Share
## https://sploitus.com/exploit?id=D1EFC5A3-3F5B-5A00-9A45-80777934AC77
# Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Execution

![GitHub CVE Cover](https://user-images.githubusercontent.com/23003787/172497711-958a0fb3-3937-41f7-be11-3c9fd767203d.png)

**Like this repo? Give us a โญ!**

*For educational and authorized security research purposes only.*

## Exploit Author
[@UNICORDev](https://unicord.dev) by ([@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))

## Vulnerability Description
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.

## Exploit Description
Use this exploit to generate a JPEG image payload that can be used with a vulnerable ExifTool version for code execution. A custom command can be provided or a reverse shell can be generated. A JPEG image is automatically generated, and optionally, a custom JPEG image can be supplied to have the payload inserted.

## Usage
```bash
  python3 exploit-CVE-2021-22204.py -c <command>
  python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port>
  python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>]
  python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>]
  python3 exploit-CVE-2021-22204.py -h
```

## Options
```bash
  -c    Custom command mode. Provide command to execute.
  -s    Reverse shell mode. Provide local IP and port.
  -i    Path to custom JPEG image. (Optional)
  -h    Show this help menu.
```

## Download
[Download exploit-CVE-2021-22204.py from GitHub](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2021-22204/main/exploit-CVE-2021-22204.py)

[Download exploit-CVE-2021-22204.py from ExploitDB](https://www.exploit-db.com/exploits/50911)

### Searchsploit (ExploitDB)
```bash
searchsploit -u
searchsploit -m 50911
```

## Exploit Requirements
- python3
- djvulibre-bin
- exiftool

## Demo
![Demo Gif](https://user-images.githubusercontent.com/23003787/168875285-b939e4a6-ea10-4b0d-a11a-3a2c1adc0fd7.gif)

## Tested On
Exiftool Version 12.23

## Applies To
Exiftool Versions 7.44 - 12.23

## Vulnerable Environment
```bash
wget https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip
unzip exiftool-12.23.zip
cd exiftool-12.23
perl Makefile.PL
make test
sudo make install
exiftool -ver
```

## Test Generated Payload
```bash
exiftool image.jpg
```

## Credits
- https://hackerone.com/reports/1154542
- https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-22204
- https://app.hackthebox.com/machines/Overflow
- https://www.exploit-db.com/exploits/50911