[CVE-2016-3714] ImageMagick Delegate Arbitrary Command Execution Using Metasploit

May 10, 2016 09:48 AM
635984451382772222.jpg

This module exploits a shell command injection in the way "delegates"

(commands for converting files) are processed in ImageMagick versions

<= 7.0.1-0 and <= 6.9.3-9 (legacy).

Since ImageMagick uses file magic to detect file format, you can create

a .png (for example) which is actually a crafted SVG (for example) that

triggers the command injection.

Tested on Linux, BSD, and OS X. You'll want to choose your payload

carefully due to portability concerns. Use cmd/unix/generic if need be.

Related Articles

637587411395252764.jpg

How to Perform Advanced Man-in-the-Middle Attacks with Xerosploit

635211718118959676.jpg

How to Get Unlimited Free Trials Using a "Real" Fake Credit Card Number

Comments

No Comments Exist

Be the first, drop a comment!