This module exploits the "Apps" feature in Axis IP cameras. The feature allows third party developers to upload and execute 'eap' applications on the device. The system does not validate the application comes from a trusted source, so a malicious attacker can upload and execute arbitrary code. The issue has no CVE, although the technique was made public in 2018. This module uploads and executes stageless meterpreter as `root`. Uploading the application requires valid credentials. The default administrator credentials used to be `root:root` but newer firmware versions force users to provide a new password for the `root` user. The module was tested on an Axis M3044-V using the latest firmware (184.108.40.206: December 2021). Although all modules that support the "Apps" feature are presumed to be vulnerable.
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security