CNEXT exploits

Exploits for CNEXT (CVE-2024-2961), a buffer overflow in the glibc's iconv(), by @cfreal_

Usage

$ git clone --recurse-submodules https://github.com/ambionics/cnext-exploits.git
$ pip install -r requirements.txt

Technical analysis

The vulnerability and exploits are described in the following blogposts:

• Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1): PHP filters
• Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 2): direct iconv() calls, Roundcube
• Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 3): PHP filters, blind

Exploits

• CNEXT: file read to RCE exploit
• Blind CNEXT: blind file read to RCE exploit
• Roundcube: authenticated RCE exploit
• CosmicSting + CNEXT: RCE on Magento <= 2.4.7