CVE-2019-12735 PoC — Vim OS Command Injection Vulnerability

Source
Associated Vulnerability
Title: Vim OS Command Injection Vulnerability (CVE-2019-12735)
Description: getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
Description
A demo for cve-2019-12735
Readme
# CVE-2019-12735

This CVE is fixed in Neovim 0.3.6 and Vim 8.1.1365; earlier versions are affected.

## POC

```bash
vim demo1.txt
```

## Remote shell

1. Create the malicious text file:

```bash
gcc make_demo3.c -o make_demo3
./make_demo3
```

2. Start a netcat listener in another session:
```bash
nc -vlp 9999
```

3. Open the malicious file:
```bash
vim demo3.txt
```

You can then execute any Linux command in that session.

## Reference

- [A POC demo on github](https://github.com/pcy190/ace-vim-neovim)
- [Exploit DB](https://www.exploit-db.com/exploits/46973)
- [netcat](https://myapollo.com.tw/zh-tw/linux-command-nc/)

## ANSI

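- `\x1b[?7l`: do not wrap when output reaches the end of the line; keep overwriting the last character
- `\x1bS`: STS, Set transmit state
- `\x1b[1G`: move the cursor to column 1
- `\x1b[K`: erase all characters from the current cursor position to the end of the line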
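
A defender-side check for the delivery path described above, as an added example (not part of the original README or PoC files): it scans a file's raw bytes for modelines that contain the constructs named in the CVE description (`source!`, `execute`, `assert_fails`, `nvim_input`) and for the escape sequences listed in this section. It assumes Vim's default `modelines=5` window and only approximates Vim's modeline grammar; `scan`, `SUSPECT`, `CLEAN` and the `OPTION`/`PLACEHOLDER` strings are constructed for illustration.

```python
import re

MODELINES = 5  # assumption: Vim's default 'modelines' (first/last 5 lines are parsed)

# Approximation of Vim's modeline prefix: "vi:", "vim:", "Vim:" or "ex:" at line
# start or after whitespace, including version-qualified forms such as "vim>800:".
MODELINE_RE = re.compile(rb"(?:^|\s)(?:vi|[Vv]im(?:[<>=]?\d+)?|ex):")

# Constructs the CVE description names as the abuse path inside a modeline.
RISKY_RE = re.compile(
    rb"\bso(?:urce|urc|ur|u)?\\?!|assert_fails\s*\(|nvim_input\s*\(|execute\s*\("
)

# Escape sequences from the ANSI list above; none belongs in a plain text file.
ESCAPES = {
    b"\x1b[?7l": "disable line wrap",
    b"\x1bS": "STS",
    b"\x1b[1G": "cursor to column 1",
    b"\x1b[K": "erase to end of line",
}

def scan(data: bytes) -> list:
    """Return (line_number, finding) pairs for one file's raw bytes."""
    lines = data.splitlines()
    n = len(lines)
    # Vim only parses modelines in the first and last MODELINES lines.
    window = set(range(min(MODELINES, n))) | set(range(max(0, n - MODELINES), n))
    findings = []
    for i, line in enumerate(lines):
        if i in window and MODELINE_RE.search(line):
            hit = RISKY_RE.search(line)
            if hit:
                findings.append((i + 1, "modeline uses " + hit.group().decode()))
        for seq, meaning in ESCAPES.items():
            if seq in line:
                findings.append((i + 1, "escape sequence: " + meaning))
    return findings

# Constructed samples (not taken from the PoC files; the payload is a placeholder).
SUSPECT = (b"todo list\n\x1b[1G\x1b[Kbuy milk\n"
           b'# vim: set OPTION=assert_fails("PLACEHOLDER"):\n')
CLEAN = b"#!/bin/sh\n# vim: set ts=4 sw=4 et:\necho hello\n"

if __name__ == "__main__":
    for finding in scan(SUSPECT):
        print(finding)
```

A hit is a reason to inspect the file with a hex viewer before opening it in an unpatched editor; setting `nomodeline` removes the parsing step entirely.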