Land #6874, Improve exploit for CVE-2016-0854
Showing 2 changed files with 77 additions and 16 deletions.
36 changes: 36 additions & 0 deletions
...tion/modules/exploit/windows/scada/advantech_webaccess_dashboard_file_upload.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
Advantech WebAccess is a web-based software package for human-machine interfaces and supervisory | ||
control and data acquisition (SCADA). WebAccess 8.0 suffers from a vulnerability that allows an | ||
attacker to upload a malicious file onto the web server, and gain arbitrary code execution under | ||
the context of IIS APPPOOL\WADashboard_pool. | ||
|
||
## Vulnerable Application | ||
|
||
All builds of Advantech WebAccess 8.0 are affected: | ||
|
||
* [WebAccess 8.0 _20150816](http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe) | ||
* [WebAccess 8.0 _20141103](http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20141103_3.4.3.exe) | ||
|
||
For exploitation, there is a difference between the two versions. The 2014 version of WebAccess 8.0 | ||
had two upload actions in the UploadAjaxAction class: uploadBannerImage, and uploadImageCommon. The | ||
2015 version of WebAccess 8.0 added another upload action: uploadFile. This exploit uses the | ||
uploadImageCommon action because it works for both. | ||
|
||
Advantech WebAccess 8.1 mitigated the vulnerability by enforcing authentication for | ||
UploadAjaxAction. However, keep in mind that WebAccess 8.1 comes with a default credential of | ||
user name "admin" with a blank password, which means the user is likely still at risk by using the | ||
default configuration. | ||
|
||
advantech_webaccess_dashboard_file_upload will not attempt to exploit WebAccess 8.1. | ||
|
||
## Verification Steps | ||
|
||
1. Start a Windows machine (such as Windows 7 SP1). | ||
2. To install Advantech WebAccess, make sure to install the Internet Information Services Windows | ||
feature. | ||
3. Download WebAccess 8.0, and install it. After installation, make sure the web application is | ||
operational by accessing with a browser (on port 80). | ||
4. Start msfconsole | ||
5. Do: ```use exploit/windows/scada/advantech_webaccess_dashboard_file_upload``` | ||
6. Do: ```set RHOST [TARGET_IP]``` | ||
7. Set other options if needed | ||
8. Do: ```exploit```, and you should get a session. |
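
Review bot: Verification steps 7 and 8 give the tester no pass/fail criterion: "Set other options if needed" names no option, and "you should get a session" does not say what a successful run looks like. Suggest listing the options a tester is likely to change and stating the expected result in step 8, for example that the session runs as IIS APPPOOL\WADashboard_pool, as the introduction says. The line stating that the module "will not attempt to exploit WebAccess 8.1" would also benefit from a sentence on what the user sees in that case, so a refusal against 8.1 can be told apart from a failed run against 8.0. Since the same section says 8.1 ships with user "admin" and a blank password, it is worth stating there that the credential should be changed after installation.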