Unauthenticated RCE in GeoServer via GeoTools XPath Evaluation
CVE-2024-36401 is a critical unauthenticated remote code execution vulnerability in GeoServer affecting default installations prior to 2.22.6, 2.23.6, 2.24.4, and 2.25.2. The issue arises because GeoServer, through the GeoTools library API, evaluates attacker-controlled property or attribute names from multiple OGC request parameters as XPath expressions and unsafely passes them to the commons-jxpath library. commons-jxpath can invoke arbitrary Java functionality during XPath evaluation, turning crafted request input into code execution. Although this XPath evaluation behavior was intended only for complex feature types such as Application Schema data stores, it is incorrectly applied to simple feature types as well, making the vulnerability broadly applicable to essentially all GeoServer instances. Exploitation has been confirmed through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.
Exploits
14 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a self-contained reproduction and exploit study for CVE-2024-36401, an unauthenticated GeoServer RCE caused by unsafe JXPath evaluation in GeoTools. It is not tied to a major exploit framework; the main exploit logic is implemented in `exploit/exploit.py` with a secondary curl-based PoC in `exploit/exploit.sh`. Structure: `docker/` contains two nearly identical Dockerfiles that build GeoServer 2.25.1 (vulnerable) and 2.25.2 (patched) from official SourceForge binaries; `docker-compose.yml` exposes them on localhost ports 8080 and 8081; `exploit/` contains the Python exploit/verifier, shell PoC, payload catalog, and captured proof artifacts; `run-reproduction.sh` automates build, readiness checks, exploitation of both instances, and proof collection; `report/report.md` is a detailed technical write-up. Exploit capability: the Python script first enumerates layers via WFS GetCapabilities, then sends WFS GetPropertyValue requests with attacker-controlled `valueReference` values. It uses a blind timing payload `java.lang.Thread.sleep(8000)` to detect code execution from client-side response delay, and a command-execution payload `exec(java.lang.Runtime.getRuntime(),'touch /tmp/<marker>')` to create a file inside the target container. The shell PoC demonstrates the same technique with GET and POST/XML requests and documents that POST may help bypass defenses inspecting only query strings. `payloads.md` also documents alternate vectors through WFS GetFeature and WMS GetMap using `CQL_FILTER`. Observed behavior in included logs confirms real exploitation on the vulnerable instance: the blind probe delays the response by ~8 seconds and the file `/tmp/cve3641_1780498920` is created only on the vulnerable container. On the patched instance, the same payloads are rejected with `No such attribute` errors and no file is created. Overall, this is a legitimate operational PoC/verifier for unauthenticated web/network RCE against vulnerable GeoServer deployments.
This repository is a minimal PoC exploit repo containing a trivial README and one standalone Python script, exploit_CVE-2024-36401.py. The script targets CVE-2024-36401, an unauthenticated GeoServer OGC/WFS XPath injection leading to remote code execution via exec(java.lang.Runtime.getRuntime(), ... ) embedded in a crafted GetPropertyValue XML request. Repository structure is simple: the README only names the PoC, while the Python file contains all exploit logic, CLI handling, target validation, feature-type discovery, payload construction, and delivery. The script uses the requests library and disables TLS verification warnings. It first fingerprints GeoServer by requesting /geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage and parsing the version string, with fallback detection via /geoserver/web/. It then optionally checks whether the version falls into the vulnerable ranges, though the code always proceeds with exploitation even if the version appears patched or unknown. For exploitation, it probes /geoserver/ows using WFS DescribeFeatureType requests against a hardcoded list of common feature types to find one that exists. Once a usable feature type is found (or manually supplied), it sends a malicious XML POST to /geoserver/wfs. The XML places an exec(java.lang.Runtime.getRuntime(),'<command>') expression inside the wfs:valueReference element. Success is inferred heuristically from HTTP 400 responses containing NoApplicableCode, HTTP 200 responses, or read timeouts. The exploit supports two main capabilities: blind single-command execution and reverse shell delivery. The reverse shell path is more developed: it base64-encodes a bash /dev/tcp reverse shell, then uses a two-stage approach to avoid quoting/metacharacter issues: first writing the decoded shell to /tmp/rs.sh via tee, then executing bash /tmp/rs.sh. This makes the exploit operational rather than a pure detection script.
Notable implementation issue: in the single-command branch, build_revshell_payload is called with only one argument when shell metacharacters are present, which appears to be a bug and may break that path for certain commands. Despite that flaw, the reverse shell workflow is complete and clearly intended as the primary exploitation path.
This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.
This repository contains a single Python exploit script (ex.py) and a LICENSE file. The script targets GeoServer instances vulnerable to CVE-2024-36401, a remote code execution vulnerability. The exploit works by sending a specially crafted XML payload to the /geoserver/wfs endpoint, attempting to execute arbitrary system commands via Java's Runtime.getRuntime(). The script supports both single-target and multi-target (file-based) modes, and can be used to check for vulnerability (using a DNS-based OOB check) or to execute arbitrary commands. The code uses multithreading for batch exploitation. The main fingerprintable endpoints are the /geoserver/wfs HTTP path and the DNS domain vaw728.dnslog.cn (used for OOB detection). The exploit is operational, providing real command execution if the target is vulnerable.
This repository contains a Python exploit (exp.py) and a README for CVE-2024-36401, a remote command execution vulnerability in GeoServer's WFS (Web Feature Service) endpoint. The exploit allows an attacker to send a specially crafted XML payload to the /geoserver/wfs endpoint, injecting a command via the valueReference element. The tool supports two modes: 'cmd' for executing arbitrary commands and 'reverse' for establishing a reverse shell to an attacker's server. The reverse shell payload is base64-encoded and executed via bash. The README provides detailed usage instructions, including how to test outbound connectivity and set up a listener for reverse shells. The repository is structured simply, with exp.py as the main exploit script and README.md providing context and instructions. The exploit is operational and can be used for both command execution and interactive shell access on vulnerable GeoServer instances.
This repository provides a Proof of Concept (PoC) exploit for CVE-2024-36401, a remote code execution vulnerability in GeoServer. The exploit is implemented in two Python scripts (poc_CN.py and poc_EN.py) with Chinese and English comments/documentation, respectively. The scripts automate the process of discovering valid 'Typename' values from the GeoServer MapPreviewPage, then use these values to craft and send malicious WFS XML payloads to the /geoserver/wfs endpoint. The payload leverages the vulnerability to execute arbitrary system commands on the target server. The exploit supports both direct command execution and blind command execution via DNSLog. Batch testing of multiple targets is supported via a file input. The repository includes detailed usage instructions and is intended for security research and authorized testing only. No hardcoded endpoints are present; all targets are user-supplied. The code is mature as a PoC, with clear output and error handling, but does not include weaponized features such as automated payload customization or post-exploitation modules.
This repository is a graphical exploitation tool for CVE-2024-36401, a critical vulnerability in GeoServer (affecting versions <2.23.6, 2.24.0-2.24.3, and 2.25.0-2.25.1). The tool is implemented in Java with a Swing GUI and provides three main exploit capabilities: (1) DNS-based detection of the target's JDK version, (2) arbitrary command execution with Jetty echo, and (3) in-memory webshell (memory shell) injection for persistent access. The exploit works by sending crafted XML payloads to the /geoserver/wfs endpoint, leveraging the vulnerability to execute code or implant a shell. The tool supports both JDK8 and JDK17 targets, with custom payload generation and class injection logic. The repository is structured as a Maven project, with the main entry point at Main.java, and includes utility classes for payload generation, attack logic, and dynamic Java compilation. The README provides usage instructions, affected versions, and legal disclaimers. No hardcoded IPs or domains are present, but the tool requires the attacker to supply a DNS log domain for detection and a valid GeoServer layer (typeName) for exploitation.
This repository contains a Python exploit script (CVE-2024-36401.py) and a README for CVE-2024-36401, a remote code execution (RCE) vulnerability in GeoServer. The exploit works by sending a specially crafted XML payload to the /geoserver/wfs endpoint, leveraging the 'valueReference' attribute to trigger command execution via java.lang.Runtime.getRuntime(). The script supports single URL and batch URL testing, as well as arbitrary command execution. The vulnerability check uses a DNS-based out-of-band technique (pinging vaw728.dnslog.cn) to confirm code execution. The exploit is blind (no output is returned), but successful exploitation can be inferred from DNS logs or the server's response. The repository is straightforward, with one main Python script and a README describing usage. No framework is used, and the exploit is operational, requiring the attacker to specify the target URL and (optionally) a command to execute.
This repository contains a Python proof-of-concept exploit for CVE-2024-36401, a remote code execution vulnerability in GeoServer versions prior to 2.25.1, 2.24.3, and 2.23.5. The exploit consists of two files: a detailed README.md explaining the vulnerability, usage, and mitigation, and the main exploit script 'cve-2024-36401.py'. The exploit works by setting up a listener on the attacker's machine and sending a specially crafted POST request to the '/geoserver/wfs' endpoint of the target GeoServer instance. The payload leverages the vulnerability to execute a reverse shell command ('nc -e /bin/sh ...') on the target, connecting back to the attacker's specified IP and port. The script provides an interactive shell if the exploit is successful. The exploit assumes the target is a Linux system with 'nc' (netcat) installed. The code is operational and provides a working reverse shell if the target is vulnerable and properly configured. The repository is well-documented, with clear instructions and safety disclaimers. No hardcoded IPs or domains are present; all endpoints are user-supplied at runtime.
This repository provides a graphical Java-based exploit tool for GeoServer CVE-2024-36401, enabling remote code execution (RCE) via crafted WFS (Web Feature Service) XML payloads. The tool is designed for use with JDK8 and leverages JavaFX for its GUI, as seen in the Main.java and fds.fxml files. The README.md contains detailed instructions and example payloads for exploiting the vulnerability, including command execution (e.g., ping, reverse shell) and memory webshell (memory horse) injection. The exploit works by sending specially crafted POST requests to the /geoserver/wfs endpoint, abusing the <wfs:valueReference> element to execute arbitrary Java code on the server. The tool supports both detection (by analyzing error messages and exceptions) and exploitation (including reverse shell and webshell injection). The repository structure includes Java source files, FXML GUI definitions, and build artifacts. The exploit is operational, providing a working GUI for both detection and exploitation, and supports custom payloads and memory webshell injection for advanced post-exploitation.
This repository contains a Python exploit (exploit.py) targeting CVE-2024-36401, a remote code execution vulnerability in GeoServer versions prior to 2.23.2, 2.23.6, 2.24.0-2.24.3, and 2.25.0. The exploit allows unauthenticated attackers to execute arbitrary commands as root by sending a crafted POST request with a malicious XPath expression. The main script supports both single-target exploitation (delivering a reverse shell to the attacker's machine) and mass scanning of URLs to identify vulnerable GeoServer instances. The payload is a base64-encoded Perl reverse shell, executed via bash on the target. The script includes version detection, feature type enumeration, and multi-threaded scanning. The only code file is exploit.py, with requirements.txt listing dependencies and README.md providing detailed usage instructions. The attack vector is network-based, exploiting HTTP endpoints exposed by GeoServer. No hardcoded IPs or domains are present; all endpoints are constructed based on user-supplied target URLs.
This repository contains a proof-of-concept exploit for CVE-2024-36401, targeting vulnerable versions of GeoServer prior to 2.23.6, 2.24.4, and 2.25.2. The exploit is implemented in a single Python script (geopwn.py) and is accompanied by a README.md with usage instructions. The exploit works by generating a Meterpreter reverse shell payload using msfvenom, hosting it on an attacker-controlled HTTP server, and then sending a series of crafted HTTP requests to the target GeoServer instance on port 8080. These requests instruct the server to download, set executable permissions, and execute the payload, resulting in a reverse shell connection to the attacker's listener. The exploit requires the attacker to specify the target domain/IP, the URL where the payload is hosted, and the listener's host and port. The main attack vector is network-based, exploiting the GeoServer WFS endpoint. The repository is operational and provides a working exploit with a real payload, but is not part of a larger framework.
This repository, GeoExplorer, is a mass exploitation and verification toolkit for CVE-2024-36401 affecting GeoServer. It consists of two main components:
1. Client (client/main.py): A Python script that automates the exploitation of GeoServer instances by sending specially crafted WFS XML requests to the /geoserver/wfs endpoint. The exploit attempts to trigger remote code execution by instructing the target to perform an outbound HTTP request (wget on Linux, hh.exe on Windows) to a user-specified catcher server. The client supports multi-threaded scanning and can process single URLs or lists of targets.
2. Server (server/main.py): An asynchronous FastAPI application that acts as a catcher for incoming requests from exploited targets. It logs the source IP and additional info to a SQLite database, providing endpoints to view logs and confirm exploitation. The server can be run via Docker or directly with Uvicorn, and exposes /log and /logged_ips endpoints.
The repository is structured with clear separation between client and server, includes Docker support for the server, and provides documentation for setup and usage. The exploit is a proof-of-concept (POC) and does not include weaponized payloads beyond OOB verification. The main attack vector is network-based, targeting exposed GeoServer WFS endpoints.
This repository provides an operational exploit for CVE-2024-36401, an unauthenticated remote code execution vulnerability in GeoServer (tested against version 2.23.2). The main exploit logic is implemented in 'exploit.py', a Python script that supports both single-target and mass exploitation modes. The script uses asynchronous HTTP requests to interact with the target GeoServer instance(s) and leverages an external SSRF service (api.cvssadvisor.com) to facilitate and verify exploitation. The exploit can be run with various options, including proxy support, output file specification, and multi-threading for lists of targets. The repository includes a docker-compose file to quickly set up a vulnerable GeoServer instance for testing. The exploit is not part of a larger framework and is self-contained. It is capable of both detecting the vulnerability and achieving remote code execution if the target is vulnerable. The codebase is primarily Python, with supporting files for environment setup and documentation.
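The write-ups above share one observable: a JXPath function call (java.lang.Thread.sleep or exec(java.lang.Runtime...)) sitting where a feature attribute name belongs, in valueReference or CQL_FILTER, sent either in the query string or in a POST XML body. The following detector is an added defender-side example, not code from this page or from any of the repositories summarized here; it scans request records for that shape and checks POST bodies as well, since the first write-up notes that POST slips past filters that only inspect the URL. The JSON-lines record format, the sample records and the inclusion of propertyName in the watched parameters are assumptions.

```python
import json
import re
from html import unescape
from urllib.parse import parse_qs, urlsplit

# Request parameters GeoServer/GeoTools evaluates as XPath: valueReference and CQL_FILTER
# come from the write-ups above; propertyName is an assumed addition (extend as needed).
XPATH_PARAMS = {"valuereference", "propertyname", "cql_filter"}
# The same values carried as elements inside a POST XML body.
XML_ELEMENT = re.compile(r"<(?:\w+:)?(valueReference|PropertyName)\b[^>]*>(.*?)</(?:\w+:)?\1>", re.I | re.S)
# JXPath extension-function syntax (a Java package path or exec() followed by a call);
# a genuine feature attribute name never looks like this.
JXPATH_CALL = re.compile(r"\bjava\.[\w.]+\s*\(|\bexec\s*\(", re.I)

def xpath_inputs(method, url, body=""):
    """Yield (where, name, value) for every request value GeoServer may hand to JXPath.
    Query strings are checked for every method; POST XML bodies are checked too, since
    a filter that only inspects the URL misses the payload there."""
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        if name.lower() in XPATH_PARAMS:
            for value in values:
                yield "query", name, value
    if method.upper() == "POST" and body.lstrip().startswith("<"):
        for name, text in XML_ELEMENT.findall(body):
            yield "xml", name, unescape(text).strip()

def scan_request(method, url, body=""):
    """Return suspicious values in one request; an empty list means it looks clean."""
    findings = []
    for where, name, value in xpath_inputs(method, url, body):
        match = JXPATH_CALL.search(value)
        if match:
            findings.append({"where": where, "param": name,
                             "call": match.group(0).rstrip("( "), "value": value})
    return findings

def scan_log(lines):
    """Scan JSON-lines proxy records (constructed format: client, method, url, body)
    and return (client, path, findings) for each request carrying a JXPath call."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        findings = scan_request(rec["method"], rec["url"], rec.get("body", ""))
        if findings:
            hits.append((rec["client"], urlsplit(rec["url"]).path, findings))
    return hits

# Constructed sample log: a benign GetPropertyValue, the blind timing probe (URL-encoded),
# the command-execution payload in a POST XML body, and a benign CQL filter on a GetMap.
SAMPLE_LOG = [
    r'{"client": "10.0.0.5", "method": "GET", "url": "/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=STATE_NAME"}',
    r'{"client": "198.51.100.7", "method": "GET", "url": "/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=java.lang.Thread.sleep%288000%29"}',
    r'{"client": "198.51.100.7", "method": "POST", "url": "/geoserver/wfs", "body": "<wfs:GetPropertyValue service=\"WFS\" version=\"2.0.0\"><wfs:valueReference>exec(java.lang.Runtime.getRuntime(),&apos;touch /tmp/marker&apos;)</wfs:valueReference><wfs:Query typeNames=\"topp:states\"/></wfs:GetPropertyValue>"}',
    r'{"client": "10.0.0.9", "method": "GET", "url": "/geoserver/wms?service=WMS&request=GetMap&layers=topp:states&CQL_FILTER=STATE_NAME%3D%27Texas%27"}',
]

if __name__ == "__main__":
    for client, path, findings in scan_log(SAMPLE_LOG):
        print(client, path, [f["param"] + " -> " + f["call"] for f in findings])
```

Fed from a reverse proxy or WAF that logs request bodies, the same scan_request call can run on live traffic to block a request rather than only flag it afterwards.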
Recent activity
A critical GeoServer vulnerability being exploited in campaigns (details not provided in the snippet).
A vulnerability in GeoServer (CVE-2024-36401) is being exploited to distribute cryptocurrency miners and other malware.
A remote code execution vulnerability in GeoServer (CVE-2024-36401) that allows unauthorized attackers to execute arbitrary code, leading to malware installation including cryptominers and other payloads.
A critical vulnerability in OSGeo GeoServer that has been exploited by multiple threat actors over the past year.