Unauthenticated command execution in OpenCode local HTTP server

Repository contains a Python exploit and a Nuclei template targeting CVE-2026-22812 in anomalyco OpenCode versions earlier than 1.0.216. The issue is an unauthenticated HTTP service that exposes command execution and related functionality. The Python script is the primary exploit implementation: it initializes a requests session, checks vulnerability by POSTing to /session, stores the returned session id, and then uses /session/{id}/shell with JSON payloads containing an attacker-controlled command. Based on the visible CLI handling and method names, it supports vulnerability checking, one-shot command execution, interactive shell access, system information gathering, file reading, file upload, and file download. It also supports configurable timeout and HTTP/HTTPS proxying. The YAML file is a Nuclei template that fingerprints the vulnerability by chaining requests to /session, /session/{{session_id}}/shell, /pty, and /file/content?path=/etc/hostname. It extracts the session id from JSON and confirms exploitation by matching the echoed marker string `CVE202622812VULN`, PTY behavior, file-read success, or session creation bypass. Because this repository includes a Nuclei template, it belongs to a framework; however, the repository also includes standalone exploit code. Overall purpose: provide both active exploitation and scanner-based validation for OpenCode's exposed local HTTP API leading to unauthenticated RCE and file access.

Repository contains a Nuclei detection template plus a standalone Python exploit for alleged OpenCode unauthenticated RCE (CVE-2026-22812). Structure: - CVE-2026-22812-detect.yaml: Nuclei template that probes BaseURL and common OpenCode ports (4096-4100) to (1) identify OpenCode via body keywords ("OpenCode"/"opencode-sdk") and (2) confirm unauthenticated session creation by POSTing to /session and matching HTTP 200/201 with a JSON body containing an "id". - rce.py: Main exploit tool. Implements an OpenCodeExploiter class using requests.Session with a distinctive User-Agent. Core flow is POST {url}/session to obtain a session id, then POST {url}/session/{id}/shell with JSON {agent:"build", command:<cmd>} to execute arbitrary commands. Includes a GET {url}/file/content?path=<path> helper to read file contents. The check routine validates the target looks like OpenCode, creates a session, and runs a benign command (echo 'VULN_TEST') to confirm RCE. The script also supports scanning multiple targets concurrently (ThreadPoolExecutor) and printing/saving results. - README.md: Usage examples (check, command execution, file read, list scanning) and notes default ports 4095-4100 and search dorks. Capabilities: - Unauthenticated remote command execution against exposed OpenCode HTTP API. - Unauthenticated file read via file content endpoint. - Target discovery/checking and multi-target scanning with concurrency and optional output. Notes: - The provided rce.py content is truncated in the supplied snapshot, but the visible portions clearly show the exploit primitives (/session, /session/{id}/shell, /file/content) and the vulnerability check logic.

Repository contains a Python exploitation tool and a Nuclei template for CVE-2026-22812 (OpenCode < 1.0.216). The core exploit logic (CVE-2026-22812.py) uses unauthenticated HTTP requests to OpenCode’s exposed service to (1) create a session via POST /session and (2) execute arbitrary OS commands via POST /session/{session_id}/shell with a JSON body containing an agent name and command. The README indicates additional capabilities implemented in the Python tool: interactive shell mode, file read/write, upload/download, and system reconnaissance, with optional HTTP proxy support and basic statistics tracking. Structure/purpose: - CVE-2026-22812.py: primary exploit client (requests-based), session creation, command execution, interactive loop, and file operations (per README and visible endpoint usage). - CVE-2026-22812.yaml: Nuclei template to detect/confirm the issue by creating a session, executing a benign echo command, optionally probing /pty, and reading /file/content?path=/etc/hostname. - README.md: usage examples and endpoint documentation. - LICENSE: MIT. Overall, this is an operational unauthenticated RCE exploit client for OpenCode’s exposed HTTP endpoints, plus a scanner template to validate vulnerability and basic exploitation primitives.

Repository contains a standalone Python proof-of-concept/operational exploit for CVE-2026-22812 (OpenCode unauthenticated HTTP server leading to RCE). Structure: (1) CVE-2026-22812.py is the main exploit tool using requests.Session with TLS verification disabled and optional proxy support. It first creates an unauthenticated session via POST {target}/session and then achieves RCE by POSTing JSON to {target}/session/{id}/shell with fields including agent='build' and an attacker-supplied command. The script supports multiple operator workflows: vulnerability verification, single-command execution, and an interactive shell loop. The truncated portion plus README indicate additional helper features implemented in the script: reading files, uploading/writing files, downloading/exfiltrating files, collecting system information (hostname/user/kernel/os/processes), and creating a PTY session for improved interactivity. (2) README.md documents affected versions (<1.0.216), attack scenario (network reachable local server + permissive CORS enabling browser-assisted attacks), and provides usage examples for verify/command/interactive/file ops/sysinfo. (3) requirements.txt pins requests/urllib3. Overall purpose: provide unauthenticated remote command execution and post-exploitation convenience functions against vulnerable OpenCode instances exposed on an HTTP port (examples use :4096).

Repository contains a single Python exploit script (CVE-2026-22812.py) and a minimal README. The script is a network-based RCE PoC/operational exploit that takes a base URL from argv[1], strips a trailing slash, and uses the requests library (TLS verification disabled) to interact with a presumed vulnerable HTTP API. Workflow: 1) POST {BASE_URL}/session with browser-like headers to obtain/trigger a list of sessions. It checks for the substring 'ses_' in the response body and then parses the response as JSON. 2) Iterates over returned session objects, extracting sid['id']. 3) For each session id, POSTs to {BASE_URL}/session/{id}/shell with JSON payload {agent: 'build', command: 'touch /tmp/grass'}. 4) Prints the response; if HTTP 500, it tries the next session; otherwise it reports success and stops. Notable characteristics: hardcoded command payload (creates /tmp/grass), no authentication handling, no target fingerprinting beyond the 'ses_' substring check, and verify=False (susceptible to MITM but common in PoCs).

Repository contains a standalone Python exploitation tool for CVE-2026-22812 (OpenCode unauthenticated RCE) targeting OpenCode versions < 1.0.216. Structure is minimal: (1) README.md documents features and usage, (2) exploit.py implements the exploit logic and CLI, (3) requirements.txt pins Python dependencies (requests, urllib3). Core exploit flow in exploit.py: - Establishes an HTTP client (requests.Session) with optional proxy support and TLS verification disabled. - Verifies vulnerability by attempting unauthenticated session creation via POST to the /session endpoint; on success it extracts a returned session id. - Performs RCE by POSTing JSON to /session/{session_id}/shell with fields like {"agent":"build","command":"<attacker command>"}. Capabilities advertised/implemented (per README and visible code portions): - Unauthenticated session creation (used as both a check and prerequisite). - Arbitrary command execution (single command mode and interactive shell mode with readline history). - File operations: read arbitrary files; upload/download files (implementation exists but is truncated in provided content). - System enumeration helper (e.g., hostname/user/kernel/os/ip/process listing) and optional PTY session creation. Primary network targets/endpoints are the OpenCode service base URL (commonly http://<host>:4096) and the REST-style paths /session and /session/{id}/shell. The tool is operational (usable end-to-end) and not merely a detector, as it provides interactive command execution and post-exploitation utilities.