horizon3ai/CVE-2023-34362

Stars
136
Rank 267,670 (Top 6 %)
Language
Python
Created over 1 year ago
Updated over 1 year ago

horizon3ai/CVE-2023-34362

horizon3ai

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

MOVEit CVE-2023-34362

CVE-2023-34362

POC for CVE-2023-34362 affecting MOVEit Transfer

Technical Analysis

A technical root cause analysis of the vulnerability can be found on our blog: https://www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/

Summary

This POC abuses an SQL injection to obtain a sysadmin API access token and then use that access to abuse a deserialization call to obtain remote code execution.

This POC needs to reach out to an Identity Provider endpoint which hosts proper RS256 certificates used to forge arbitrary user tokens - by default this POC uses our IDP endpoint hosted in AWS.

By default, the exploit will write a file to C:\Windows\Temp\message.txt. Alternative payloads can be generated by using the ysoserial.net project.

Usage

python CVE-2023-34362.py https://127.0.0.1
[*] Getting sysadmin access token
[*] Got access token
[*] Getting FolderID
[*] Got FolderID: 963611079
[*] Starting file upload
[*] Got FileID: 965943963
[*] Injecting the payload
[*] Payload injected
[*] Triggering payload via resume call
[+] Triggered the payload!
[*] Deleting uploaded file

Mitigations

Update to the latest version or mitigate by following the instructions within the Progress Advisory

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

Follow the Horizon3.ai Attack Team on Twitter for the latest security research:

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

vcenter_saml_login

A tool to extract the IdP cert from vCenter backups and log in as Administrator

CVE-2022-40684

A proof of concept exploit for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager

CVE-2022-39952

POC for CVE-2022-39952

CVE-2021-21972

Proof of Concept Exploit for vCenter CVE-2021-21972

CVE-2021-38647

Proof on Concept Exploit for CVE-2021-38647 (OMIGOD)

CVE-2022-1388

POC for CVE-2022-1388

CVE-2022-22972

vRealizeLogInsightRCE

POC for RCE using vulnerabilities described in VMSA-2023-0001

CVE-2022-47966

POC for CVE-2022-47966 affecting multiple ManageEngine products

proxyshell

Proof of Concept for CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207

CVE-2023-27524

Basic PoC for CVE-2023-27524: Insecure Default Configuration in Apache Superset

backup_dc_registry

A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY

CVE-2023-34051

VMware Aria Operations for Logs CVE-2023-34051

CVE-2024-0204

Authentication Bypass in GoAnywhere MFT

CVE-2023-27532

POC for Veeam Backup and Replication CVE-2023-27532

CVE-2023-27350

Proof of Concept Exploit for PaperCut CVE-2023-27350

CVE-2022-28219

PoC for ManageEngine ADAudit Plus CVE-2022-28219

CVE-2023-48788

Fortinet FortiClient EMS SQL Injection

CVE-2023-38035

Ivanti Sentry CVE-2023-38035

CVE-2024-23108

CVE-2024-23108: Fortinet FortiSIEM Unauthenticated 2nd Order Command Injection

CVE-2021-44077

Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077

CVE-2023-34992

CVE-2023-34992: Fortinet FortiSIEM Command Injection Proof of Concept Exploit

CVE-2023-26067

Lexmark CVE-2023-26067

CVE-2024-1403

Progress OpenEdge Authentication Bypass

h3-cli

CLI tool for the Horizon3.ai API

CVE-2024-29824

Ivanti EPM SQL Injection Remote Code Execution Vulnerability

CVE-2021-44142

cyanide

SecureConnect-Auth-Bypass

An exploit proof of concept for ConnectWise SecureConnect authentication bypass vulnerability.