
move config_changes on plex module #13914

Merged (1 commit, Jul 27, 2020)

Conversation

@h00die (Contributor) commented Jul 27, 2020

This moves CONFIG_CHANGES to the side effects meta block from the (incorrect) reliability block as discussed with @smcintyre-r7

@h00die h00die added the easy label Jul 27, 2020
@smcintyre-r7 smcintyre-r7 self-assigned this Jul 27, 2020
@smcintyre-r7 (Contributor) commented:

config-changes now properly shows up as a side effect:

msf5 exploit(windows/http/plex_unpickle_dict_rce) > info

       Name: Plex Unpickle Dict Windows RCE
     Module: exploit/windows/http/plex_unpickle_dict_rce
   Platform: Python
       Arch: python
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2020-05-07

Provided by:
  h00die
  Chris Lyne

Module side effects:
 ioc-in-logs
 artifacts-on-disk
 config-changes

Module stability:
 crash-service-restarts

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Automatic Target

Check supported:
  Yes

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  ALBUM_NAME                     yes       Name of Album
  LIBRARY_PATH  C:\Users\Public  yes       Path to write picture library to
  PLEX_TOKEN                     yes       Admin Authenticated X-Plex-Token
  Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
  REBOOT_SLEEP  15               yes       Time to wait for Plex to restart
  RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT         32400            yes       The target port (TCP)
  SSL           false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                          no        HTTP server virtual host

Payload information:

Description:
  This module exploits an authenticated Python unsafe pickle.load of a 
  Dict file. An authenticated attacker can create a photo library and 
  add arbitrary files to it. After setting the Windows only Plex 
  variable LocalAppDataPath to the newly created photo library, a file 
  named Dict will be unpickled, which causes an RCE as the user who 
  started Plex. Plex_Token is required, to get it you need to log-in 
  through a web browser, then check the requests to grab the 
  X-Plex-Token header. See info -d for additional details. If an 
  exploit fails, or is cancelled, Dict is left on disk, a new 
  ALBUM_NAME will be required as subsequent writes will make Dict-1, 
  and not execute.

References:
  https://github.com/tenable/poc/blob/master/plex/plex_media_server/auth_dict_unpickle_rce_exploit_tra_2020_32.py
  https://www.tenable.com/security/research/tra-2020-32
  http://support.plex.tv/articles/201105343-advanced-hidden-server-settings/
  https://forums.plex.tv/t/security-regarding-cve-2020-5741/586819
  https://cvedetails.com/cve/CVE-2020-5741/

msf5 exploit(windows/http/plex_unpickle_dict_rce) > 

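The point of the PR is that a module's Notes metadata is read by operators (via `info`) to judge what a module does to a target, so a constant filed under the wrong key silently hides that information: CONFIG_CHANGES under Reliability never appears in the "Module side effects" list. The script below is an added example, not code from the Metasploit project or from the plex module: a small lint that walks a Notes hash and reports values that sit under a key they do not belong to. The constant values mirror the strings printed by `info` above; the category mapping is an assumption reconstructed from those categories (the framework's full lists are longer), and the "before" Notes hash is constructed from the PR description since the original hash is not on this page.

```ruby
# Added example, not Metasploit code: lint Notes metadata for constants
# filed under the wrong key (CONFIG_CHANGES under Reliability instead of
# SideEffects is the case this PR fixes).

# SideEffects: traces the module leaves on the target. Values mirror the
# strings `info` prints; defined here so the script runs without Metasploit.
IOC_IN_LOGS       = 'ioc-in-logs'
ARTIFACTS_ON_DISK = 'artifacts-on-disk'
CONFIG_CHANGES    = 'config-changes'

# Stability: what the module may do to the target service or OS.
CRASH_SAFE             = 'crash-safe'
CRASH_SERVICE_RESTARTS = 'crash-service-restarts'
CRASH_SERVICE_DOWN     = 'crash-service-down'

# Reliability: whether a run can be expected to yield a session.
FIRST_ATTEMPT_FAIL = 'first-attempt-fail'
REPEATABLE_SESSION = 'repeatable-session'
UNRELIABLE_SESSION = 'unreliable-session'

# Assumed mapping of constants to Notes keys, built from the three
# categories shown in `info` output (the framework's real lists are longer).
NOTE_CATEGORIES = {
  'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES],
  'Stability'   => [CRASH_SAFE, CRASH_SERVICE_RESTARTS, CRASH_SERVICE_DOWN],
  'Reliability' => [FIRST_ATTEMPT_FAIL, REPEATABLE_SESSION, UNRELIABLE_SESSION]
}.freeze

# Return one finding per value listed under a key it does not belong to.
# Keys other than the three rated categories (e.g. 'AKA') are ignored.
# belongs_in is nil when the value is not a known constant at all.
def misplaced_notes(notes)
  findings = []
  notes.each do |key, values|
    next unless NOTE_CATEGORIES.key?(key)
    Array(values).each do |value|
      next if NOTE_CATEGORIES[key].include?(value)
      owner = NOTE_CATEGORIES.find { |_, list| list.include?(value) }
      findings << {
        value: value,
        found_in: key,
        belongs_in: owner ? owner.first : nil
      }
    end
  end
  findings
end

# Constructed Notes for the plex module before this PR (from the PR
# description; the pre-PR source is not on this page): CONFIG_CHANGES
# sits in the Reliability bucket, so `info` would not list it as a side effect.
NOTES_BEFORE = {
  'Stability'   => [CRASH_SERVICE_RESTARTS],
  'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
  'Reliability' => [REPEATABLE_SESSION, CONFIG_CHANGES]
}.freeze

# Constructed Notes after the PR, matching the `info` output above.
NOTES_AFTER = {
  'Stability'   => [CRASH_SERVICE_RESTARTS],
  'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES],
  'Reliability' => [REPEATABLE_SESSION]
}.freeze

if __FILE__ == $PROGRAM_NAME
  misplaced_notes(NOTES_BEFORE).each do |f|
    where = f[:belongs_in] ? "belongs under #{f[:belongs_in]}" : 'unknown constant'
    puts "#{f[:value]} listed under #{f[:found_in]}: #{where}"
  end
  puts 'after: no misplaced notes' if misplaced_notes(NOTES_AFTER).empty?
end
```

Running it prints one finding for the "before" hash (config-changes under Reliability, belongs under SideEffects) and none for the "after" hash. A value that matches no known constant is reported with a nil `belongs_in`, which is the case a typo in a module would produce.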
@smcintyre-r7 smcintyre-r7 merged commit 189db5e into rapid7:master Jul 27, 2020
@smcintyre-r7 smcintyre-r7 added the rn-no-release-notes no release notes label Jul 27, 2020
@h00die h00die deleted the configchanges branch July 28, 2020 19:03