Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Add Xplico Remote Code Execution Module #9206
This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal command under the context of the root user.
Vulnerable Application Installation Steps
Follow instruction from "from sourceforge" section at following URL. Don't forget install version 1.2.0 instead of 1.0.0. At the time of this writing, installation commands contains command for version 1.0.0
You may also give a try to virtualbox image provided by maintainer of Xplico.
A successful check of the exploit will look like this:
Technical Details and Demo
Jan 3, 2018
This PR adds an exploit module for Xplio (CVE-2017-16666). It leverages three vulnerabilities to get unauthenticated remote code execution: An exposed user registration page, a weak randomization algorithm to generate the activation code, and a command injection in parsing an uploaded pcap. @mmetince covers the vulnerability via blog post: https://pentest.blog/advisory-xplico-unauthenticated-remote-code-execution-cve-2017-16666
Tested with reverse_awk and reverse_netcat: