import os, ctypes

from flask import Flask, request, jsonify

from urllib.parse import urlparse

import base64




app = Flask(__name__)

# Native MXNet library, loaded from the user-site install directory of a
# specific interpreter version.  That directory is user-writable, so whoever
# can write to it controls native code running inside this process.
BASE = os.path.expanduser('~') + '/.local/lib/python3.10/site-packages/mxnet/'
mxnet = ctypes.CDLL(BASE + 'libmxnet.so')

# Server process id, captured once at import and shown on the index page.
PID = os.getpid()

# One-off snapshot of this process's memory map (Linux procfs).  The /rwx
# endpoint re-reads the file live instead of using this snapshot.  ``fd``
# remains bound (to the closed file) at module level after the block.
with open('/proc/self/maps', 'r', encoding="utf-8") as fd:
    MAPS = fd.read()

# Objects handed in through /id are appended here and never removed, so their
# identities stay valid; the list grows by one entry per /id request for the
# life of the process.
traffic = []




@app.route('/get_storage_type', methods=['GET'])

def get_storage_type():

    """Call MXNDArrayGetStorageType with a client-supplied NDArray handle.

    Query parameters:
        handle: required. The integer is handed to the native library
            unchanged as a raw pointer (``c_void_p``); nothing at this layer
            can check that it refers to a live NDArray, so the native code
            dereferences whatever address the caller chose.  A missing or
            non-numeric value raises inside ``int()`` and surfaces as an
            unhandled exception (HTTP 500).
        storage_type: optional. When present, its integer value is also
            wrapped in ``c_void_p`` and passed as the second argument, i.e.
            the caller picks the address the native call presumably writes
            its output to.

    Returns:
        JSON ``{'result': <int>}``.  The echoed value is the Python int
        ``out_storage_type``; the native call never updates that object (it
        writes through the raw address, not into the immutable int), so the
        response simply repeats the caller's ``storage_type`` or ``0``.

    Because both arguments are raw pointers from the query string, this
    endpoint is a memory-safety sink by construction; the only mitigation is
    to keep it unreachable from untrusted clients.
    """

    handle = int(request.args.get('handle'))

    out_storage_type = 0

    out = None

    if request.args.get('storage_type'):

        out_storage_type = int(request.args.get('storage_type'))

        # The caller-chosen integer is reinterpreted as the output pointer.
        out = out_storage_type

        mxnet.MXNDArrayGetStorageType(ctypes.c_void_p(handle), ctypes.c_void_p(out))

    else:

        # byref() requires a ctypes instance; out_storage_type is a plain
        # Python int here, so this branch raises TypeError before the native
        # call is reached (HTTP 500 for the client).
        out = ctypes.byref(out_storage_type)

        mxnet.MXNDArrayGetStorageType(ctypes.c_void_p(handle), out)

    response = {'result': out_storage_type}

    return jsonify(response)




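@app.route('/id', methods=['GET'])
def client_id():
    """Store a client-supplied object and return its CPython identity.

    Query parameters:
        id: required. Parsed as a base-10 int when ``objtype`` is ``'int'``,
            otherwise base64-decoded to ``bytes``.
        objtype: ``'int'`` selects integer parsing; any other value
            (including absent) selects base64 decoding.

    Returns:
        JSON ``{'result': '<id>'}`` where ``<id>`` is ``str(id(obj))`` of the
        stored object.  In CPython ``id()`` is the object's memory address,
        so the response discloses a heap address to the caller.
        A missing ``id``, or one that does not parse, yields a JSON error
        with status 400 rather than an unhandled exception (HTTP 500).

    The object is appended to the module-level ``traffic`` list and never
    removed, so its address stays valid for the life of the process; the
    list grows by one entry per request.
    """
    raw = request.args.get('id')
    if raw is None:
        return jsonify({'error': 'missing id'}), 400
    try:
        if request.args.get('objtype') == 'int':
            obj = int(raw)
        else:
            # binascii.Error (malformed base64) is a ValueError subclass,
            # and non-ASCII input raises ValueError directly.
            obj = base64.b64decode(raw)
    except ValueError:
        return jsonify({'error': 'invalid id'}), 400
    # Keep a reference so the object is not freed; the returned id would
    # otherwise refer to released memory.
    traffic.append(obj)
    return jsonify({'result': str(id(obj))})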




@app.route('/rwx', methods=['GET'])
def rwx():
    """Report the start address of the last ``rwx`` mapping of this process.

    Re-reads ``/proc/self/maps`` on every request and keeps the start
    address of the last line that contains the substring ``rwx`` anywhere
    (the permission field is not isolated, so a mapped path containing
    ``rwx`` matches too).

    Returns:
        JSON ``{'result': '<address>'}`` with the address as a decimal
        string; ``'0'`` when no line matched.

    The value pins down a writable-and-executable region of the server
    process for any caller, which removes ASLR protection for that region;
    it exists only to support the demonstration described on the index page.
    """
    last_rwx_start = 0
    with open('/proc/self/maps', 'r', encoding="utf-8") as maps:
        for entry in maps:
            if 'rwx' not in entry:
                continue
            # "<start>-<end> perms offset dev inode path": take the start.
            start_hex = entry.split('-')[0]
            last_rwx_start = int(start_hex, 16)
    return jsonify({'result': str(last_rwx_start)})




@app.route('/', methods=['GET'])
def index():
    """Serve the landing page describing the demo endpoints.

    The HTML is a fixed template with two process-specific values
    interpolated: ``id(id)`` (in CPython, the memory address of the builtin
    ``id`` function object) and ``PID``, the process id captured at import
    time.  Both are process-layout details handed to any caller.
    """
    page = f'''

<html>

<head><title>Example Vulnerable Application</title></head>

<body>

<h1>Example Vulnerable Application</h1>

<pre>

    id: {id(id)}

    pid: {PID}




    Minimum functionality required to demonstrate exploit:

        /get_storage_type

            &lthandle: int&gt

            [storage_type: int]

            returns result (int)

            E.G: /get_storage_type?handle=0&storage_type=0




        /id

            &ltid: str&gt

            &ltobjtype: str&lt'int', 'base64'&gt&gt

            returns result (int)

            E.G: <a href='/id?id=0&objtype=int'>/id?id=0&objtype=int</a>




    Optional:

        /rwx

            returns result (int)

            E.G: <a href='/rwx'>/rwx</a>

</pre>

</body>

</html>
'''
    return page



if __name__ == '__main__':

    # Flask's development server binds to loopback (127.0.0.1) by default;
    # debug=False keeps the Werkzeug interactive debugger and reloader off.
    app.run(debug=False)