Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-22204 PoC — exiftool 代码注入漏洞

Source
https://github.com/UNICORDev/exploit-CVE-2021-22204
Associated Vulnerability
Title:exiftool 代码注入漏洞 (CVE-2021-22204)
Description:Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
Description
Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Execution
Readme
# Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Execution

![GitHub CVE Cover](https://user-images.githubusercontent.com/23003787/172497711-958a0fb3-3937-41f7-be11-3c9fd767203d.png)

**Like this repo? Give us a ⭐!**

*For educational and authorized security research purposes only.*

## Exploit Author
[@UNICORDev](https://unicord.dev) by ([@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))

## Vulnerability Description
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.

## Exploit Description
Use this exploit to generate a JPEG image payload that can be used with a vulnerable ExifTool version for code execution. A custom command can be provided or a reverse shell can be generated. A JPEG image is automatically generated, and optionally, a custom JPEG image can be supplied to have the payload inserted.

## Usage
```bash
  python3 exploit-CVE-2021-22204.py -c <command>
  python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port>
  python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>]
  python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>]
  python3 exploit-CVE-2021-22204.py -h
```

## Options
```bash
  -c    Custom command mode. Provide command to execute.
  -s    Reverse shell mode. Provide local IP and port.
  -i    Path to custom JPEG image. (Optional)
  -h    Show this help menu.
```

## Download
[Download exploit-CVE-2021-22204.py from GitHub](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2021-22204/main/exploit-CVE-2021-22204.py)

[Download exploit-CVE-2021-22204.py from ExploitDB](https://www.exploit-db.com/exploits/50911)

### Searchsploit (ExploitDB)
```bash
searchsploit -u
searchsploit -m 50911
```

## Exploit Requirements
- python3
- djvulibre-bin
- exiftool

## Demo
![Demo Gif](https://user-images.githubusercontent.com/23003787/168875285-b939e4a6-ea10-4b0d-a11a-3a2c1adc0fd7.gif)

## Tested On
Exiftool Version 12.23

## Applies To
Exiftool Versions 7.44 - 12.23

## Vulnerable Environment
```bash
wget https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip
unzip exiftool-12.23.zip
cd exiftool-12.23
perl Makefile.PL
make test
sudo make install
exiftool -ver
```

## Test Generated Payload
```bash
exiftool image.jpg
```

## Credits
- https://hackerone.com/reports/1154542
- https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-22204
- https://app.hackthebox.com/machines/Overflow
- https://www.exploit-db.com/exploits/50911
File Snapshot

 [4.0K]  /data/pocs/a0bf776e32bd9f7353f4674c521b8bb8c8ff7a97
├── [ 481]  Dockerfile
├── [6.6K]  exploit-CVE-2021-22204.py
└── [2.7K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →