rpc.py


An interesting root process was identified. It’s executing a Python script, /opt/rpc.py. This was also picked up by PEAS at a later stage.

user@pc:/$ cat /opt/rpc.py 
from typing import AsyncGenerator
from typing_extensions import TypedDict
 
import uvicorn
from rpcpy import RPC
 
app = RPC(mode="ASGI")
 
 
@app.register
async def none() -> None:
    return
 
 
@app.register
async def sayhi(name: str) -> str:
    return f"hi {name}"
 
 
@app.register
async def yield_data(max_num: int) -> AsyncGenerator[int, None]:
    for i in range(max_num):
        yield i
 
 
D = TypedDict("D", {"key": str, "other-key": str})
 
 
@app.register
async def query_dict(value: str) -> D:
    return {"key": value, "other-key": value}
 
 
if __name__ == "__main__":
    uvicorn.run(app, interface="asgi3", port=65432)

This appears to be an ASGI-based RPC server, using the rpcpy and uvicorn libraries, running on the target port 65432. There appear to be 4 endpoints:

Initially, I was not familiar with the concept of WSGI/ASGI, so I was more focused on finding a logic error, resulting in checking each endpoint manually.

/none


user@pc:/$ curl -X POST http://localhost:65432/none -H "Content-Type: application/json" 
null

N/A

/sayhi


user@pc:/$ curl -X POST http://localhost:65432/sayhi -H "Content-Type: application/json" -d '{"name":"blahblah"}'
"hi blahblah"

N/A

/yield_data


user@pc:/$ curl -X POST http://localhost:65432/yield_data -H "Content-Type: application/json" -d '{"max_num":5}'
event: yield
data: MA==
 
event: yield
data: MQ==
 
event: yield
data: Mg==
 
event: yield
data: Mw==
 
event: yield
data: NA==

N/A
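
What the base64 data: fields in the /yield_data response carry, as an added example that is not part of the original write-up: a small parser for the captured server-sent-event stream. It assumes the decoded bytes are JSON, matching the Content-Type used in the requests; SAMPLE_STREAM, parse_sse and decode_yields are names chosen here.

```python
import base64
import json

# Constructed sample: the /yield_data response body captured above.
SAMPLE_STREAM = (
    "event: yield\ndata: MA==\n\n"
    "event: yield\ndata: MQ==\n\n"
    "event: yield\ndata: Mg==\n\n"
    "event: yield\ndata: Mw==\n\n"
    "event: yield\ndata: NA==\n"
)


def parse_sse(stream: str):
    """Split a text/event-stream body into (event, data) tuples."""
    events = []
    event, data_lines = "message", []
    # A blank line ends an event; append one so the last event is flushed.
    for line in stream.replace("\r\n", "\n").split("\n") + [""]:
        line = line.rstrip()  # pasted captures pad separator lines with spaces
        if not line:
            if data_lines:
                events.append((event, "\n".join(data_lines)))
            event, data_lines = "message", []
            continue
        if line.startswith(":"):
            continue  # SSE comment / keep-alive line
        field, _, value = line.partition(":")
        value = value[1:] if value.startswith(" ") else value
        if field == "event":
            event = value
        elif field == "data":
            data_lines.append(value)
    return events


def decode_yields(stream: str):
    """Return the values carried by each 'yield' event in the stream."""
    values = []
    for event, data in parse_sse(stream):
        if event != "yield":
            continue
        raw = base64.b64decode(data, validate=True)
        values.append(json.loads(raw))  # assumption: payload is JSON
    return values


if __name__ == "__main__":
    print(decode_yields(SAMPLE_STREAM))
```

Each event is one item produced by the generator in rpc.py, so max_num=5 comes back as the integers 0 through 4.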

/query_dict


user@pc:/$ curl -X POST http://localhost:65432/query_dict -H "Content-Type: application/json" -d '{"value":"test"}'
{"key": "test", "other-key": "test"}

N/A

Vulnerabilities


Looking up rpcpy online immediately shows an RCE exploit affecting version 0.6.0.

Version Check


user@pc:/var/tmp$ pip3 show rpc.py
Name: rpc.py
Version: 0.6.0
Summary: An fast and powerful RPC framework based on ASGI/WSGI.
Home-page: https://github.com/abersheeran/rpc.py
Author: abersheeran
Author-email: me@abersheeran.com
License: Apache-2.0
Location: /usr/local/lib/python3.8/dist-packages
Requires: baize
Required-by: 

Checking the installed rpcpy reveals that the version is 0.6.0, matching the exploit. Moving on to the Privilege Escalation phase.