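Related vulnerability
Title:
Crestron AirMedia AM-100 directory traversal vulnerability
(CVE-2016-5640)
Description: Crestron AirMedia AM-100 is a smart home gateway product from the US company Crestron Electronics. A directory traversal vulnerability exists in the cgi-bin/rftest.cgi file of Crestron AirMedia AM-100 devices running firmware version 1.2.1 and earlier. A remote attacker can exploit this vulnerability to execute arbitrary commands via the directory traversal characters '..' in the 'ATE_COMMAND' parameter.
Description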
Crestron AirMedia AM-100 RCE (CVE-2016-5640) Metasploit Module
Introduction
# CVE-2016-5640
Crestron AirMedia AM-100 RCE (CVE-2016-5640) Metasploit Module
Module for exploiting a Remote Command Injection vulnerability in the wireless diagnostics page for Crestron AirMedia AM-100 devices with a firmware version <1.4.0.13. Commands execute as the account running the service (i.e. usually root). An older exploit I wrote a module for because I wanted experience writing checks and using the cmdstager.
All credit for the original exposure and writeup of the vulnerabilities should go to Cylance, I guess: https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md
File snapshot
[4.0K] /data/pocs/8df33964ee45d3bddfd47b3a58b42fc0b64ef0a8
├── [5.5K] crestron_exploit.rb
└── [ 615] README.md
0 directories, 2 files