漏洞平台

POC详情： fcad82a89a9ed246404ba23da477a37e4faf0f87

来源

https://github.com/vulncheck-oss/cve-2023-36845-scanner

关联漏洞

标题： Juniper Networks Junos OS EX 安全漏洞 (CVE-2023-36845)
描述：Juniper Networks Junos OS EX是美国瞻博网络（Juniper Networks）公司的一套专用于该公司的硬件设备的网络操作系统。该操作系统提供了安全编程接口和Junos SDK。 Juniper Networks Junos OS EX存在安全漏洞，该漏洞源于J-Web模块存在PHP外部变量修改漏洞。

描述

A tool to discover Juniper firewalls vulnerable to CVE-2023-36845

介绍

# Vulnerability Scanner for Juniper CVE-2023-36845

This vulnerability scanner can be used to scan Juniper firewalls to determine if they are vulnerable to [CVE-2023-36845](https://nvd.nist.gov/vuln/detail/CVE-2023-36845). Because this is built on top of [go-exploit](https://github.com/vulncheck-oss/go-exploit), this scanner has two phases:

* Target verification to ensure the target is a potentially impacted Juniper firewall.
* Target exploitation in which the scanner sends an `LD_PRELOAD` message to generate a (harmless) error message from vulnerable systems.

For more details on exploiting CVE-2023-36845 see our blog, [Fileless Remote Code Execution on Juniper Firewalls](https://vulncheck.com/blog/juniper-cve-2023-36845/).

## Compiling

You can use the makefile to build a docker container:

```
make docker
```

Or, if you have a Go build environment ready to go, just use `make`:

```sh
albinolobster@mournland:~/cve-2023-36845-scanner$ make
gofmt -d -w scan.go
golangci-lint run --fix scan.go
GOOS=linux GOARCH=arm64 go build -o build/scan_linux-arm64 scan.go
```

## Usage

The tool is built on top of [go-exploit](https://github.com/vulncheck-oss/go-exploit), so there are multipe ways to provide targets to scan. A full description can be found in the project's [scanning documentation](https://github.com/vulncheck-oss/go-exploit/blob/main/docs/scanning.md). However, the following shows some examples:

### Scanning One Host

```sh
$ ./build/scan_linux-arm64 -a -v -e -rhost 10.12.72.1 -log-json=true | jq 'select(.msg == "Vulnerable")'
{
  "time": "2023-09-16T06:18:01.964471183-04:00",
  "level": "SUCCESS",
  "msg": "Vulnerable",
  "vulnerable": true,
  "rhost": "10.12.72.1",
  "rport": 80
}
```

### Scanning Multiple Hosts

```sh
$ ./build/scan_linux-arm64 -a -v -e -rhosts 10.12.72.1,10.12.72.2
time=2023-09-16T06:19:26.592-04:00 level=STATUS msg="Starting target" index=0 host=10.12.72.1 port=80 ssl=false "ssl auto"=true
time=2023-09-16T06:19:36.607-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=10.12.72.1 port=80
time=2023-09-16T06:19:37.528-04:00 level=SUCCESS msg="Target validation succeeded!" host=10.12.72.1 port=80
time=2023-09-16T06:19:37.574-04:00 level=SUCCESS msg=Vulnerable vulnerable=true rhost=10.12.72.1 rport=80
time=2023-09-16T06:19:37.575-04:00 level=STATUS msg="Exploit successfully completed"
time=2023-09-16T06:19:37.575-04:00 level=STATUS msg="Starting target" index=1 host=10.12.72.2 port=80 ssl=false "ssl auto"=true
time=2023-09-16T06:19:37.575-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=10.12.72.2 port=80
time=2023-09-16T06:19:37.576-04:00 level=ERROR msg="The target isn't recognized as JunOS Web Interface, quitting" host=10.12.72.2 port=80
```

### Scanning a File of Hosts Using a Proxy (and logging to file)

go-exploit provides the ability to scan via a provided target csv, where the csv is: `host, port, anything if ssl is enabled` (although the SSL field is ignored if -a is used). Please see the scanning documentation for full details. It also provides the ability to scan through a proxy. The command works like so:

```sh
$ ./build/scan_linux-arm64 -v -e -rhosts-file ~/junos/junos.targets.csv -proxy socks5://127.0.0.1:9050 -log-file vulnscan.json
^C
$ tail vulnscan.json 
time=2023-09-17T05:11:19.256-04:00 level=STATUS msg="Starting target" index=0 host=x port=443 ssl=true "ssl auto"=false
time=2023-09-17T05:11:19.256-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=x port=443
time=2023-09-17T05:11:29.257-04:00 level=ERROR msg="HTTP request error: Get \"https://x:443/\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
time=2023-09-17T05:11:29.257-04:00 level=ERROR msg="The target isn't recognized as JunOS Web Interface, quitting" host=x port=443
time=2023-09-17T05:11:29.257-04:00 level=STATUS msg="Starting target" index=1 host=x port=80 ssl=false "ssl auto"=false
time=2023-09-17T05:11:29.257-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=xport=80
```

文件快照


 [4.0K]  /data/pocs/fcad82a89a9ed246404ba23da477a37e4faf0f87
├── [ 466]  Dockerfile
├── [ 877]  go.mod
├── [4.7K]  go.sum
├── [ 11K]  LICENSE
├── [2.1K]  Makefile
├── [4.0K]  README.md
└── [3.4K]  scan.go

0 directories, 7 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。