CVE-2024-3400-pot.py

from flask import Flask, request, make_response, send_from_directory, abort, redirect
import logging
import re
import os

print("Current Working Directory:", os.getcwd())

app = Flask(__name__)

# Initialize logger
logging.basicConfig(filename='CVE-2024-3400_attempts.log', level=logging.INFO)

@app.route('/')
def root():
    return redirect('/global-protect/login.esp', code=302)

@app.route('/global-protect/portal/images/<filename>')
def serve_images_only(filename):
    allowed_extensions = ['.png', '.svg', '.ico']
    
    # Check if the file has one of the allowed extensions
    if any(filename.endswith(ext) for ext in allowed_extensions):
        # Serve the file if it's an allowed image type
        image_path = os.path.join('global-protect', 'portal', 'images')

        return send_from_directory(image_path, filename)
    else:
        # Log the request details for disallowed file types
        client_ip = request.remote_addr  # Get IP
        user_agent = request.headers.get('User-Agent', 'Unknown')  # Get User-Agent

        logging.warning(f"Suspicious file requested - {filename} from {client_ip}, User-Agent: {user_agent}")

        abort(403)  # Respond with a 403 Forbidden status code

@app.route('/global-protect/<path:filename>')
def global_protect_files(filename):
    # Assuming 'global-protect' is directly in the same directory as the script
    return send_from_directory('global-protect', filename)

@app.route('/ssl-vpn/hipreport.esp', methods=['POST'])
def hipreport_simulator():
    client_ip = request.remote_addr  # Get IP
    user_agent = request.headers.get('User-Agent', 'Unknown')  # Get User-Agent
    cookie = request.headers.get('Cookie', '')

    # Log the initial request details
    logging.info(f"Request from {client_ip}, User-Agent: {user_agent}, Cookie: {cookie}")

    # General regex to detect directory traversal or suspicious activity in cookie
    traversal_pattern = r"SESSID=/(?:\.\./|\./)+([^;]+);"
    command_injection_pattern = r"`[^`]*`|\$\([^)]+\)|\$(\{[^}]+\})"

    # Check for directory traversal or suspicious paths in cookie
    match = re.search(traversal_pattern, cookie)
    if match:
        suspicious_path = match.group(1)
        logging.warning(f"Detected suspicious HTTP request: {suspicious_path} from {client_ip}")

        # Check if the path contains potential command injections
        if re.search(command_injection_pattern, suspicious_path):
            logging.warning(f"Detected potential command injection in path: {suspicious_path} from {client_ip}")

        # Ensure the directory for suspicious files exists
        os.makedirs('suspicious_files', exist_ok=True)

        # Construct the path for the file to be saved, sanitizing the filename
        suspicious_file_path = os.path.join('suspicious_files', suspicious_path.replace('/', '_'))

        # Try to save the content of the POST request to the file, capturing potential payloads
        try:
            with open(suspicious_file_path, 'wb') as f:
                f.write(request.data)
            logging.info(f"File saved: {suspicious_file_path}")
        except Exception as e:
            logging.error(f"Failed to save file {suspicious_file_path} due to {e}")

    # Return a simulated normal response, despite the detection
    return "HTTP 200", 200

@app.route('/global-protect/login.esp', methods=['GET'])
def global_protect_login():
    client_ip = request.remote_addr  # Get IP
    user_agent = request.headers.get('User-Agent', 'Unknown')  # Get User-Agent

    logging.info(f"Login page request from {client_ip}, User-Agent: {user_agent}")

    # Prepare the simulated HTML content and headers
    content = """
    <html>
        <!DOCTYPE html>
        <html lang="en">
            <head>
                <meta charset="utf-8">
                <meta http-equiv="X-UA-Compatible" content="IE=edge">
                <meta name="viewport" content="width=device-width, initial-scale=.85">
                <meta http-equiv="pragma" content="no-cache">
                <title>GlobalProtect Portal </TITLE>
                <link rel="shortcut icon" type="image/x-icon" href="portal/images/favicon.ico">
                <link rel="stylesheet" href="/global-protect/portal/css/bootstrap.min.css">
                <link rel="stylesheet" href="/global-protect/portal/css/latofonts.css">
                <script src="portal/js/jquery.min.js"></script>
                <script src="portal/js/ie10-viewport-bug-workaround.js"></script>
                <link rel="stylesheet" href="/global-protect/portal/css/ie10-viewport-bug-workaround.css">
                <link rel="stylesheet" href="/global-protect/portal/css/login.css">
                <style type="text/css">
                    html,
                    body {
                        overflow: auto;
                    }
                </style>
                <script type="text/javascript">
                    function loadPage() {
                        if (typeof window.Storage !== 'undefined') {
                            window.localStorage.clear();
                        }
                        if (document.login.user.value == '') document.login.user.value = "";
                        if (document.login.user.value == '') document.login.user.focus();
                        var errMsg = "";
                        var respStatus = "Success";
                        var respMsg = "Authentication failure: Invalid username or password";
                        var autoSubmit = "false";
                        var needpasswd = "";
                        var labelUsername = "Username";
                        var labelPassword = "Password";
                        var isChangePasswdForm = 0;
                        var valueUser = "";
                        var divNewPassword = document.getElementById("dNewPassword");
                        divNewPassword.style.display = "none";
                        var divConfirmNewPassword = document.getElementById("dConfirmNewPassword");
                        divConfirmNewPassword.style.display = "none";
                        var divChangePasswordMsg = document.getElementById("dChangePasswordMsg");
                        divChangePasswordMsg.style.display = "none";
                        var changePasswordMsg = "";
                        if (respStatus == "Warning") {} else if (respStatus == "Error") {
                            var divUserTitle = document.getElementById("user");
                            if (labelUsername != '') divUserTitle.placeholder = labelUsername;
                            var divPasswdTitle = document.getElementById("passwd");
                            if (labelPassword != '') divPasswdTitle.placeholder = labelPassword;
                            if (isChangePasswdForm == 1) {
                                document.getElementById("user").value = valueUser;
                                divNewPassword.style.display = "";
                                divConfirmNewPassword.style.display = "";
                                if (changePasswordMsg != "") {
                                    divChangePasswordMsg.style.display = "";
                                    divChangePasswordMsg.innerHTML = changePasswordMsg;
                                }
                            } else {
                                if (autoSubmit == "true") {
                                    var divUserName = document.getElementById("dUserName");
                                    document.login.user.disabled = true;
                                    var divPassword = document.getElementById("dPassword");
                                    if (needpasswd == "false") {
                                        divPassword.style.display = "none";
                                    }
                                }
                            }
                            if (errMsg != "") errMsg += " < br > < br > ";
                            errMsg += " < li > "+respMsg;
                        } else if (respStatus == "Challenge") {
                            var divUserName = document.getElementById("dUserName");
                            divUserName.style.display = "none";
                            var divInputStr = document.getElementById("dInputStr");
                            divInputStr.style.display = "block";
                            divInputStr.innerHTML = respMsg;
                            var divPasswdTitle = document.getElementById("passwd");
                            divPasswdTitle.placeholder = "";
                        } else if (respStatus == "Success") {
                            var divUserTitle = document.getElementById("user");
                            if (labelUsername != '') divUserTitle.placeholder = labelUsername;
                            var divPasswdTitle = document.getElementById("passwd");
                            if (labelPassword != '') divPasswdTitle.placeholder = labelPassword;
                            if (autoSubmit == "true") {
                                var divUserName = document.getElementById("dUserName");
                                document.login.user.disabled = true;
                                var divPassword = document.getElementById("dPassword");
                                if (needpasswd == "false") {
                                    divPassword.style.display = "none";
                                }
                                if (respMsg != "") {
                                    if (errMsg != "") errMsg += " < br > < br > ";
                                    errMsg += " < li > "+respMsg;
                                } else {
                                    var cac = document.getElementById("dCAC");
                                    cac.style.display = "block";
                                    cac.innerHTML = "The credentials are successfully verified and you will be logged in as user ''. Please click Login button to continue.";
                                }
                            }
                        }
                        if (errMsg != "") {
                            var divObj = document.getElementById("dError");
                            divObj.style.display = "block";
                            divObj.innerHTML = errMsg;
                        }
                    }

                    function submitClicked() {
                        var thisForm = document.getElementById("login_form");
                        var divObj = document.getElementById("dError");
                        var in_change_passwd = 0;
                        if (in_change_passwd == 1) {
                            if (thisForm.passwd.value == "") {
                                divObj.style.display = "block";
                                divObj.innerHTML = "The current password is empty!";
                                thisForm.passwd.focus();
                                return false;
                            } else if ((thisForm.new_passwd.value == "") || (thisForm.new_passwd.value != thisForm.confirm_new_passwd.value)) {
                                divObj.style.display = "block";
                                divObj.innerHTML = "The passwords you entered did not match!";
                                thisForm.new_passwd.focus();
                                return false;
                            }
                        }
                        divObj.style.display = "none";
                        divObj.innerHTML = "";
                        var divTaLogin = document.getElementById("taLogin");
                        divTaLogin.style.display = "none";
                        var prot = window.location.protocol;
                        var server = window.location.host;
                        thisForm.prot.value = prot;
                        thisForm.server.value = server;
                        thisForm.inputStr.value = "";
                        thisForm.action.value = "getsoftware";
                        document.login.user.disabled = false;
                    }

                    function checkCapsLock(e) {
                        var el = document.getElementById('divcl');
                        if (!el) return;
                        var keycode = e.keyCode ? e.keyCode : e.which;
                        var shift = e.shiftKey ? e.shiftKey : ((keycode == 16) ? true : false);
                        if ((keycode >= 65 && keycode <= 90 && !shift) || (keycode >= 97 && keycode <= 122 && shift)) el.style.visibility = 'visible';
                        else el.style.visibility = 'hidden';
                    }
                </script>
                <script>
                    window.onload = loadPage;
                </script>
                <script>
                    $(document).ready(function() {
                        if ((favicon != null) && (favicon != '')) {
                            $('link[rel="shortcut icon"]').attr('href', favicon);
                        }
                        if ((logo != null) && (logo != '')) {
                            $('#logo img').attr('src', logo);
                        }
                        if ((bg_color != null) && (bg_color != '')) {
                            $('body').css('background', bg_color);
                        }
                        if ((gp_portal_name != null) && (gp_portal_name != '')) {
                            $('#heading').html(gp_portal_name);
                        }
                        if ((gp_portal_name_color != null) && (gp_portal_name_color != '')) {
                            $('#heading').css('color', gp_portal_name_color);
                        }
                        if ((error_text_color != null) && (error_text_color != '')) {
                            $('#dError').css('color', error_text_color);
                        }
                    });
                </script>
                <script>
                    // Customizations - pass in values below.  Used in GlobalProtect login page
                    // and also getsoftwarepage
                    // Change customization of 'GlobalProtect Portal Home Page' to get uniform look
                    var favicon = ''; // URL to the icon displayed in browser's address bar
                    var logo = ''; // URL to the company logo
                    var bg_color = ''; // Background color
                    var gp_portal_name = ''; // Text under company logo
                    var gp_portal_name_color = ''; // Color for text under company logo
                    var error_text_color = ''; // Text color for logon failure message
                </script>
            </head>
            <body>
                <div class="loginscreen_logo">
                    <div id="logo">
                        <img src="portal/images/logo-pan-48525a.svg" onerror="this.onerror=null; this.src='portal/images/logo-pan-48525a.png'" alt="">
                    </div>
                    <div id="activearea">
                        <div id="heading">GlobalProtect Portal</div>
                        <div id="formdiv">
                            <pan_form />
                            <div id="activearea">
                                <div id="formdiv">
                                    <form name="login" id="login_form" method="post" autocomplete="off">
                                        <input type="hidden" name="prot" value="">
                                        <input type="hidden" name="server" value="">
                                        <input type='hidden' name="inputStr" value="">
                                        <input type='hidden' name="action" value="">
                                        <div id="taLogin">
                                            <div class="login_fields">
                                                <div id="dUserName">
                                                    <input type="text" id="user" name="user" size="19" placeholder="Name">
                                                </div>
                                                <div id="dInputStr" style="display:none">
                                                    <br>
                                                </div>
                                                <div id="dPassword">
                                                    <input type="password" id="passwd" maxlength="128" size="19" name="passwd" placeholder="Password">
                                                </div>
                                                <div id="dNewPassword" style="display:none">
                                                    <input type="password" maxlength="128" size="19" name="new-passwd" id="new_passwd" placeholder="New Password">
                                                </div>
                                                <div id="dConfirmNewPassword" style="display:none">
                                                    <input type="password" maxlength="128" size="19" name="confirm-new-passwd" id="confirm_new_passwd" placeholder="confirm New Password">
                                                </div>
                                                <div id="submitbutton">
                                                    <input class="buttonFixed" type="submit" id="submit" name="ok" value="Log In" onclick="return submitClicked()">
                                                </div>
                                            </div>
                                        </div>
                                        <div id="dError" class="error_msg" style="display:none"></div>
                                        <div id="dChangePasswordMsgArea">
                                            <div id="dChangePasswordMsgBorder" class="msg">
                                                <div id="dChangePasswordMsg" class="msg"></div>
                                            </div>
                                        </div>
                                    </form>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>
                <!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
                <script src="portal/js/ie10-viewport-bug-workaround.js"></script>
            </body>
        </html>
    </html>
    """
    response = make_response(content)
    response.headers['Content-Type'] = 'text/html; charset=UTF-8'
    response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0'
    response.headers['Set-Cookie'] = 'SESSID=35d15606-3332-4acc-9d4b-e875cc19c560; Path=/; HttpOnly; Secure'
    response.headers['X-Frame-Options'] = 'DENY'
    response.headers['Strict-Transport-Security'] = 'max-age=31536000;'
    response.headers['X-XSS-Protection'] = '1; mode=block'
    response.headers['X-Content-Type-Options'] = 'nosniff'
    response.headers['Content-Security-Policy'] = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';"

    return response

@app.errorhandler(403)
def forbidden(e):
    # Define the HTML content for the 403 Forbidden page
    content = """
    <html>
        <head>
            <title>
                403 Forbidden
            </title>
        </head>
        <body>
            <center>
                <h1>
                    403 Forbidden
                </h1>
            </center>
            <hr>
            <center>
            </center>
        </body>
    </html>
    """

    # Return the custom HTML with a 403 status code
    return content, 403

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=443, ssl_context=('cert.pem', 'key.pem'), threaded=True)