Unauthenticated RCE in Ivanti Endpoint Manager Mobile (EPMM)
CVE-2026-1340 is a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows unauthenticated remote code execution over the network. The flaw affects on-premises EPMM deployments and is associated with the In-House Application Distribution and Android File Transfer Configuration features. Public reporting and vendor guidance indicate exploitation can be triggered via requests to MIFS-related paths, including /mifs/c/aft/... or /mifs/c/appstore/... endpoints. Successful exploitation permits arbitrary command or code execution on the EPMM appliance without prior authentication. Ivanti disclosed the issue on 2026-01-29, stated that a very limited number of customers had already been exploited as a zero-day, and later guidance indicated active exploitation in the wild, with some reporting citing exploitation dating back to summer 2025.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository purpose: a Dockerized dummy target that reproduces the Ivanti EPMM pre-auth RCE class (CVE-2026-1281 / CVE-2026-1340) in a simplified, educational setup.

How the exploit works (core bug):
- `scripts/map-appstore-url` is a Bash CGI script that URL-decodes `REQUEST_URI`, extracts the `sha256:<params>` segment, and splits it into comma-separated key=value pairs.
- During parsing, it sets `gStartTime` from the `st=` parameter and later sets `theValue` from the last processed parameter (notably `h=`). The loop variable `theValue` persists after the loop.
- If the attacker sets `st=theValue␠␠` (the literal string plus padding to reach length 10) and sets `h=gPath[`<cmd>`]`, the script later evaluates `[[ ${currentTime} -gt ${gStartTime} ]]`.
- In Bash, the `-gt` comparison triggers arithmetic evaluation; the string `theValue` is treated as a variable reference, expanding to the attacker-controlled `theValue` content (`gPath[`cmd`]`). The array index contains backticks, causing command substitution and thus remote command execution.

Exploit capabilities demonstrated:
- Arbitrary command execution as the CGI process user (in the container, examples show root-like output in artifacts).
- File write/creation under `/mi` (mounted to `./artifacts`) to prove execution.
- Time-based execution (`sleep N`) to confirm RCE without relying on output.

Repository structure:
- `Dockerfile`: builds a Debian-based container with nginx + fcgiwrap, installs the vulnerable CGI script, and prints example vulnerable URLs on startup.
- `nginx.conf`: exposes `/health` and routes `/mifs/c/appstore/fob/3/<int>/sha256:<...>/<name>.ipa` to the CGI script via fcgiwrap.
- `scripts/map-appstore-url`: the vulnerable Bash CGI implementation and logging.
- `docker-compose.yml`: runs the container on host port 8180 and mounts `./artifacts` to `/mi` for observing exploit artifacts.
- `test-exploit.sh`: automated local test suite that hits `/health` and sends exploit requests to create/write files and perform a time-based check.
- `README.md`: explains the vulnerability chain and provides example curl payloads.

Notable observables/fingerprintable targets:
- HTTP endpoints: `/health` and the regex-matched `/mifs/c/appstore/fob/3/.../.ipa` path.
- Local artifact paths: `/mi/*` in-container and `./artifacts/*` on host.
- Potential documentation inconsistency: the README includes an example using `localhost:81080` while compose maps `8180:80`.
Repository purpose: an operational PoC toolkit for unauthenticated RCE against Ivanti EPMM via CVE-2026-1281 and CVE-2026-1340. The exploit abuses a crafted URL path under /mifs/c/(appstore|aftstore)/fob/ where parameters include st=theValue␠␠ and h=gPath[`<command>`], leveraging Bash arithmetic/command substitution behavior (as described) to execute arbitrary commands pre-auth.

Structure and key files:
- exploit.py (Python): primary exploit client. Implements (1) endpoint reachability checks for /mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/ (treating 400/403/404 as indicative of presence), (2) payload construction embedding gPath[`cmd`] into the h parameter with a fixed kid=1 and et=1337133713, and (3) exploitation via GET requests to /mifs/c/*store*/fob/3/5/sha256:<params>/<fake_guid>. CLI supports: --check, --test-rce (sleep-based), -x/--execute arbitrary command, --webshell (JSP dropper), and --reverse-shell IP:PORT.
- validate.py (Python): automated validation framework that repeatedly builds exploit URLs and runs multiple tests (endpoint accessibility, time-based sleep injection, file-write marker, etc.), logging results and exporting a JSON report.
- PAYLOADS.md / REDTEAM_GUIDE.md (Markdown): extensive operator playbook and payload catalog (reverse shells, webshells, persistence, exfiltration, recon/pivoting). These documents include many example commands and internal/external endpoints used for callbacks and testing.
- detect_compromise.sh (Bash): blue-team/IR IOC scanner for EPMM hosts. Scans /var/log/httpd/https-access_log for exploit markers (gPath[, theValue, vulnerable paths, and common command tokens), searches /mi and /mi/tomcat for recently modified JSPs and webshell patterns, checks for patch indicators (RPM ivanti-security-update-1761642 and presence of specific .class files), and packages evidence into a tar.gz.

Exploit capabilities (as implemented/documented):
- Pre-auth network RCE via crafted HTTP GET request path.
- RCE confirmation via time delay (sleep).
- Arbitrary command execution; optional webshell deployment and reverse-shell callback (operator-supplied LHOST:LPORT).
- Post-exploitation guidance includes persistence (SSH keys, cron, systemd), credential harvesting, and data exfiltration (DNS/HTTP), though many of these are documented payloads rather than hardcoded in the exploit core.

Notable observables for defenders:
- Requests to /mifs/c/(aft|app)store/fob/ with parameters containing st=theValue␠␠ and h=gPath[`...`], often resulting in 404 responses.
- Potential dropped artifacts under /mi/tomcat/webapps/ROOT/*.jsp, modified error JSPs (401.jsp/403.jsp/404.jsp/500.jsp), and marker files under /tmp.
- Outbound callbacks to operator-controlled IP:PORT (examples use 10.10.14.5:4444) and possible DNS queries to attacker.com for exfiltration.
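The request-path observables above (the /mifs/c/(aft|app)store/fob/ endpoint, the st=theValue marker, and the gPath[`...`] index with backticks) are what detect_compromise.sh greps for in /var/log/httpd/https-access_log. The scanner below is an added example written for this page, not code from either repository: it parses combined-format access-log lines (an assumed format), URL-decodes each request path until it is stable so that percent- or double-encoded payloads do not slip past the literal markers, and reports only lines that carry a payload marker rather than every hit on the app-store endpoint, which is normal traffic on its own. The log lines are constructed samples, and `sleep 5` / `id` stand in for whatever an attacker would place in the backticks.

```python
"""Scan web-server access-log lines for the CVE-2026-1340 request markers."""
import re
from urllib.parse import unquote

# Apache/nginx combined-format request line (assumed format for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The MIFS paths the advisory and both repositories name.
VULN_ENDPOINT = re.compile(r"/mifs/c/(?:aft|app)store/fob/")

# Payload markers taken from the repositories' description of the request.
PAYLOAD_MARKERS = {
    "st_theValue": re.compile(r"st=theValue"),
    "gPath_index": re.compile(r"gPath\["),
    "backtick_subst": re.compile(r"`"),
}


def fully_decode(path: str, rounds: int = 3) -> str:
    """URL-decode until stable so %25-style double encoding cannot hide a marker."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_path(path: str) -> list[str]:
    """Return the indicator names present in one request path."""
    decoded = fully_decode(path)
    hits = ["vuln_endpoint"] if VULN_ENDPOINT.search(decoded) else []
    hits += [name for name, rx in PAYLOAD_MARKERS.items() if rx.search(decoded)]
    return hits


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per line that carries at least one payload marker.

    The status code is deliberately not used as a filter: the repository notes
    that exploit requests often return 404, so a 404 on these paths is not benign.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = analyze_path(m["path"])
        # The endpoint alone is legitimate app-store traffic; require a payload marker.
        if any(h != "vuln_endpoint" for h in hits):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "indicators": hits,
                "decoded_path": fully_decode(m["path"]),
            })
    return findings


# Constructed sample lines, not real telemetry: two exploit-shaped requests
# (one percent-encoded, one double-encoded), one legitimate .ipa download, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2026:10:15:01 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60sleep%205%60%5D/00000000-0000-0000-0000-000000000000 HTTP/1.1" 404 1234 "-" "curl/8.4.0"
203.0.113.7 - - [30/Jan/2026:10:15:09 +0000] "GET /mifs/c/aftstore/fob/3/5/sha256:st=theValue%2520%2520,h=gPath%255B%2560id%2560%255D/guid HTTP/1.1" 404 1234 "-" "python-requests/2.31"
198.51.100.2 - - [30/Jan/2026:10:16:00 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:e3b0c44298fc1c149afbf4c8996fb924/app.ipa HTTP/1.1" 200 45231 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Jan/2026:10:17:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], ",".join(f["indicators"]))
        print("   ", f["decoded_path"])
```

Run against a real https-access_log by passing the file contents to `scan_access_log`; the decoded path in each finding is what to pivot on when checking /mi/tomcat for dropped JSPs and /tmp for marker files from the same source address.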
Recent activity
285 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-day authentication bypass vulnerability affecting Ivanti EPMM, with active exploitation confirmed in Proofpoint telemetry but not yet listed in CISA KEV at the time referenced.
A code-injection vulnerability in Ivanti EPMM that was exploited as a zero-day, later added to CISA's Known Exploited Vulnerabilities catalog.
An earlier critical Ivanti EPMM vulnerability that could enable unauthenticated remote code execution and was added to CISA's KEV catalog.
A critical Ivanti EPMM vulnerability that can lead to unauthenticated remote code execution and has been added to CISA's KEV catalog.