Share
## https://sploitus.com/exploit?id=E802680A-5034-5B55-AF57-FDCB66E4CAB6
# BIRT File Upload RCE โ€“ C2 over HTTPS

This repository provides a proof-of-concept exploit for Remote Code Execution (RCE) in Eclipse BIRT via malicious `.rptdesign` upload. The payload establishes a polling C2 channel using `curl` over HTTPS, bypassing egress filters.

## Files

- `server.py` โ€“ C2 server (attacker side)  
- `agent.rptdesign` โ€“ BIRT polling agent to upload

## Attack Flow

1. Attacker uploads `agent.rptdesign` to the target BIRT application.
2. The report runs a background thread that:
   - Polls `GET /` for commands
   - Executes commands via `/bin/bash -c`
   - Sends output via `POST /` with parameter `output=...`
3. Attacker interacts through the server console, typing commands and seeing output.

## Setup & Usage

### 1. Start the C2 server

```bash
python3 server.py
```

Expose it to the internet (e.g., `ngrok http 8000`). Copy the HTTPS URL.

### 2. Configure the agent

Edit `agent.rptdesign` and set `C2_URL` to your HTTPS URL.

### 3. Upload and trigger

Upload `agent.rptdesign` via the target's file upload. Trigger the report (e.g., via the BIRT viewer).

### 4. Interact

The server console shows a prompt. Type any system command; output returns after the polling interval (default 3 seconds).

## Mitigation

- Do not accept untrusted `.rptdesign` uploads.
- Enforce a strict `ClassShutter` to block `Runtime.exec`.
- Run BIRT in a sandboxed JVM with a `SecurityManager`.
- Monitor for outbound `curl` processes spawned by BIRT.

## Legal

Use only for authorized penetration testing. Unauthorized access is illegal.