Brief notes on two PoCs and an analysis report on the Android trojan family Asacub

1. #0day

(1) IE11 sandbox escape

(2) 0day - Windows LPE - non-admin/guest to SYSTEM

The PoC now hijacks the print spooler service (spoolsv.exe), because that needs less code than hijacking printfilterpipelinesvc.exe.

Description of the vulnerability

The task scheduler service has an alpc endpoint, supporting the method “SchRpcSetSecurity”.

The prototype looks like this:

    long _SchRpcSetSecurity(
        [in][string] wchar_t* arg_1,   // Task name
        [in][string] wchar_t* arg_2,   // Security Descriptor string
        [in] long arg_3);

Tasks created by the task scheduler will create a corresponding folder/file in c:\windows\system32\tasks. This function seems to be designed to write the DACL of tasks located there, and will do so while impersonating. However, for some reason it will also check if a .job file exists under c:\windows\tasks and try to set the DACL while not impersonating. Since a user, and even a user belonging to the guests group can create files in this folder, we can simply create a hardlink to another file (all we need is read access). Because of the hardlink, we can let the task scheduler write an arbitrary DACL (see second parameter of SchRpcSetSecurity) to a file of our choosing.

So any file that we have read access over as a user and that system has the write DACL permission for, we can pivot into full control and overwrite it.
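The two conditions the description relies on (a hard link inside c:\windows\tasks that points at a file elsewhere, and a folder DACL that lets low-privileged groups create files there) can both be audited from the defender's side. The following PowerShell is an added example and is not part of the original post or of the PoC repository; it assumes a Windows host with fsutil.exe available and an elevated session so that every link of a file can be enumerated.

```powershell
# Added example (not from the original post): audit C:\Windows\Tasks for the
# preconditions of the SchRpcSetSecurity hard-link primitive described above.
# Assumption: run elevated on Windows with fsutil.exe on the PATH.
$TaskDir = 'C:\Windows\Tasks'

function Get-TaskDirHardLinkFindings {
    param([string]$Path = $TaskDir)
    $findings = @()
    foreach ($file in Get-ChildItem -Path $Path -File -Force -ErrorAction SilentlyContinue) {
        # fsutil prints every path that shares the file's NTFS record, one per
        # line, as volume-relative paths such as \Windows\Tasks\foo.job
        $links = & fsutil.exe hardlink list $file.FullName 2>$null
        if (-not $links) { continue }
        $drive = $file.PSDrive.Name + ':'
        # Any link that resolves outside the tasks folder is suspicious: a .job
        # name here that is really another file is exactly what the primitive needs.
        $outside = @($links | Where-Object {
            $full = $drive + $_.Trim()
            -not $full.StartsWith($Path, [System.StringComparison]::OrdinalIgnoreCase)
        })
        if ($outside.Count -gt 0) {
            $findings += [pscustomobject]@{
                File    = $file.FullName
                Targets = ($outside -join '; ')
            }
        }
    }
    return $findings
}

function Get-TaskDirCreateRights {
    param([string]$Path = $TaskDir)
    # Report which broad groups may create files in the folder; the description
    # above notes that even a guest-level user can, so this documents the exposure.
    $broad = 'BUILTIN\Users', 'BUILTIN\Guests', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::CreateFiles)
    } | Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

Get-TaskDirHardLinkFindings | Format-Table -AutoSize
Get-TaskDirCreateRights    | Format-Table -AutoSize
```

An empty first table means no file in the folder is linked to a location outside it; the second table is expected to be non-empty on a default install, so treat a hit there as context for the first, not as a finding on its own.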

Download link:

https://github.com/SandboxEscaper/randomrepo

2. The rise of the Android banking trojan family Asacub

It specifically targets customers of a major Russian bank.

Link: https://securelist.com/the-rise-of-mobile-banker-asacub/87591/

Device information

[Figure: decrypted format of the data sent to the server]

[Figure: format of the reply the server returns after receiving the data]

SMS theft

[Figure: decrypted SMS exfiltration traffic]

[Figure: icons used for disguise]

C&C IP addresses:

IP addresses used to download the trojan:

If you are interested in changing jobs, add me on WeChat. Positions: threat intelligence and sample analysis, and security development; 2+ years of experience; 15K to 30K.
