libwebp WebP Heap Buffer Overflow
CVE-2023-4863 is a heap buffer overflow in libwebp, the WebP image decoding library, affecting libwebp prior to 1.3.2 and Google Chrome prior to 116.0.5845.187/.188. The issue is an out-of-bounds memory write reachable via crafted content, such as a crafted HTML page or a malicious WebP image. The advisory context attributes the flaw to an out-of-bounds write in BuildHuffmanTable during WebP decoding, resulting in heap corruption. Because libwebp is embedded or bundled by numerous browsers and applications, the vulnerability extends beyond Chrome to any software that decodes WebP with a vulnerable libwebp version.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
xpack.reporting.enabled: false) where the vulnerable bundled Chromium is only used for reporting. These are temporary compensating controls, not substitutes for upgrading.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (11 hidden).
This repository is a self-contained Docker lab for reproducing CVE-2023-4863, the libwebp heap buffer overflow. It is not a traditional one-shot exploit against a remote target; instead, it builds an attacker container that generates a malicious WebP file using a public PoC (craft.c), serves it over HTTP, and then demonstrates the effect on multiple victim containers. The main exploit capability is reliable crash reproduction in vulnerable libwebp consumers: the CLI victim downloads exploit.webp and processes it with dwebp, producing heap corruption symptoms and SIGABRT; the GUI victim uses Firefox 110 to load a phishing-style page embedding exploit.webp, demonstrating browser-side impact. Patched CLI and GUI containers are included to show mitigated behavior, where the malformed image is rejected with BITSTREAM_ERROR instead of crashing.
Repository structure is centered around docker-compose.yml plus per-role Dockerfiles and entrypoint scripts. attacker/ builds a Debian container, clones the upstream PoC repo, compiles craft.c into a generator, creates exploit.webp, and serves exploit.webp, bad.webp, and index.html via python3 -m http.server on port 80. victim-cli/ and victim-patched/ are Ubuntu 22.04 CLI environments that automatically fetch the malicious file from http://attacker/ and run dwebp to compare vulnerable versus patched libwebp behavior. victim-gui/ and victim-gui-patched/ add XFCE, Xvfb, x11vnc, supervisord, and Firefox builds (110 vulnerable, 126 patched) for interactive browser testing over VNC. guacamole/ contains SQL initialization and connection definitions so the whole lab can be accessed through Apache Guacamole at localhost:8888.
Notable observables include the attacker-hosted endpoints http://attacker/exploit.webp, http://attacker/bad.webp, and http://attacker/index.html; exposed local ports 8080, 8888, 2220-2224, 5900, and 5901; and external build-time download sources including GitHub, Launchpad Librarian, and releases.mozilla.org.
The exploit does not include a code-execution payload, persistence, or lateral movement logic. Its purpose is demonstrative and educational: generate a malformed WebP, deliver it over HTTP, and prove vulnerable parsing paths by causing application crashes in controlled containers.
This repository is a minimal proof-of-concept exploit generator for CVE-2023-4863, consisting of a short README and a single Python script, gen_oob_webp.py. The README states it is a modified version of DARKNAVY's script with OFFSET and VALUE constants exposed at the top for easier tuning. The Python script does not attack a remote service directly. Instead, it programmatically constructs a malformed lossless WebP image by assembling RIFF and VP8L structures, generating custom bitstreams, and encoding crafted Huffman code-length tables. Its core purpose is to produce a file that triggers an out-of-bounds heap write when decoded by a vulnerable WebP parser. The overwrite() helper is the key exploit primitive: it lets the operator choose an 8-byte-aligned heap-relative OFFSET and a constrained VALUE (3 through 0x27), which are then encoded into the malicious bitstream to influence the resulting overwrite behavior.
Repository structure is extremely small and straightforward: README.md provides attribution and context; gen_oob_webp.py is the sole executable artifact and likely entry point. Internally, the script defines helper functions bitstream_to_bytearray() and bit() for bit-level encoding, builds RIFF_header and image_header, assembles multiple code-length tables for green/red/distance channels, appends padding bytes, recalculates container sizes, and finally writes the generated payload to oob.webp.
There are no network callbacks, hardcoded IPs, URLs, registry keys, or command execution routines in the exploit. The only fingerprintable artifact produced by the code is the output file oob.webp, along with the embedded format markers RIFF and WEBPVP8L. Overall, this is a file-based exploit PoC demonstrating controlled memory corruption, not a weaponized exploit or delivery framework.
This repository is the official source for Google's libwebp, a widely used image encoding/decoding library. The repository contains the full source code, build scripts, documentation, and a suite of example tools for encoding and decoding WebP images. Of particular interest for exploitation is the presence of two files in the examples directory: 'craft.c' and 'poc.py'.
- 'examples/craft.c' is a C program that generates a specially crafted WebP image ('bad.webp') designed to trigger a heap buffer overflow in the lossless bitstream parsing logic of libwebp. The exploit is based on research by Ben Hawkes and others, and is directly referenced in public writeups about CVE-2023-4863 (the 'WebP 0day').
- 'examples/poc.py' is a Python script that generates a minimal WebP file ('poc.webp') that also triggers the vulnerability, demonstrating the exploit in a more concise form.
The README.md provides detailed instructions for building the library, compiling the exploit, and running it to observe the heap buffer overflow (with AddressSanitizer output included). The exploit works by generating a malformed WebP file that, when decoded by a vulnerable version of libwebp (e.g., via the 'dwebp' tool or any application using libwebp), causes a heap buffer overflow in the BuildHuffmanTable function. This can lead to remote code execution or denial of service, depending on the context in which the image is processed. The repository also includes a full suite of tools and documentation for working with WebP images, but the exploit code is isolated to the 'examples/craft.c' and 'examples/poc.py' files. No network endpoints or remote services are involved; the attack vector is the delivery and processing of a malicious WebP file. The exploit is operational and can be used to test or demonstrate the vulnerability in affected libwebp versions.
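All three PoCs summarised above deliver a lossless (VP8L) image, because the overflow in BuildHuffmanTable sits in the lossless bitstream parser's Huffman table construction. The following triage helper is an added example, not code from libwebp or from any of the repositories: it walks the RIFF container of a file and reports which chunks it carries, whether the lossless path would run, and whether the declared sizes are consistent, so such files can be routed to a decoder at 1.3.2 or later before anything else opens them. It lists every chunk rather than only VP8L because an ALPH chunk in an extended (VP8X) file can also carry a lossless-compressed alpha stream; the sample bytes are constructed headers, not real images.

```python
import struct
import sys

def inspect_webp(data: bytes) -> dict:
    """Walk the RIFF container; report chunks, whether the lossless (VP8L) path runs, and defects."""
    info = {"chunks": [], "lossless": False, "width": None, "height": None, "problems": []}
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        info["problems"].append("not a RIFF/WEBP container")
        return info
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        info["problems"].append(f"RIFF size {riff_size} disagrees with file length {len(data)}")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) < size:
            info["problems"].append(f"chunk {fourcc} truncated: declares {size}, has {len(payload)}")
            break
        info["chunks"].append(fourcc)
        if fourcc == "VP8L":  # lossless header: 0x2f signature, then 14+14+1+3 bits, LSB first
            info["lossless"] = True
            if len(payload) < 5 or payload[0] != 0x2F:
                info["problems"].append("VP8L chunk lacks the 0x2f signature")
            else:
                bits = struct.unpack_from("<I", payload, 1)[0]
                info["width"] = (bits & 0x3FFF) + 1
                info["height"] = ((bits >> 14) & 0x3FFF) + 1
                if (bits >> 29) & 0x7:
                    info["problems"].append("VP8L version field is nonzero")
        pos += 8 + size + (size & 1)  # chunk payloads are padded to even length
    return info

def build_container(chunks) -> bytes:
    """Assemble a RIFF/WEBP container from (fourcc, payload) pairs; only used for the samples below."""
    body = b"".join(f + struct.pack("<I", len(p)) + p + (b"\x00" if len(p) & 1 else b"")
                    for f, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body

# Constructed samples (not real images): a 16x8 lossless header and a placeholder lossy chunk.
SAMPLE_LOSSLESS = build_container([(b"VP8L", b"\x2f" + struct.pack("<I", 15 | (7 << 14)) + b"\x00" * 3)])
SAMPLE_LOSSY = build_container([(b"VP8 ", b"\x00" * 10)])

if __name__ == "__main__":  # usage: python inspect_webp.py file.webp ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_webp(fh.read()))
```

A file that reports lossless=True or any problems is the one to hand to a patched dwebp (or to reject outright) rather than to an application that still bundles a pre-1.3.2 libwebp.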
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A heap overflow in libwebp referenced as having been weaponized in iOS attacks; mentioned in the context of preventative hardening/annotations.
A high-severity vulnerability affecting the third-party open-source project libwebp, impacting affected TeamViewer products.
A critical heap buffer overflow (out-of-bounds write) in libwebp as used by Google Chrome/Chromium, which impacts Kibana because Kibana bundles a headless Chromium for reporting; successful exploitation could enable remote code execution in the context where the bundled Chromium runs (notably when the Chromium sandbox is disabled).
A heap buffer overflow vulnerability in the WebP image format as implemented in Google Chrome, initially believed to be Chrome-specific but later found to affect the underlying libwebp library.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.