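PoC details: f9a77b70ea3fe71a67f2d3f1184dab309e4b6652

Source
Related vulnerability
Title: PaperCut NG access control error vulnerability (CVE-2023-27350)
Description: PaperCut NG is next-generation printer control software from the Australian company PaperCut. PaperCut NG version 22.0.5 contains an access control error vulnerability. It stems from improper access control, and an attacker can exploit it to bypass authentication and execute arbitrary code in the system context.
Description
Unauthenticated remote command execution in the PaperCut service allows an attacker to execute commands due to improper access controls in the SetupCompleted Java class.
Introduction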
[!] Be careful executing this, as it re-configures the server config in order to execute commands. The script reverts the changes on exit but might not revert them if the process is improperly killed [!]

# CVE-2023-27350 ~ PaperCut Unauthenticated RCE (Versions < 22.0.8)

PaperCut servers vulnerable to CVE-2023-27350 implement improper access controls in the `SetupCompleted` Java class, allowing an attacker to bypass user authentication and access the server as an administrator. After accessing the server, the attacker can leverage existing PaperCut software features for remote code execution (RCE).

The PaperCut server process pc-app runs with SYSTEM- or root-level privileges. When the software is exploited to execute other processes such as cmd.exe or powershell.exe, these child processes are created with the same privileges. Commands supplied with the execution of these processes will also run with the same privileges.
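
The parent/child relationship described above gives defenders a process-lineage signal. The following is an added example, not part of the original repository: it scans process-creation records for shells whose parent is pc-app. The JSON field names (Sysmon-style `ParentImage`, `Image`, `User`, `CommandLine`), the sample events, and every path in them are constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# "pc-app" is the process named above; the ".exe" suffix is assumed for Windows.
PARENT_NAMES = {"pc-app", "pc-app.exe"}
# cmd.exe and powershell.exe are named above; the other shells are assumed additions.
SHELL_NAMES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}

# Constructed events, one JSON object per line; paths and values are illustrative.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\PaperCut\\pc-app.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "cmd.exe /c <constructed>"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "User": "LAB\\alice", "CommandLine": "cmd.exe"}
{"ParentImage": "C:\\PaperCut\\pc-app.exe", "Image": "C:\\PaperCut\\helper.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "helper.exe"}
this line is not JSON
{"ParentImage": "/opt/papercut/pc-app", "Image": "/bin/sh", "User": "root", "CommandLine": "sh -c <constructed>"}
"""

def image_name(path):
    """Lower-cased file name; PureWindowsPath splits on both \\ and /."""
    return PureWindowsPath(str(path or "")).name.lower()

def shells_spawned_by_pc_app(lines):
    """Return one finding per event where pc-app is the parent of a shell."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed records instead of aborting the scan
        if not isinstance(event, dict):
            continue
        parent = image_name(event.get("ParentImage"))
        child = image_name(event.get("Image"))
        if parent in PARENT_NAMES and child in SHELL_NAMES:
            findings.append({"line": lineno, "child": child,
                             "user": event.get("User"),
                             "command_line": event.get("CommandLine")})
    return findings

if __name__ == "__main__":
    for f in shells_spawned_by_pc_app(SAMPLE_EVENTS.strip().splitlines()):
        print(f"line {f['line']}: pc-app -> {f['child']} as {f['user']}: {f['command_line']}")
```
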


# Usage:


`python3 exploit.py --url <IPADDRESS>`

- The script automatically tests whether the server is vulnerable.
- Interactive shell: once the vulnerability is confirmed, the script prompts for commands to be sent.
- The script reverts the configuration on exit.


# Example:

![image](https://github.com/user-attachments/assets/98ef4286-c872-461d-8d6d-90b0c864c750)


# References:

[CVE-2023-27350](https://www.cisa.gov/sites/default/files/2023-05/AA23-131A%20Malicious%20Actors%20Exploit%20CVE-2023-27350%20in%20PaperCut%20MF%20and%20NG_0.pdf)


# Disclaimer

This script is for educational purposes.
File snapshot

    [4.0K] /data/pocs/f9a77b70ea3fe71a67f2d3f1184dab309e4b6652
    ├── [6.1K] exploit.py
    └── [1.5K] README.md

    0 directories, 2 files