noperator / cve-2019-18935 Goto Github PK
View Code? Open in Web Editor NEWRCE exploit for a .NET JSON deserialization vulnerability in Telerik UI for ASP.NET AJAX.
License: Apache License 2.0
cve-2019-18935's Issues
In the new version of Visual Studio, the directory does not exist
Line 17 in 785c19b
TypeError: 'NoneType' object is not subscriptable
Traceback (most recent call last): File "C:\Users\hi\Desktop\CVE-2019-18935\CVE-2019-18935.py", line 202, in <module> filename_remote_actual = upload( File "C:\Users\hi\Desktop\CVE-2019-18935\CVE-2019-18935.py", line 121, in upload if filename_remote != result['metaData']['TempFileName']: TypeError: 'NoneType' object is not subscriptable
I have managed to compile the payload, and have shortlisted the version of Telerik to be 2019.1.215 (based on the last modified date on /WebResource). What could be the possible reason for this error?
The command I ran was python .\CVE-2019-18935.py -v 2019.1.215 -u HOSTNAME/Telerik.Web.UI.WebResource.axd?type=rau -p .\payloads\sleep-2020122117174156-amd64.dll -f 'C:\Windows\Temp'
your code dosen't work
HI, I try all of code for several days but even stager also does not work ,i install sliver in kali but sliver-stager code also doesn't work , I enable debug in sliver-stage code and set 1 ,but it doesn't show any error and also sleep doesn't increase response time
I test these
python3 CVE-2019-18935.py -v 2013.2.717.40 -p sleep-05202102280267-amd64.dll -u http://xxx/Telerik.Web.UI.WebResource.axd?type=rau
python3 CVE-2019-18935.py -v 2017 -u http://xxx/Telerik.Web.UI.WebResource.axd?type=rau -p sliver-stager-05202117080198-x86.dll and reverse shell
please help
Connection reset by peer
Whenever i'm trying to get a rev shell, the connection is closed.
requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
Any suggestions how to resolve the issue ?
nc: getnameinfo: Temporary failure in name resolution
thanks for this project. The target server has a telerik vulnerability. The sleep.dll file is executing successfullyf. but when I want to get a reverse shell, the server pings but my netcat listener ends. nc: getnameinfo: Temporary failure in name resolution
Could it be some kind of waf in the background? Or what is the reason for this? Can I use a different payload instead of the reverse_shell.c file? I think maybe I can succeed with the powershell download string method. but please give me an idea how can i do this.
reverse shell
I want to use this vulnerability in one of my tests
The sleep tool works properly But no reverse shell
Where can the problem be?
Link for installer of vulnerable trial version of Telerik
Do you have a link/instructions where I can download Telerik for ASP.NET Ajax old versions and verify that the exploit works?
Connection reset by peer even when uploading sleep dll
[*] Destination folder: C:\Windows\Temp
[*] Remote payload name: 1653504358.1273334.dll
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 387, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/usr/lib/python3.10/http/client.py", line 1282, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1328, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1277, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1076, in _send_output
self.send(chunk)
File "/usr/lib/python3.10/http/client.py", line 998, in send
self.sock.sendall(data)
ConnectionResetError: [Errno 104] Connection reset by peer
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 400, in increment
raise six.reraise(type(error), error, _stacktrace)
File "/usr/lib/python3/dist-packages/six.py", line 718, in reraise
raise value.with_traceback(tb)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 387, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/usr/lib/python3.10/http/client.py", line 1282, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1328, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1277, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1076, in _send_output
self.send(chunk)
File "/usr/lib/python3.10/http/client.py", line 998, in send
self.sock.sendall(data)
urllib3.exceptions.ProtocolError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/misctest/RAU_crypto/CVE-2019-18935/CVE-2019-18935.py", line 245, in <module>
filename_remote_actual = upload(
File "/root/misctest/RAU_crypto/CVE-2019-18935/CVE-2019-18935.py", line 125, in upload
result = send_request(url, files)
File "/root/misctest/RAU_crypto/CVE-2019-18935/CVE-2019-18935.py", line 46, in send_request
response = post(url, files=files, headers=headers, verify=False)
File "/usr/lib/python3/dist-packages/requests/api.py", line 116, in post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 60, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 498, in send
raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
Getting this error while uploading sleep payload, @noperator as i see you have closed #8 issue which didnt have much info.
any wonder whats happening here?
Payload compilation
To compile the DLL payload successfully .NET Framework 4.x SDK seems to be required. For example, .NET framework 4.6.1 SDK available at https://www.microsoft.com/en-us/download/details.aspx?id=49978. It would be nice to have this infor in the README.md.
del
Validation of viewstate MAC failed
Hello, do you know what this error means?
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
See http://go.microsoft.com/fwlink/?LinkID=314055 for more information
Require proxy switch or a way to provide session cookies (Authentication)
This tool works great when you can access 'Telerik.Web.UI.WebResource.axd?type=rau' as an unauthenticated user. But in most of the cases, I have seen that to access 'Telerik.Web.UI.WebResource.axd?type=rau' you need to be authenticated.
How to use this exploit in the authenticated case?
One possibility I can think of is to relay the tool's traffic via burp using the proxy switch. Having a proxy switch would be really helpful in this case. Alternatively, we can also have a switch to provide session cookies to the tool.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.