CVE-2024-24590 PoC — Allegro 代码问题漏洞

Source

https://github.com/j3r1ch0123/CVE-2024-24590

Associated Vulnerability

Title:Allegro 代码问题漏洞 (CVE-2024-24590)
Description:Allegro是Allegro开源的一个主要针对视频游戏和多媒体编程的跨平台库。 Allegro AI ClearML 0.17.0版本及之后版本存在代码问题漏洞，该漏洞源于不可信数据反序列化。攻击者利用该漏洞可以执行任意代码。

Description

Created this exploit for the Hack The Box machine, Blurry.

Readme

# ClearML Exploit

This repository contains a proof-of-concept exploit for a deserialization vulnerability in ClearML, allowing for remote command execution. This exploit demonstrates how to upload a malicious pickle artifact to ClearML to gain a reverse shell.

## Prerequisites

Before you begin, ensure you have met the following requirements:

- A machine running ClearML.
- Python 3.8 or higher.
- The `clearml` library installed. You can install it using pip:

  ```bash
  pip install clearml
  clearml-init
  ```

Follow the onscreen instructions and paste your configuration settings when prompted.

Start your listener with:

  ```bash
  nc -lvnp <your_port>
  ```

It might take a minute or so for the server to process the payload, so be patient.

For more information on the vulnerability, click the following link:

https://www.cve.org/CVERecord?id=CVE-2024-24590

File Snapshot


 [4.0K]  /data/pocs/ea983b7ffa62cf77cfc8f38a61c7d9d27167959b
├── [ 860]  exp.py
└── [ 877]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!