Unauthenticated unrestricted file upload/download leading to RCE in Cleo Harmony, VLTrader, and LexiCom
CVE-2024-50623 affects Cleo Harmony, VLTrader, and LexiCom before version 5.8.0.21. It is an unrestricted file upload and download flaw: an unauthenticated attacker can reach the products' web-facing functionality, in particular the /Synchronization endpoint named in public reporting, and perform arbitrary file read and write operations on the server. Public reporting states that the same web interface can be used to upload malicious files or templates and then execute arbitrary system commands, so the file-write primitive becomes remote code execution. Observed in-the-wild activity included planting malicious Freemarker template backdoor code and obtaining reverse-shell access on compromised systems. Note that the fixed-version cut-off is not consistent across the sources on this page: the advisory-level summary gives 5.8.0.21, while one of the exploit write-ups below treats builds below 5.8.0.24 as vulnerable. Check the vendor's current advisory and confirm the installed build rather than relying on the 5.8.0.21 boundary alone.
Exploits
Four public proof-of-concept repositories are tracked for this CVE (fake, detection-only, and README-only repositories excluded). The summaries below describe what each one does.
This repository contains a proof-of-concept exploit for CVE-2024-50623. Its main file, poc.py, is a Python script that takes a target host as input and sends a crafted HTTP GET request to the /Synchronization endpoint. The request carries a 'Retrieve' header whose path parameter holds a traversal payload (path=../../etc/passwd) to read /etc/passwd from the target. On success, the file contents are printed to the console. The exploit demonstrates arbitrary file read over the network; the repository consists only of a README.md with usage instructions and the poc.py script.
This repository contains a Python exploit script (CVE-2024-50623.py) and a brief README. The script targets Cleo LexiCom servers it considers vulnerable (versions below 5.8.0.24) by interacting with the /Synchronization endpoint over HTTP or HTTPS. It first fingerprints Cleo LexiCom and its version by parsing the Server header of a 500 response. If the target is vulnerable, it attempts to read the Windows system.ini file using a crafted VLSync header, confirming arbitrary file read. It then uploads a file (test.txt) and verifies the upload by reading it back. The script supports a single URL or batch mode via command-line arguments. Because it demonstrates both file read and file write, it is operational rather than a detection-only check. No hard-coded IPs or domains are present, but the /Synchronization endpoint and the file paths it uses are fingerprintable in logs. The README provides usage instructions and a link to additional PoCs.
This repository provides a proof-of-concept exploit for CVE-2024-50623, the unrestricted file upload and download vulnerability in Cleo Harmony, Cleo VLTrader, and Cleo LexiCom (versions prior to 5.8.0.21). It contains two files: a README.md explaining the vulnerability, the affected products, and usage, and a Bash script (cve-2024-50623.sh) that implements the exploit logic. The script reads arbitrary files from the target or uploads arbitrary files to it by sending crafted HTTP requests to the /Synchronization endpoint, using custom HTTP headers (notably VLSync) to instruct the server which file operation to perform. The operator can specify a proxy, the target URL, the action (read or write), the file path, and, for write, the local file to upload. The script logs actions and responses for auditing. No hard-coded IPs or domains are present; the main fingerprintable artifact is the /Synchronization path on the target. The script ships no weaponized payload, but the read/write primitive it demonstrates is the one reporting describes being chained into remote code execution.
This repository contains a Python proof-of-concept exploit for CVE-2024-50623, the unrestricted file upload and download vulnerability in Cleo software (likely VLTrader or Harmony). It consists of a single Python script (CVE-2024-50623.py) and a README.md with usage instructions and background. The script performs arbitrary file reads and writes on a vulnerable Cleo server by sending crafted HTTP requests to the /Synchronization endpoint, using a custom VLSync header to specify the action and the file path. An attacker can read any file on the server or upload arbitrary files, which leads to further exploitation such as remote code execution if a malicious file lands in an executable location. The exploit requires no authentication and targets the Cleo product on Windows. The README gives usage examples for both file read and file write. The repository contains no detection logic or placeholder code; it is a functional exploit PoC.
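The four write-ups above all describe the same primitive: an unauthenticated request to /Synchronization whose VLSync header names an action and a file path, with `../` in the path reaching outside the intended directory. The following Python script is an added example, not code from this page or from any of the repositories above, showing how a defender would triage for it. One function parses a Cleo product and version out of a Server header and compares it against the fixed build, and another scans web-server log lines for /Synchronization requests whose VLSync header carries a traversal or a write action. The Server banner format, the log line format, the sample log lines, and the 'Send' action name for uploads are all assumptions made for this example; only the Retrieve action, the path= parameter, and the ../ traversal are taken from the write-ups.

```python
import re
from typing import Optional, Tuple, List, Dict

# Fixed builds cited on this page for CVE-2024-50623. Cleo's first fix was
# 5.8.0.21; one write-up above treats builds below 5.8.0.24 as still exposed,
# so compare against the later cut-off to stay conservative.
FIXED_VERSION = (5, 8, 0, 24)

# ASSUMED banner shape, e.g. "Cleo Harmony/5.8.0.0" or "Cleo LexiCom 5.7.0.0".
# The real Server header may differ; adjust the regex to what your instance returns.
SERVER_RE = re.compile(r"Cleo\s+(Harmony|VLTrader|LexiCom)[/ ]v?(\d+(?:\.\d+)*)", re.I)


def parse_server_header(value: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (product, version tuple) from a Server header, or None if not Cleo."""
    m = SERVER_RE.search(value or "")
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    """True when the build predates FIXED_VERSION (missing components count as 0)."""
    padded = tuple(version) + (0,) * (4 - len(version))
    return padded[:4] < FIXED_VERSION


# ASSUMED log line format for the demo: "<client ip> <method> <path> "<VLSync header or ->"".
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample traffic (not real logs). Line 1 mirrors the read primitive from
# the write-ups; line 2 is an assumed upload ("Send") with traversal; line 3 is a
# benign-looking sync read; line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.7 GET /Synchronization "Retrieve;l=Ab1234;n=VLTrader;v=5.7.0.0;path=../../etc/passwd"
203.0.113.7 POST /Synchronization "Send;l=Ab1234;n=VLTrader;v=5.7.0.0;path=../../tmp/test.txt"
198.51.100.5 GET /Synchronization "Retrieve;l=Ab1234;n=VLTrader;v=5.7.0.0;path=inbox/report.csv"
198.51.100.9 GET /WebAdmin/login "-"
"""


def parse_vlsync(value: str) -> Dict[str, str]:
    """Split "Action;k=v;k=v" into {"action": Action, k: v, ...}."""
    parts = value.split(";")
    fields = {"action": parts[0].strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        fields[key.strip()] = val.strip()
    return fields


def triage_line(line: str) -> Optional[Dict[str, object]]:
    """Classify one log line; None if it is not a VLSync request to /Synchronization."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, vlsync = m.groups()
    if path.split("?")[0] != "/Synchronization" or vlsync == "-":
        return None
    fields = parse_vlsync(vlsync)
    reasons: List[str] = []
    target = fields.get("path", "")
    # "../" or "..\" anywhere in the requested path is the traversal the PoCs use.
    if ".." in target:
        reasons.append("path traversal")
    # Anything other than a read is a write to the server; legitimate peer-sync
    # traffic may do this, so verify the source against known Cleo peers.
    if fields["action"] != "Retrieve":
        reasons.append(f"write action {fields['action']} (verify against known sync peers)")
    return {"ip": ip, "method": method, "action": fields["action"],
            "path": target, "reasons": reasons}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return only the /Synchronization requests that raised at least one reason."""
    hits = []
    for line in text.splitlines():
        result = triage_line(line)
        if result and result["reasons"]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    banner = "Cleo LexiCom/5.8.0.21"  # constructed banner for the demo
    parsed = parse_server_header(banner)
    print(banner, "->", parsed, "vulnerable:" , parsed and is_vulnerable_version(parsed[1]))
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['action']} {hit['path']}: {', '.join(hit['reasons'])}")
```

The version check is deliberately conservative: a build reported as 5.8.0.21 is flagged because the page's own sources disagree on the boundary. The log scan flags traversal unconditionally but treats write actions as "review", since /Synchronization is also used by legitimate Cleo-to-Cleo synchronization and a flat block on writes would produce false positives in a real deployment.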
Recent activity
A vulnerability in the Cleo Harmony, VLTrader, and LexiCom file transfer products exploited for mass data exfiltration by ransomware groups.
A zero-day vulnerability in Cleo file transfer software exploited by Cl0p in 2024 for data theft and extortion.
Microsoft's reporting lists an exploited vulnerability in the Cleo file-sharing tool among the key vulnerabilities exploited during its reporting period; the source gives no further technical detail.
A remote code execution vulnerability affecting Cleo MFT platforms, cited as mass-exploited and driving a surge in Cl0p ransomware victims.