## https://sploitus.com/exploit?id=E802680A-5034-5B55-AF57-FDCB66E4CAB6
# BIRT File Upload RCE โ C2 over HTTPS
This repository provides a proof-of-concept exploit for Remote Code Execution (RCE) in Eclipse BIRT via malicious `.rptdesign` upload. The payload establishes a polling C2 channel using `curl` over HTTPS, bypassing egress filters.
## Files
- `server.py` โ C2 server (attacker side)
- `agent.rptdesign` โ BIRT polling agent to upload
## Attack Flow
1. Attacker uploads `agent.rptdesign` to the target BIRT application.
2. The report runs a background thread that:
- Polls `GET /` for commands
- Executes commands via `/bin/bash -c`
- Sends output via `POST /` with parameter `output=...`
3. Attacker interacts through the server console, typing commands and seeing output.
## Setup & Usage
### 1. Start the C2 server
```bash
python3 server.py
```
Expose it to the internet (e.g., `ngrok http 8000`). Copy the HTTPS URL.
### 2. Configure the agent
Edit `agent.rptdesign` and set `C2_URL` to your HTTPS URL.
### 3. Upload and trigger
Upload `agent.rptdesign` via the target's file upload. Trigger the report (e.g., via the BIRT viewer).
### 4. Interact
The server console shows a prompt. Type any system command; output returns after the polling interval (default 3 seconds).
## Mitigation
- Do not accept untrusted `.rptdesign` uploads.
- Enforce a strict `ClassShutter` to block `Runtime.exec`.
- Run BIRT in a sandboxed JVM with a `SecurityManager`.
- Monitor for outbound `curl` processes spawned by BIRT.
## Legal
Use only for authorized penetration testing. Unauthorized access is illegal.