Authentication Bypass in Ivanti Connect Secure and Policy Secure Web Component

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

This repository provides two Bash proof-of-concept exploit scripts targeting Ivanti Connect Secure and Policy Secure appliances (versions 9.x and 22.x) for CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection). The structure consists of two shell scripts and a detailed README. - CVE-2023-46805.sh exploits an authentication bypass by sending a crafted GET request to a system information endpoint, allowing unauthenticated access to restricted data. - CVE-2024-21887.sh exploits a command injection vulnerability by injecting a user-supplied command (URL-encoded) into a specific API endpoint, allowing an authenticated administrator to execute arbitrary commands on the appliance. The README provides usage instructions, example endpoints, and additional API paths that may be of interest for further exploitation or post-exploitation activities. The scripts require standard Unix utilities (curl, json_pp, xxd, tr, sed) and are intended for use in a command-line environment. No hardcoded IPs or credentials are present; the user supplies the target URL and, for the command injection, the payload command. The attack vector is network-based, targeting exposed web interfaces of vulnerable Ivanti appliances.