Introduction to two PoCs and an analysis report on the Android trojan family Asacub


1. #0day

(1) IE11 sandbox escape

(2) 0day - Windows LPE – Non-admin/Guest to system

The PoC now hijacks the print spooler service – spoolsv.exe – because it needs less code than hijacking printfilterpipelinesvc.exe.

Description of the vulnerability

The task scheduler service has an alpc endpoint, supporting the method “SchRpcSetSecurity”.

The prototype looks like this:

    long _SchRpcSetSecurity(
        [in][string] wchar_t* arg_1, // Task name
        [in][string] wchar_t* arg_2, // Security Descriptor string
        [in] long arg_3);

Tasks created by the task scheduler will create a corresponding folder/file in c:\windows\system32\tasks. This function seems to be designed to write the DACL of tasks located there, and will do so while impersonating. However, for some reason it will also check if a .job file exists under c:\windows\tasks and try to set the DACL while not impersonating. Since a user, and even a user belonging to the guests group can create files in this folder, we can simply create a hardlink to another file (all we need is read access). Because of the hardlink, we can let the task scheduler write an arbitrary DACL (see second parameter of SchRpcSetSecurity) to a file of our choosing.

So any file that we have read access over as a user and that system has the write DACL permission for, we can pivot into full control and overwrite it.
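The weak link in the description above is a .job entry under c:\windows\tasks that is really a hard link to some other file. A defender-side audit that is cheap to run is to list the .job files in that directory and flag any whose hard-link count is greater than one. The following script is an added example for this post, not code from the original article or from the SandboxEscaper repository; the `C:\Windows\Tasks` path is the real location named above, while the temporary directory layout built by `demo_in_tempdir()` is constructed purely to exercise the scanner offline (it works the same way on NTFS and on a POSIX filesystem, since both report the link count in `st_nlink`).

```python
"""Audit a tasks directory for .job files that are hard links to other files.

Background (from the vulnerability description): SchRpcSetSecurity sets the
DACL of a .job file found under C:\\Windows\\Tasks without impersonating the
caller, so a .job entry that is actually a hard link to another file lets that
file's DACL be rewritten. A .job file whose link count is greater than one is
therefore worth flagging for review.
"""
import os
import tempfile
from pathlib import Path

# Real location on a Windows host. The scanner takes the directory as a
# parameter so the same function can be run against a test directory.
WINDOWS_TASKS_DIR = r"C:\Windows\Tasks"


def find_multilinked_job_files(tasks_dir):
    """Return the names of *.job files in tasks_dir whose hard-link count
    (st_nlink) is greater than one, sorted for deterministic output.

    Symbolic links are not followed: a symlink named foo.job is reported by
    its own stat, not by the stat of whatever it points to.
    """
    flagged = []
    for entry in os.scandir(tasks_dir):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not entry.name.lower().endswith(".job"):
            continue
        # os.lstat rather than entry.stat(): on Windows the cached DirEntry
        # data does not carry a reliable link count.
        st = os.lstat(entry.path)
        if st.st_nlink > 1:
            flagged.append(entry.name)
    return sorted(flagged)


def demo_in_tempdir():
    """Build a constructed scenario in a temporary directory and return what
    the scanner flags.

    Layout (constructed for this example, not real system paths):
      <tmp>/protected/target.bin   stands in for a file only SYSTEM can write
      <tmp>/tasks/normal.job       an ordinary job file with a single link
      <tmp>/tasks/linked.job       a hard link to protected/target.bin
    """
    with tempfile.TemporaryDirectory() as tmp:
        protected = Path(tmp) / "protected"
        tasks = Path(tmp) / "tasks"
        protected.mkdir()
        tasks.mkdir()

        target = protected / "target.bin"
        target.write_bytes(b"constructed contents")
        (tasks / "normal.job").write_bytes(b"constructed job body")

        # Second directory entry for the same inode: link count becomes 2.
        os.link(target, tasks / "linked.job")

        return find_multilinked_job_files(tasks)


if __name__ == "__main__":
    # On a Windows host the real directory can be audited with:
    #   find_multilinked_job_files(WINDOWS_TASKS_DIR)
    print("flagged in constructed demo:", demo_in_tempdir())
```

A hit from this scan is only a signal, not proof of exploitation, since a link count above one can have benign causes; the useful follow-up on a real host is to resolve which other paths share the file (for example with `fsutil hardlink list <file>`) and to review the DACL the .job entry currently carries.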

Download link:

https://github.com/SandboxEscaper/randomrepo

2. The rise of the Android banking trojan family Asacub

It specifically targets the customers of a major Russian bank.

Link: https://securelist.com/the-rise-of-mobile-banker-asacub/87591/

Figure: device information

Figure: decrypted message data format

Figure: format of the response message returned by the server after receiving the information

Figure: SMS stealing

Figure: decrypted SMS transfer traffic

Figure: icons used for disguise

C&C IP addresses:

  • 155.133.82.181

  • 155.133.82.240

  • 155.133.82.244

  • 185.234.218.59

  • 195.22.126.160

  • 195.22.126.163

  • 195.22.126.80

  • 195.22.126.81

  • 5.45.73.24

  • 5.45.74.130

IP addresses used to download the trojan:

  • 185.174.173.31

  • 185.234.218.59

  • 188.166.156.110

  • 195.22.126.160

  • 195.22.126.80

  • 195.22.126.81

  • 195.22.126.82

  • 195.22.126.83

Anyone interested in changing jobs can add me on WeChat. Positions: threat intelligence and sample analysis, and security development; 2+ years of work experience, 15K to 30K.

This article is from the WeChat public account: 黑鸟
