Emby Version Scanner

ID: MSF:AUXILIARY-SCANNER-HTTP-EMBY_VERSION_SSRF-
Type: metasploit
Author: Btnz
Published: 2021-04-28 17:37:39
Source: www.rapid7.com

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 9.5 High (Confidence: High)

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.145 Low (Percentile: 95.7%)

This module attempts to identify the version of an Emby Media Server running on a host. If you wish to see all the information available, set VERBOSE to true. Use in conjunction with emby_ssrf_scanner to locate devices vulnerable to CVE-2020-26948.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name' => 'Emby Version Scanner',
      'Description' => 'This module attempts to identify the version of an Emby Media Server running on a
                        host. If you wish to see all the information available, set VERBOSE to true. Use in
                        conjunction with emby_ssrf_scanner to locate devices vulnerable to CVE-2020-26948.',
      'Author' => 'Btnz',
      'License' => MSF_LICENSE,
      'Disclosure Date' => '2020-10-01',
      'Notes' => {
        'Stability' => [],
        'SideEffects' => [],
        'Reliability' => [],
        'RelatedModules' => ['auxiliary/scanner/http/emby_ssrf_scanner']
      },
      'References' => [
        ['CVE', '2020-26948'],
        ['URL', 'https://github.com/btnz-k/emby_ssrf']
      ]
    )

    register_options(
      [
        Opt::RPORT(8096),
        OptString.new('TARGETURI', [true, 'The base path, usually just /', '/']),
        OptInt.new('TIMEOUT', [true, 'Timeout for the version scanner', 30])
      ]
    )
    deregister_options('SSL')
  end

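  def run_host(ip)
    res = send_request_cgi({
      # normalize_uri tolerates a TARGETURI with or without a trailing slash
      'uri' => normalize_uri(target_uri.path, 'System', 'Info', 'Public'),
      'method' => 'GET'
    }, datastore['TIMEOUT'])
    if res.nil? || res.code != 200
      print_error('Failed to connect to an Emby Server')
      return
    end

    result = res.get_json_document
    # A 200 response without a Version field is not an Emby server. Without this
    # check an empty version string would compare as lower than 4.5.0 below.
    if result['Version'].to_s.empty?
      print_error('Response does not contain an Emby version')
      return
    end

    print_status("Identifying Media Server Version on #{peer}")
    print_good("[Media Server] URI: http://#{peer}#{datastore['TARGETURI']}")
    print_good("[Media Server] Version: #{result['Version']}")
    print_good("[Media Server] Internal IP: #{result['LocalAddress']}") if (result['LocalAddress']).to_s != ''
    # Versions below 4.5.0 are the ones the related SSRF scanner (CVE-2020-26948) applies to
    print_good('*** Vulnerable to SSRF module auxiliary/scanner/http/emby_ssrf_scanner! ***') if Rex::Version.new((result['Version']).to_s) < Rex::Version.new('4.5.0')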
    report_service(
      host: rhost,
      port: rport,
      name: 'emby',
      info: "Emby Server v.#{result['Version']} (LAN:#{result['LocalAddress']})"
    )
    vprint_status "All info: #{result}"
    report_note(
      host: ip,
      port: rport,
      proto: 'tcp',
      ntype: 'server_version',
      data: result['Version'],
      info: "Media Server v.#{result['Version']}"
    )
    vprint_status('Saving host information.')
    report_host(
      host: ip,
      info: "Emby Server v.#{result['Version']} (LAN:#{result['LocalAddress']})"
    )
  end
end
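
Added example, not part of the Metasploit module or of Emby: a stand-alone Ruby triage helper for an asset inventory. It applies the module's 4.5.0 threshold to saved /System/Info/Public response bodies and reports bodies without a usable Version as unknown rather than vulnerable. The names classify_emby_info, audit and SAMPLES are hypothetical, and the sample bodies are constructed.

```ruby
require 'json'

FIXED_IN = Gem::Version.new('4.5.0') # threshold taken from the module above

# Classify one HTTP body returned by GET /System/Info/Public.
# Returns a hash whose :status is :vulnerable, :patched or :unknown.
def classify_emby_info(body)
  info = begin
    JSON.parse(body)
  rescue JSON::ParserError, TypeError
    nil
  end
  return { status: :unknown, reason: 'not JSON' } unless info.is_a?(Hash)

  raw = info['Version'].to_s.strip
  # An empty string parses as version 0, which would compare below 4.5.0,
  # so require a dotted numeric version before trusting the comparison.
  unless raw.match?(/\A\d+(\.\d+)*\z/)
    return { status: :unknown, reason: 'no usable Version field' }
  end

  status = Gem::Version.new(raw) < FIXED_IN ? :vulnerable : :patched
  lan = info['LocalAddress'].to_s
  # LocalAddress in an unauthenticated response discloses the internal address
  { status: status, version: raw, leaks_lan_address: !lan.empty? }
end

# Constructed sample responses (not captured from real servers).
SAMPLES = {
  'media-01' => '{"Version":"4.4.3.0","LocalAddress":"http://192.0.2.10:8096"}',
  'media-02' => '{"Version":"4.5.0.50"}',
  'proxy-01' => '<html>login</html>',
  'other-01' => '{"ServerName":"something else"}'
}.freeze

# Classify every saved response, keyed by inventory name.
def audit(samples)
  samples.transform_values { |body| classify_emby_info(body) }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLES).each { |host, result| puts "#{host}: #{result}" }
end
```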
