## https://sploitus.com/exploit?id=D89C32C9-D479-5F40-AA80-787EA37E28FC
# CVE-2025-64155 Scanner
A Python scanner for detecting the command injection vulnerability (CVE-2025-64155) in Phoenix Monitor service.
## Description
CVE-2025-64155 is a command injection vulnerability in Phoenix Monitor service that allows remote code execution through the `cluster_url` parameter in the `handleStorageRequest` command (command ID: 1075724911).
The vulnerability occurs when user-controlled input in the `cluster_url` field is passed to a shell command without proper sanitization, allowing command injection via shell metacharacters.
This scanner is based on the exploit research by [Horizon3AI](https://github.com/horizon3ai/CVE-2025-64155).
## Features
- **Time-based detection**: Uses safe, non-destructive time-based detection method
- **SSL/TLS support**: Handles SSL connections with certificate validation bypass
- **Verbose mode**: Detailed output for debugging
- **Service check**: Option to check if service is accessible without testing vulnerability
## Requirements
- Python 3.6+
- Standard library only (no external dependencies)
## Usage
### Basic Scan
```bash
python3 scanner.py -t
```
### Advanced Options
```bash
# Specify custom port
python3 scanner.py -t 192.168.1.100 -p 7900
# Enable verbose output
python3 scanner.py -t 192.168.1.100 -v
# Set custom timeout
python3 scanner.py -t 192.168.1.100 --timeout 15
# Check if service is accessible (no vulnerability test)
python3 scanner.py -t 192.168.1.100 --check-only
```
### Command Line Arguments
- `-t, --target`: Target IP address or hostname (required)
- `-p, --port`: Phoenix Monitor service port (default: 7900)
- `--timeout`: Connection timeout in seconds (default: 10)
- `-v, --verbose`: Enable verbose output
- `--check-only`: Only check if service is accessible
## How It Works
The scanner uses a **time-based detection** method:
1. Connects to the Phoenix Monitor service over SSL/TLS
2. Sends a `handleStorageRequest` command with a malicious payload containing `sleep 3` in the `cluster_url` field
3. Measures the response time
4. If the response is delayed by ~3 seconds, the target is likely vulnerable (command was executed)
This method is safe and non-destructive - it doesn't execute harmful commands, only a harmless `sleep` command for detection purposes.
## Example Output
### Vulnerable Target
```
[*] CVE-2025-64155 Scanner
[*] Target: 192.168.1.100:7900
[*] Scanning 192.168.1.100:7900 for CVE-2025-64155...
[*] Connecting to 192.168.1.100:7900...
[*] Connected successfully
[*] Sending test payload...
[*] Received response (1024 bytes) in 3.12 seconds
============================================================
[+] VULNERABLE: Target appears to be vulnerable to CVE-2025-64155
[+] Details: Time-based detection: Response delayed by 3.12s (likely command injection)
```
### Non-Vulnerable Target
```
[*] CVE-2025-64155 Scanner
[*] Target: 192.168.1.100:7900
[*] Scanning 192.168.1.100:7900 for CVE-2025-64155...
[*] Connecting to 192.168.1.100:7900...
[*] Connected successfully
[*] Sending test payload...
[*] Received response (1024 bytes) in 0.45 seconds
============================================================
[-] NOT VULNERABLE: Target does not appear to be vulnerable
[-] Details: Response received quickly (0.45s), likely not vulnerable
```
## Technical Details
### Message Format
The scanner sends a binary message with the following structure:
```
[4 bytes] Message length (156)
[4 bytes] Payload length
[4 bytes] Command ID (1075724911 = 0x4018006F = handleStorageRequest)
[4 bytes] Padding/Flags (0)
[Variable] XML payload
```
### Payload Structure
The XML payload contains a command injection in the `cluster_url` field:
```xml
http://10.0.0.1:9200 --next -o /dev/null sleep 3
...
```
## Disclaimer
This tool is for authorized security testing and research purposes only. Only use this tool on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.
## License
MIT License - see LICENSE file for details.