Two PoC write-ups and an analysis report on the Android trojan family Asacub
1. #0day
(1) IE11 sandbox escape
(2) 0day: Windows LPE - Non-admin/Guest to SYSTEM (Task Scheduler ALPC; later assigned CVE-2018-8440)
The PoC now hijacks the Print Spooler service (spoolsv.exe), because that needs less code than hijacking printfilterpipelinesvc.exe.
Description of the vulnerability (quoted from the repository README):
The task scheduler service has an ALPC endpoint, supporting the method "SchRpcSetSecurity".
The prototype looks like this:
long _SchRpcSetSecurity(
    [in][string] wchar_t* arg_1, // Task name
    [in][string] wchar_t* arg_2, // Security Descriptor string
    [in] long arg_3);
Tasks created by the task scheduler will create a corresponding folder/file in c:\windows\system32\tasks. This function seems to be designed to write the DACL of tasks located there, and will do so while impersonating. However, for some reason it will also check if a .job file exists under c:\windows\tasks and try to set the DACL while not impersonating. Since a user, and even a user belonging to the guests group can create files in this folder, we can simply create a hardlink to another file (all we need is read access). Because of the hardlink, we can let the task scheduler write an arbitrary DACL (see second parameter of SchRpcSetSecurity) to a file of our choosing.
So any file that we have read access to as a user, and that SYSTEM has write-DACL permission for, we can pivot into full control of and overwrite.
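As an added example that is not part of SandboxEscaper's repository or the README quoted above: a PowerShell audit that checks a host for the precondition the bug relies on (a low-privilege principal being allowed to create files in C:\Windows\Tasks) and for evidence of abuse, namely a file in that folder that also has a link name outside it, which is the hard link the PoC plants so that SchRpcSetSecurity re-ACLs the target. It assumes Windows 10 / Server 2016 with PowerShell 5.1 or later, that it runs from an elevated prompt so that fsutil hardlink list is permitted, and that fsutil prints one drive-relative link name per line (for example \Windows\Tasks\foo.job).

```powershell
# Added audit script (not from the randomrepo PoC). Run elevated on Windows 10 /
# Server 2016 or later, PowerShell 5.1 or later.
$tasksDir = Join-Path $env:SystemRoot 'Tasks'   # C:\Windows\Tasks
$tasksRel = $tasksDir.Substring(2)              # \Windows\Tasks, the form fsutil prints

# Low-privilege principals whose ability to create files here is what the bug needs.
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Guests')

# Access-mask bits that allow creating a file in a directory:
# FILE_WRITE_DATA / CreateFiles (0x2), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
# The generic bits are checked explicitly because inherited ACEs can carry them
# and they do not map onto the named FileSystemRights values.
$createMask = 0x2 -bor 0x40000000 -bor 0x10000000

function Get-TasksDirCreateRights {
    # Returns the Allow ACEs on $tasksDir that let a low-privilege principal create files.
    (Get-Acl -Path $tasksDir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $createMask) -ne 0
    }
}

function Get-TasksDirHardLinks {
    # Returns every file in $tasksDir that also has a link name outside the folder.
    # A legitimate .job file has exactly one name; a second name under System32 or
    # a driver store is the hard link the PoC plants before calling SchRpcSetSecurity.
    Get-ChildItem -Path $tasksDir -File -Force | ForEach-Object {
        # stderr of the native command comes back as ErrorRecord objects; keep only text lines
        $names  = @(& fsutil.exe hardlink list $_.FullName 2>&1 |
                    Where-Object { $_ -is [string] -and $_.Trim() })
        $others = @($names | Where-Object { $_ -notlike "$tasksRel\*" })
        if ($others.Count -gt 0) {
            [pscustomobject]@{ File = $_.FullName; OtherLinkNames = $others }
        }
    }
}

$aces = @(Get-TasksDirCreateRights)
foreach ($ace in $aces) {
    Write-Output ('[*] {0} can create files in {1} ({2})' -f $ace.IdentityReference, $tasksDir, $ace.FileSystemRights)
}
if ($aces.Count -eq 0) { Write-Output "[+] no low-privilege principal can create files in $tasksDir" }

$links = @(Get-TasksDirHardLinks)
foreach ($l in $links) {
    Write-Output ('[!] {0} is also linked as: {1}' -f $l.File, ($l.OtherLinkNames -join ', '))
}
if ($links.Count -eq 0) { Write-Output "[+] no file in $tasksDir has a link name outside the folder" }
```

On a stock installation the first check is expected to report that ordinary users can create files in the Tasks folder; that is the design the bug abuses, so it is a baseline rather than a finding. The second check is the actionable one: any extra link name for a file in that folder deserves a look at the linked target's DACL, since a successful call leaves the attacker's descriptor on it.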
Download link:
https://github.com/SandboxEscaper/randomrepo
2. The rise of the Android banking trojan family Asacub
It specifically targets the customers of one major Russian bank.
Link: https://securelist.com/the-rise-of-mobile-banker-asacub/87591/
[Figures from the Securelist report, not reproduced here: device information collected; decrypted request format; format of the server's response; SMS theft; decrypted SMS exfiltration traffic; icons used as disguise]
C&C IP addresses:
155.133.82.181
155.133.82.240
155.133.82.244
185.234.218.59
195.22.126.160
195.22.126.163
195.22.126.80
195.22.126.81
5.45.73.24
5.45.74.130
IP addresses the trojan was downloaded from:
185.174.173.31
185.234.218.59
188.166.156.110
195.22.126.160
195.22.126.80
195.22.126.81
195.22.126.82
195.22.126.83
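As an added example, not part of the Securelist report: a PowerShell function that hunts the C&C and download addresses listed above in proxy or firewall log lines. The log lines are constructed here for illustration and their layout (timestamp, source ip:port, arrow, destination ip:port, trailing text) is an assumption; adjust the regular expression to the real log format. Beyond exact matches it also flags destinations in the same /24 as a listed address, because the infrastructure above clusters in 155.133.82.0/24 and 195.22.126.0/24; that is a weaker, review-only signal, not a confirmed hit.

```powershell
# Added hunting snippet (not from the Securelist report). Exact IOCs are the
# addresses listed above; the /24 expansion is a weaker, review-only signal.
$asacubC2 = @('155.133.82.181', '155.133.82.240', '155.133.82.244', '185.234.218.59',
              '195.22.126.160', '195.22.126.163', '195.22.126.80', '195.22.126.81',
              '5.45.73.24', '5.45.74.130')
$asacubDownload = @('185.174.173.31', '185.234.218.59', '188.166.156.110', '195.22.126.160',
                    '195.22.126.80', '195.22.126.81', '195.22.126.82', '195.22.126.83')

# address -> role; an address that appears in both lists gets both tags
$exactIoc = @{}
foreach ($ip in $asacubC2)       { $exactIoc[$ip] = 'asacub-c2' }
foreach ($ip in $asacubDownload) { $exactIoc[$ip] = if ($exactIoc[$ip]) { 'asacub-c2+download' } else { 'asacub-download' } }

# first three octets of every IOC, for the neighbour check
$iocNets = @{}
foreach ($ip in $exactIoc.Keys) { $iocNets[($ip -replace '\.\d+$', '')] = $true }

function Find-AsacubConnections {
    # Takes log lines and returns one object per line whose destination is a listed
    # IOC (Confidence = exact) or sits in the same /24 as one (Confidence = neighbour).
    # Assumed line shape: <timestamp> <src ip>:<port> -> <dst ip>:<port> <anything>
    param([Parameter(Mandatory)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -notmatch '(\d{1,3}(?:\.\d{1,3}){3}):\d+\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)') { continue }
        $src, $dst, $dport = $Matches[1], $Matches[2], $Matches[3]
        if ($exactIoc.ContainsKey($dst)) {
            [pscustomobject]@{ Source = $src; Destination = $dst; Port = $dport
                               Tag = $exactIoc[$dst]; Confidence = 'exact'; Line = $line }
        } elseif ($iocNets.ContainsKey(($dst -replace '\.\d+$', ''))) {
            [pscustomobject]@{ Source = $src; Destination = $dst; Port = $dport
                               Tag = 'same-/24-as-ioc'; Confidence = 'neighbour'; Line = $line }
        }
    }
}

# Constructed sample log lines for illustration (not real traffic).
$sample = @(
    '2018-08-28T10:01:02Z 10.0.0.12:51234 -> 195.22.126.80:443 TLS',
    '2018-08-28T10:01:05Z 10.0.0.12:51240 -> 93.184.216.34:443 TLS',
    '2018-08-28T10:02:10Z 10.0.0.19:40022 -> 155.133.82.7:80 HTTP',
    '2018-08-28T10:03:00Z 10.0.0.12:51301 -> 185.174.173.31:80 HTTP GET /update.apk'
)
Find-AsacubConnections -LogLines $sample | Format-Table -AutoSize
```

With the constructed lines above the function reports the 195.22.126.80 connection as an exact hit tagged asacub-c2+download, the 185.174.173.31 connection as an exact asacub-download hit, the 155.133.82.7 connection as a neighbour in an IOC /24, and nothing for 93.184.216.34. Neighbour hits should be triaged against passive DNS or the hosting provider before they are treated as Asacub activity.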
If you are interested in changing jobs, add me on WeChat. Positions: threat intelligence and sample analysis, and security development; 2+ years of experience, 15K to 30K.