Command Injection in Ivanti Connect Secure and Policy Secure Web Components

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

This repository provides a Python-based exploit for CVE-2024-21887, a command injection vulnerability in Ivanti Connect Secure gateways. The main script, 'ivanti_shell.py', automates the process of establishing a reverse shell from a vulnerable Ivanti device to the attacker's machine using Ngrok as a tunneling service. The script sets up an Ngrok tunnel, constructs a Python reverse shell payload, URL-encodes it, and crafts a malicious API request to the target Ivanti device. If the exploit is successful, the attacker gains shell access to the target system via the Ngrok tunnel. The repository includes a README with setup and usage instructions, a requirements.txt for dependencies, and the exploit script itself. The exploit is operational and provides a working reverse shell payload, but is not part of a larger framework.

This repository provides a working exploit for chaining two critical vulnerabilities in Ivanti Connect Secure and Policy Secure appliances: CVE-2024-21893 (SSRF) and CVE-2024-21887 (command injection). The main exploit script (exploit.py) is written in Python and automates the attack by sending a crafted XML payload to the vulnerable endpoint (/dana-ws/saml20.ws) on the target. The payload leverages SSRF to reach an internal service and injects a command that opens a reverse shell to the attacker's machine. The script can also set up a listener using pwncat to handle the incoming shell. Two Nuclei YAML templates are included for detection of the SSRF and the SSRF-to-RCE chain, targeting the same endpoint. The repository is structured with a README.md (usage and background), the main exploit script, two detection templates, and a requirements.txt for dependencies. The exploit is operational and provides unauthenticated remote code execution if the target is vulnerable and unpatched.

This repository provides a Python-based exploit tool for CVE-2024-21887, a critical command injection vulnerability affecting Ivanti Connect Secure and Policy Secure systems. The tool consists of three files: a README.md with usage instructions and background, a requirements.txt listing Python dependencies, and the main exploit script exploit.py. The exploit.py script allows users to scan a single URL or multiple URLs (from a file) for vulnerability, using multi-threading for bulk scans. If a target is found vulnerable, the tool provides an interactive shell for executing arbitrary commands on the target system via a crafted POST request to a specific API endpoint. The exploit requires authenticated admin access to the target. The main fingerprintable endpoint is the API path '/api/v1/totp/user-backup-code/%2E%2E/%2E%2E/system/maintenance/archiving/cloud-server-test-connection', which is used for the command injection. The repository is operational in maturity, providing both detection and exploitation capabilities.

This repository provides two Bash proof-of-concept exploit scripts targeting Ivanti Connect Secure and Policy Secure appliances (versions 9.x and 22.x) for CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection). The structure consists of two shell scripts and a detailed README. - CVE-2023-46805.sh exploits an authentication bypass by sending a crafted GET request to a system information endpoint, allowing unauthenticated access to restricted data. - CVE-2024-21887.sh exploits a command injection vulnerability by injecting a user-supplied command (URL-encoded) into a specific API endpoint, allowing an authenticated administrator to execute arbitrary commands on the appliance. The README provides usage instructions, example endpoints, and additional API paths that may be of interest for further exploitation or post-exploitation activities. The scripts require standard Unix utilities (curl, json_pp, xxd, tr, sed) and are intended for use in a command-line environment. No hardcoded IPs or credentials are present; the user supplies the target URL and, for the command injection, the payload command. The attack vector is network-based, targeting exposed web interfaces of vulnerable Ivanti appliances.

This repository is a Python-based exploit tool targeting CVE-2024-21887, a critical command injection vulnerability in Ivanti Connect Secure and Policy Secure systems. The tool is designed to both detect and exploit the vulnerability by allowing authenticated admin users to execute arbitrary commands on the target system. The main script, 'exploit.py', is obfuscated using Python's marshal module, making direct code review difficult, but the README and usage patterns indicate it supports both single and bulk URL scanning, multi-threaded operation, and output logging. The tool interacts with the target via HTTP requests, requiring the attacker to supply a target URL (or a file of URLs) and, presumably, valid admin credentials. The requirements.txt lists several dependencies for user interface and HTTP communication. The exploit is operational, providing real command execution on vulnerable systems, and is not just a detection script. No hardcoded IPs, domains, or file paths are present, but the main fingerprintable endpoint is the user-supplied target URL representing the Ivanti web interface.