SSRF in Ivanti Connect Secure/Policy Secure/Neurons for ZTA SAML component

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

This repository provides a working exploit for chaining two critical vulnerabilities in Ivanti Connect Secure and Policy Secure appliances: CVE-2024-21893 (SSRF) and CVE-2024-21887 (command injection). The main exploit script (exploit.py) is written in Python and automates the attack by sending a crafted XML payload to the vulnerable endpoint (/dana-ws/saml20.ws) on the target. The payload leverages SSRF to reach an internal service and injects a command that opens a reverse shell to the attacker's machine. The script can also set up a listener using pwncat to handle the incoming shell. Two Nuclei YAML templates are included for detection of the SSRF and the SSRF-to-RCE chain, targeting the same endpoint. The repository is structured with a README.md (usage and background), the main exploit script, two detection templates, and a requirements.txt for dependencies. The exploit is operational and provides unauthenticated remote code execution if the target is vulnerable and unpatched.

This repository contains a Python proof-of-concept exploit for CVE-2024-21893, a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA. The exploit script (CVE-2024-21893.py) constructs a malicious SAML SOAP request with a crafted <ds:RetrievalMethod> URI pointing to an attacker-controlled server. When sent to the vulnerable endpoint (typically /dana-ws/saml20.ws), the target system processes the XML and makes a server-side request to the specified URI, enabling the attacker to access internal resources or exfiltrate data. The script supports both single-target and list-based targeting and requires the attacker to specify their own server for receiving SSRF callbacks. The README provides usage instructions, example payloads, and references. The exploit is a functional PoC and does not include weaponized features such as automated post-exploitation or payload customization.