GitLab CE/EE ExifTool Image Parsing RCE

This repository is a small standalone exploit PoC for GitLab unauthenticated RCE via CVE-2021-22205. It contains two files: a README describing the vulnerability and impact, and a single Python exploit script. The script is the operational component. It generates a malicious DjVu-based payload by combining two hardcoded binary blobs with an injected command string. That command is a base64-wrapped bash reverse shell that connects back to an attacker-supplied LHOST and LPORT. The exploit then starts a local TCP listener, uploads the crafted file to the target over HTTP POST using the requests library, and waits for an inbound shell connection. If the callback arrives, it provides an interactive shell over the socket using select() to multiplex stdin and the remote connection. Structurally, exploit.py has four main functions: generate_malicious_djvu() builds the malicious file; upload_exploit() sends it to the target URL with a random 8-character path suffix; listener_thread() binds and waits up to 60 seconds for the reverse shell; and interactive_shell() provides operator interaction with the compromised host. The main() function parses arguments, launches the listener and uploader in separate threads, and transitions into shell handling on success. The exploit’s primary capability is unauthenticated remote code execution against vulnerable GitLab CE/EE instances, resulting in an interactive reverse shell. It is not a scanner or detection script. It is best classified as OPERATIONAL rather than WEAPONIZED because it includes a working hardcoded reverse-shell payload but lacks broader framework integration, target validation, or payload modularity. Notably, the upload path in the code is a generic random URL suffix rather than a clearly GitLab-specific known endpoint, which may indicate the PoC is simplified or assumes a particular routing condition; however, the intended purpose is clearly exploitation of CVE-2021-22205 through malicious file upload and ExifTool processing.

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

This repository provides a Python exploit script (CVE-2021-22205.py) targeting a remote command execution vulnerability in GitLab CE/EE (CVE-2021-22205). The exploit abuses improper validation of image files, allowing attackers to upload a specially crafted image that triggers arbitrary command execution on the server. The script supports three main modes: vulnerability check (verifies if the target is vulnerable), attack (executes arbitrary commands), and batch scan (scans multiple targets from a file). The README.md provides detailed usage instructions, including examples for command execution and reverse shell payloads. The exploit interacts with the GitLab web interface, specifically the '/users/sign_in' endpoint to retrieve a CSRF token and the '/uploads/user' endpoint to upload the malicious file. The default payload includes a DNS exfiltration command to verify code execution. The repository is operational and can be used to achieve remote code execution on vulnerable GitLab instances.

This repository contains a functional unauthenticated remote code execution (RCE) exploit targeting GitLab instances running versions prior to 13.10.3 (CVE-2021-22205). The exploit leverages a vulnerability in the way GitLab processes image uploads, specifically by abusing ExifTool's handling of DjVu files. The main exploit script, 'exploit.py', is written in Python and automates the attack by: 1. Retrieving a CSRF token from the GitLab login page. 2. Crafting a malicious DjVu file with embedded shell commands using 'djvumake' and 'djvulibre'. 3. Renaming the DjVu file to a .jpg extension. 4. Uploading the file to the '/uploads/user' endpoint of the target GitLab instance. 5. Triggering code execution on the server if the file is processed. 6. Cleaning up temporary files. The exploit requires no authentication and only needs network access to the target GitLab instance. The payload is customizable via command-line arguments, allowing the attacker to specify arbitrary shell commands to execute on the target. The repository includes a README with background information, usage instructions, and references to the original vulnerability report and write-ups. The only code file is 'exploit.py', which serves as the entry point for the exploit.

This repository consists of a single file, 'Poc.txt', which provides step-by-step instructions for generating and delivering a malicious DjVu image payload. The payload is constructed by embedding a base64-decoded reverse shell command into a DjVu image file ('lol.jpg'). The exploit targets a file upload endpoint on a remote server (example: http://10.0.0.7/...), where the attacker uploads the crafted image. When the image is processed by the vulnerable service, it triggers a reverse shell connection from the target to the attacker's machine (10.0.0.3) on TCP port 1270. The instructions also include how to listen for the incoming shell using netcat. The exploit is operational and demonstrates a practical attack scenario, but does not reference a specific CVE or product. The main attack vector is network-based, leveraging file upload and remote code execution via a crafted image file.

This repository contains a Python proof-of-concept exploit for CVE-2021-22205, a critical unauthenticated remote code execution vulnerability in GitLab CE/EE (versions prior to 13.10.3, 13.9.6, and 13.8.8). The exploit works by first retrieving a CSRF token from the /users/sign_in endpoint, then crafting a malicious DJVU image file with an embedded shell command in its metadata. This file is uploaded via a POST request to the /uploads/user endpoint, exploiting improper file handling to execute arbitrary commands on the server. The exploit is operational, requiring only the target URL and a shell command as arguments. The repository consists of the main exploit script (CVE-2021-22205.py) and a README.md with usage instructions and references. No authentication is required, and the attack vector is network-based, targeting exposed GitLab web interfaces.

This repository contains a Python exploit script (CVE-2021-22205.py) targeting the unauthenticated remote code execution (RCE) vulnerability in GitLab CE/EE (CVE-2021-22205). The exploit leverages improper image file validation in GitLab's ExifTool integration, allowing attackers to execute arbitrary commands on the server by uploading a malicious image file. The script supports several attack modes: version detection, command execution (via out-of-band channels or direct file write), reverse shell, SSH key injection, and user account manipulation (add, modify, restore passwords). It automates out-of-band (OOB) verification using DNSLog, PostBin, and RequestBin services, whose endpoints are hardcoded in the script. The repository consists of the main exploit script and a README.md with detailed usage instructions, affected versions, and references. The exploit is operational, providing real-world attack capabilities against vulnerable GitLab instances without requiring authentication.

This repository provides a Python exploit script (CVE-2021-22205.py) targeting a remote command execution vulnerability in GitLab CE/EE (CVE-2021-22205). The exploit abuses improper validation of image files, allowing attackers to upload a specially crafted image that triggers arbitrary command execution on the server. The script supports three modes: verification (checks if the target is vulnerable), attack (executes a supplied command), and batch scan (tests multiple targets from a file). The exploit works by first retrieving a CSRF token from the target's sign-in page, then uploading a malicious image to the /uploads/user endpoint. The payload can be customized to execute any system command, including establishing a reverse shell. The repository includes a README.md with usage instructions, affected product versions, and example payloads. The target.txt file provides an example target URL. The exploit is operational and can be used to gain remote code execution on vulnerable GitLab instances.

This repository contains a Python exploit script (exploit.py) targeting CVE-2021-22205, a critical unauthenticated remote code execution vulnerability in GitLab (versions prior to 13.10.3). The exploit works by generating a malicious JPEG file in-memory (removing the need for external tools like djvumake or djvulibre) and uploading it to the vulnerable GitLab instance via the /uploads/user endpoint. The script supports both authenticated and unauthenticated exploitation, depending on whether valid GitLab credentials are provided. The attacker can specify an arbitrary command to execute on the target server. The repository structure is simple, consisting of the main exploit script and a README.md file with usage instructions. The exploit leverages network access to the target GitLab instance and does not require prior authentication, though it supports authenticated attacks as well. No hardcoded IPs or domains are present; the target URL is supplied by the user at runtime.

This repository contains two main Python scripts targeting GitLab instances vulnerable to CVE-2021-22205, a remote code execution vulnerability in the ExifTool integration. The primary script, 'GitLab-revshell.py', is an exploit that crafts a malicious DjVu image file containing a base64-encoded bash reverse shell payload. It uploads this file to the '/uploads/user' endpoint of a target GitLab server after retrieving a CSRF token from '/users/sign_in'. If successful, the exploit spawns a reverse shell to the attacker's specified IP and port. The script requires the 'djvumake' utility to be installed on the attacker's machine. The second script, 'shodan-scanner.py', is a scanner that uses the Shodan API to find potential vulnerable GitLab instances on the internet. For each discovered target, it attempts to upload a similar malicious DjVu file (with a DNS exfiltration payload) to test for the vulnerability, logging results to a file. The repository also includes a README with usage instructions and credits, and a .gitignore file. The exploit is operational, providing a working reverse shell payload, and is not part of a larger framework. The main attack vector is network-based, targeting accessible GitLab servers via HTTP(S) endpoints.

This repository contains a single file, README.md, which provides a one-line Bash proof-of-concept (PoC) exploit for CVE-2021-22205, a pre-authentication remote code execution vulnerability in GitLab CE/EE. The exploit crafts a malicious image file (1.jpg) containing a payload that, when processed by a vulnerable GitLab instance, results in arbitrary command execution. The Bash command in the PoC uploads this file to the target GitLab server using the /uploads/user endpoint, after retrieving a CSRF token from the /users/sign_in page. The payload is a base64-encoded reverse shell, which, when executed, connects back to the attacker's machine. The repository also includes a sample Ruby reverse shell payload. No actual code files are present beyond the README, but the exploit is functional and demonstrates the vulnerability. The repository targets GitLab instances vulnerable to CVE-2021-22205 and is intended for security testing and research purposes.